[SecurityRatty] tag: youtube

Zango And The Batman Online Videogame

Wed, 03 Sep 2008 07:00:00 +0000

This is Newsarama, a site (mostly) geared around comics and other related media:

Click to Enlarge

You'll notice Batman, over on the right there. Let's take a closer look:

"Free Online Batman Game"? Well, that's curious because I follow comics pretty closely and I'd be the first to know if an "Online Batman Game" had been in the works (this advert has been doing the rounds on numerous comic-related websites. Visit the URL in the ad - Batmangame.info - and you'll see this...

Click to Enlarge

There it is again - "Online Batman Game". Furthermore, the text goes on to say:

"Batman Online lets you do anything and every little thing you'd like in a Batman game. From leveling up your character to destroying villans, it has it all. Download and play this amazing game now, all for free! I'm sure you'll be playing for hours on end, it's that much fun.

    Level Up Your Character

   Explore a Huge Vast World

   Play Online With Your Friends

   Hundreds of Quests To Finish

   Perfect Battle System

So start your Batman adventure today! Download the full game below and fight them all!"

Note that they specifically call it "Batman Online". It specifically sounds like a text blurb you'd expect to see with a MMORPG. However, something isn't quite right here.

1) The only DC licensed MMORPG anybody knows of is this, and it isn't due out until 2009. It's not Batman-centric, either.

2) The screenshots are lifted from the Batman Begins videogame, which came out in 2005. If you were offering a "Batman Online Game", wouldn't you use screenshots from that instead of an unrelated title?

3) Absolutely no licensing, copyright or legal mumbo-jumbo on the page anywhere. DC and Warner Bros don't roll like that.

4) The website - Batmangame(dot)info - is registered anonymously. Not exactly something you see everyday for websites related to licensed DC franchises such as Batman videogames.

5) "To download and play the Batman Online Game you must download and install Zango as well. It is free, very easy to install and will give you access to the full game."

Shall we continue?

Click to Enlarge

A Zango installer prompt, complete with picture of Batman at the top. If you say "No" to the install, you end up on Google.com. What happens if you click "Start"? Well, you'll get the usual collection of Zango installer screens including one that rather humorously has a guy in a superhero costume.

Once everything is installed, you're taken to another page and from here things just get plain confusing. Remember, up to this point you've been promised an "Online Batman Game", the description of which is clearly intended to evoke images of a MMORPG. However....

Click to Enlarge

All of a sudden, you're being told you're downloading "Batman: Vengeance" on a cheap-looking splash page and shown what looks like an unofficially ripped Batman: Vengeance trailer on Youtube.

In case you're unaware, Batman: Vengeance is a videogame first launched way back in 2001 for consoles (followed shortly after by a PC version). What does this have to do with an "Online Batman Game"? Well, nothing, actually. Aside from the fact you were presented with one thing and are now handed another, things get even stranger when you see the download location:

Click to Enlarge

Have you ever heard of an officially licensed game being offered via Rapidshare downloads? It's possible, I guess, but it seems a little odd. However, the real oddness is reserved for the "Online Batman game" itself.

Remember, we've been promised "Hundreds of quests", "A huge vast world", the ability to "level up your character" and (of course) the "play online with your friends" promise of greatness.

Click to Enlarge

Imagine your dismay, then, when you've installed Zango, downloaded the game from Rapidshare using up around 140MB of bandwidth, installed it and....

Oh dear.

Not only are you given a totally different game than what was advertised, you're given a DEMO VERSION of that game with four short sample levels present, no online functionality and quite a few less quests than the "hundreds" advertised.

Hilariously, you can download a 100% legit copy of this demo here at Fileplanet, sans Adware. Setting aside the issue of whether this file is actually sitting on Rapidshare with either Ubisoft or DC / Warner Bros permission (and if it IS okay to be there, I'm pretty sure it's NOT okay to falsely advertise it as some kind of MMORPG) there are some questions that need to be raised here.

When this guy approached them with his website, did nobody stop to think that this game did not actually match up with the "Online Batman" game it was touted as? Didn't someone at Zango Quality Control actually download the game and see the big "This is a demo" wording as soon as it starts up? Or question why the screenshots on the website don't look like the graphics for Batman: Vengeance in the slightest?

However you look at it, this is a scam, pure and simple. Whoever came up with the idea of an "Online Batman Game" is lying through their teeth. Of course, because their website is registered anonymously we have no idea who the culprit is, unless of course Zango want to deposit them on the steps of Gotham City and let me dispense some Batman-style justice to their posterior.

However, based on the way these things tend to go - God forbid anyone ever offer up the identity of someone happily scamming the public at large, even when that person is dragging the name of the company associated with them through the mud by their antics - I think I might be waiting some time for the Bat Signal...

Don't Panic

Fri, 29 Aug 2008 13:03:16 +0000

Sometimes it's easy to believe that every last thing online is going to eat into your PC, burn your house down, kill your cat and so on. The last few days I'd been hearing rumblings about some "Youtube rap video" and a file that would start hijacking your PC - well, thanks to a tipoff from a forum-goer at Spywarewarrior, I can hopefully put this one to rest.

In short, a video promoting a rap mix-tape supposedly took you to a file that "hijacked your PC with Spywarestop". In actual fact, there's no file to hijack you. Let's take a look - here's the Youtube page in question:

Click to Enlarge

As you can see, there's the mix-tape being advertised and a link to Mediafire, where the mix-tape is hosted. Click the Mediafire link, and all that happens is you'll see an advert for various antispyware tools - some of them on the Rogue Antispyware list, some of them not on the list but known to be of little worth to the end-user.

Click to Enlarge

In this particular case, it's an advert for Adware Alert. It's not hijacking you, or breaking things or making your browser fly around the screen, nor is it a "virus". It's just an (admittedly loud) advert. If you're running a browser compatible with Adblock Plus, all you'll see beneath the Mediafire logo is a blank space. Even if you're vaguely alarmed by the advert, all you have to do is click the "Continue to Mediafire.com" message at the top right of the screen (missing from the above screenshot as I cropped the image too small - whoops) and you'll be taken to the file you requested.

Like the title says - don't panic. This really isn't something to worry about too much. Even the most obnoxious rogue antispyware advert (the ones that do resize your browser, throw up endless popups and make annoying "Woop woop" noises) can usually be escaped by simply hitting CTRL+ALT+DEL and using Task Manage to close your browser session.

Automatic Email Harvesting 2.0

Tue, 26 Aug 2008 04:01:51 +0000

Just when you think that email harvesting matured into user names harvesting in a true Web 2.0 style with the recently uncovered harvested IM screen names, and Youtube user lists for spammers, phishers and malware authors to take advantage of, someone has filled in the gap that's been around as long as email harvesting has been a daily routine for spammers - dealing with text obfuscations which still remain highly popular online, once it became evident that spammers are in fact crawling for default mailto lines. This email harvesting module can be run a separate script, or get integrated as a module within any botnet, is capable of harvesting the following text obfuscations often used in order to prevent spamming crawlers :

mail@gmail.com
mail[at]gmail.com
mail[at]gmail[dot]com
mail [space]gmail [space]com
mail(@)gmail.com
mail(a)gmail.com
mail AT gmail DOT com

The overall availability and easy of obtaining a huge percentage of valid email addresses within an organizaton, is not just resulting in the increasing segmentation and localization of spam, phishing and malware campaigns, it's increasing the profit margins for the spamming providers which is now not just offering verified to be 100% valid email addresses, but also, can providing the foundations for spear phishing and targeted attacks.

Quality assurance in spaming is still in its introduction phrase, with customers starting to put the emphasis on the number of emails that actually made it through the spam filters, than the number of emails sent as a benchmark for increasing the probability of bypassing anti spam filters. Taking into consideration the big picture, sniffing for email addresses streaming out of malware infected hosts, and stealing huge email databases by exploiting vulnerable online communities, seems to be the tactics of choice for the majority of individuals whose responsibility is to continuously provide fresh and valid email addresses.

Lost.....and Found

Fri, 15 Aug 2008 10:20:17 +0000

The practice of affiliates signing up with Zango then hiding pirated movies behind their installer prompt ([1], [2]) takes another twist, as we go hunting for TV episodes instead of movies and find....

Click to Enlarge

......TV shows (apparently ripped and streamed from Chinese Youtube-style websites), hidden behind Zango installer prompts. Obviously, this is something of a mini industry we have here but I'm faintly alarmed that so many of these affiliates are happily churning out these kinds of sites. I'm also pretty sure Zango doesn't want people seeing what effectively says "Free ripped off movies online sponsored by Zango" on their installer prompts, either.

As a side note, it's not just Zango affiliates doing this - here's another example, this time for something called "Cpalead.com" that wants you to fill in a survey in return for seeing "free" episodes of Lost:

Click to Enlarge

In case you were wondering, my monitor isn't broken, they just grey out the page when the popup appears. The Lost episodes appear to be ripped by end-users and uploaded to Megavideo.com.

The sites above are

lost-stream(dot)com
ietv(dot)co.uk/category/watch-lost-online
watchprisonbreakonlinefree(dot)com
watch-lost-online(dot)info
www.heroesstreaming(dot)com

I guess I ended up with a trilogy after all.

Spamblogs Pushing Rogue Antivirus Programs

Mon, 11 Aug 2008 14:50:05 +0000

Nothing earth-shattering, but worth a mention anyway. I've noticed a couple of blogs pushing security blog feeds are also hawking pretend Youtube vids:

Click to Enlarge

When the videos are clicked, you'll find your browser vanishes down onto the taskbar, replaced by this sitting in the middle of the screen:

Once you click the popup box away, you're confronted with this:

Click to Enlarge

...a randomly selected rogue antivirus product. From here on it, any and all attempts to get rid of this page results in an endless barrage of popups, scare tactics ad hilariously lame warning messages (note the first one is called a "Security Update"):

Wow, they just get more and more hysterical, don't they?

The site to block that's pimping the fake videos is

thoughtcrime(dot)blogtodo(dot)com

On TV Warfare

Mon, 11 Aug 2008 13:41:00 +0000

It is simply amazing that all the countries now "get it" that war happens primarily on TV (this vs this; many other examples are around). It is also amazing that there is NO way to know where "media reporting" ends and "psyops" begin. So, a burning tank with no clear markings that you see on TV might be:

Tank belonging to warring side A
Tank belonging to warring side B
Just a tank that was passing by and got hit by mistake :-)
Something that looks like a burning tank
An archive shot that reporter added for visual impact

Same applies to the "primary weapon" of a modern TV war: "evidence of atrocities of the opposing side."

What's the truth? Who knows... progress brought us "TV wars," is this the first "YouTube war"? But if we cannot believe the media coverage, how can we believe a random video online? Well ... maybe the same way we often believe Wikipedia over Britannica.

In any case, if there was a better time to turn off the TV (and tune off the web news...), it would be now. Also, time to get the dust off my copy of Toffler?

Rant mode off :-)

Pedal to the metal NAC

Fri, 08 Aug 2008 12:01:03 +0000

OK, I am not really a big car racing fan. I don’t know, Long Island was not a NASCAR hot bed. Of course the Indy 500 was always big news. In any event I have become much more of a race fan since Chip Ganassi racing became a StillSecure customer. They are using a complete NAC solution that performs both pre and post connect testing. Racing today is not about some gearheads putting in spark plugs and changing tires. It is high, hi-tech and their information security needs to protect their IP are high priority.

Rather than the usual case study, our VP of marketing Jayson Ayers actually tried something new. A video case study is what we have done. I think it is pretty cool and in the spirit of the YouTube generation, am embedding it here. You can read more about this on our site here.

Listening to the evidence

Thu, 07 Aug 2008 20:24:33 +0000

Last week the House of Commons Culture, Media and Sport Select Committee published a report of their inquiry into “Harmful content on the Internet and in video games“. They make a number of recommendations including a self-regulatory body to set rules for Internet companies to force them to protect users; that sites should provide a “watershed” so that grown-up material cannot be viewed before 9pm; that YouTube should screen material for forbidden content; that “suicide websites” should be blocked; that ISPs should be forced to block child sexual abuse image websites whatever the cost, and that blocking of bad content was generally desirable.

You will discern a certain amount of enthusiasm for blocking, and for a “something must be done” approach. However, in coming to their conclusions, they do not, in my view, seem to have listened too hard to the evidence, or sought out expertise elsewhere in the world…

Google/YouTube told them that 10 hours of video was posted every minute, and the amount is increasing. In the oral evidence session an MP helpfully suggested: “That video content is tagged. You do not need to look at every single minute of video content. Surely you could have people who would look at the video content which is tagged with labels which suggest it could be inappropriate.” Of course “happy_slapping.wmv” or “fluffy_bunnies.avi” must always contain exactly what it says on the tin (not!) but unaccountably Google said it was a “fair suggestion”, so perhaps my cynicism is misplaced.

However, back to blocking.

I submitted some evidence of my own, which the committee summarised, reasonably accurately:

Dr Richard Clayton, a researcher in the Security Group of the Computer Laboratory at Cambridge University and author of several academic papers on methods for blocking access to Internet content, pointed out that there was no single blocking method which was both inexpensive and discerning enough to block access to only one part of a large website (such as FaceBook). In his view, the fatal flaw of all network-level blocking schemes was the ease with which they could be overcome, either by encrypting content or by the use of proxy services hosted outside the UK.

The committee’s conclusion, having read this was:

At a time of rapid technological change, it is difficult to judge whether blocking access to Internet content at network level by Internet service providers is likely to become ineffective in the near future. However, this is not a reason for not doing so while it is still effective for the overwhelming majority of users.

which I suppose logically means that the committee thinks that blocking should now be discarded as a policy option — but somehow I think that isn’t their intended meaning.

The Committee should perhaps have a look at this Australian report, which found that ISP level content filtering (and in Australia the politicians want to use ISP level filtering to provide a child-friendly Internet) did work (up to a point) at Tier 3 (the smallest) ISPs. The up-to-a-point is that unlike previous tests the systems didn’t completely wreck the browsing experience by slowing it down. However, the systems blocked only 85-98% of illegal material and similar percentages of material suitable for adults but not for younger children. Interestingly some products were better at different categories.

Getting that many sites wrong is really quite significant, so it’s difficult to see this as a ringing endorsement for blocking the web. Additionally, the Australian report found that the blocking was useless on “non-web” protocols (such as peer-to-peer) and their report specifically didn’t consider cost, or ease of circumvention — so it’s not just UK politicians not wanting to consider evidence on that topic!

Finally, I should note that the Culture Media and Sport Committee has also ignored some rather more recent academic work. The MPs have put into their report that they were horrified to discover that child sexual abuse images took 24 hours to remove in the UK. What (should they ever learn of it) will they make of the recent discovery by Tyler Moore and myself that shows that if the website is hosted abroad then a month is more to be expected?

Strange Digg.com Spamming

Wed, 06 Aug 2008 03:51:10 +0000

I saw this in the security section earlier today:

Click to Enlarge

Each one links to a page on a website called Tubeteases(dot)com, and each page streams a Youtube video - usually females bouncing around in various states of undress.

Click to Enlarge

Usually with spam like this, there's a financial incentive - however, I'm having a hard time working out what the motive is here. There are no clickable ads to make money from on the site - it's just page after page of miniaturised Youtube clips.

Click to Enlarge

No popups, no flashing banners, no mousetraps.....nothing.

I thought I'd worked it out when I scrolled down the page and saw a large advert for a webcam site. Aha! Obviously the gimmick is luring you to the above video site then get you to pay up for webcam access, right?

Well, not exactly...

Click to Enlarge

...."Free"? Oh dear, this isn't going well. They don't even have the advert for the webcam site at the top of the page, it's stuffed down at the bottom somewhere so I can't even claim "in-your-face" advertising.

At the very bottom, I saw a set of weblinks to other sites - surely this is the gimmick then? Entice potential webmasters to pay up for links placed on-site? Well, as it turns out, no. Clicking the "free slots available" link simply takes you to a page offering a free link placement script.

Normally spam = profit. Here though, I can't see that this follows the usual pattern. Perhaps someone woke up feeling philanthropic and randomly decided the best course of action for Digg.com users was watching hundreds of postage-stamp sized clips of semi-naked females.

We can tell them off for spamming Digg though, so we've got them there...

The Twitter Malware Campaign Wants to Bank With You

Tue, 05 Aug 2008 03:14:42 +0000

In what appears to be a lone gunman malware campaign -- where the malware spreader even left his email address within the binary - the now down Twitter malware campaign managed to attract only 69 followers before it has shut down, using a trivial approach for launching an XSS worm - Cross-site request forgery (CSRF). More info :

"This week it’s Twitter’s turn to host an attack - one that is targeting both Twitter users and the Internet community at large. In this case it's a malicious Twitter profile twitter.com/[skip]/ with a name that is Portuguese for ‘pretty rabbit’ which has a photo advertising a video with girls posted.

This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video. If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular."

Let's analyze the campaign before it was shut down. The original Twitter account used twitter.com/video_kelly_key basically included a link to player-video-youtube.sytes.net (204.16.252.98) which was using a URL shortening service fly2.ws/NilOMN3 in order to redirect to the banker malware located at freewebtown.com/construimagens/ Play-video-youtube.kelly-key.com. It's detection rate is as follows :

Scanners Result: 14/36 (38.89%)
Trojan-Spy.Win32.Banker.caw
File size: 88064 bytes
MD5...: 25600af502758ca992b9e7fff3739def
SHA1..: 9262ca501ef388e0fe42c50a3d002ddbd6e254f2

Twitter isn't an exception to the realistic potential for XSS worms though CSRF that could affect each and every Web 2.0 service, which as a matter of fact have all suffered such attempts, namely, Orkut, MySpace (as well as the QuickTime XSS flaw), GaiaOnline, Hi5, and most recently the XSS worm at Justin.tv, demonstrate that trivial vulnerabilities come handy for what's to turn into a major security incident if not taken care of promptly.

Related posts:
XSS The Planet
XSS Vulnerabilities in E-banking Sites
The Current State of Web Application Worms
g0t XSSed?
Web Application Email Harvesting Worm