January 2008

Remote-control device – the new gun of bank robbers

Bank robbers have found a very interesting technique.

From The Local article Police thwart remote-control bank heist:

Surprised last August to suddenly see his computer cursor moving on its own, the employee at the Knivsta branch of Swedbank, north of Stockholm, “discovered a cable connected to his computer linked to a remote control device fastened under his desk,” local police spokesman Christer Nordström told AFP.

The employee quickly pulled the plug, interrupting a transfer of several hundred million kronor, Nordström said.

And how they managed to install this remote-control device? According to the news sources during a break-in before the incident – no money had been stolen from the bank during a break-in.

A comment posted to Technocrat.net is pointing to another interesting case (from CIO Update article) confirmed as keylogger case:

The story is still developing but this is what we know: Thieves masquerading as cleaning staff with the help of a security guard installed hardware keystroke loggers on computers within the London branch of Sumitomo Mitsui, a huge Japanese bank.

These computers evidently belonged to help desk personnel.

Swedbank is the leading bank in Sweden, Estonia, Latvia and Lithuania with more than 21,700 employees serving 9 million private and 480,000 corporate customers.

“php shell script on my server”


I have a webserver where i’ve found several different php shell scripts and I’d like to know how they got there.  Are there known vulnerabilities that allow uploading of php files to a server?

I have several sites running on this server with several php script packages including…


Any ideas or pointers will be appreciated!

A: Hi,

There are several vulnerabilities in both off the shelf products as well as custom PHP scripts that would allow “uploading”, in essence they don’t need to upload, they just need to get your PHP scripts to execute an arbitrary (outside) PHP script.

PHPbb has several:

Listed as Code Execution, Arbitrary File Upload, etc.

While zencart has just one problem:

But that could be misleading, and just mean that the software is very uncommon.

MBR rootkit – here’s some references

Prevx Blog has a good writeup located at prevx.com/blog/75/Master-Boot-Record-Rootkit…

SANS Internet Storm Center has released an interesting timeline story – link here.

From the post based to Verisign iDefense data:


  • Oct. 30, 2007 – Original version of MBR rootkit written and tested by attackers
  • Dec. 12, 2007 – First known attacks installing MBR code
    about 1,800 users infected in four days.

McAfee detects the Trojan as StealthMBR (DAT 5204 or above) and Symantec as Trojan.Mebroot. Sophos uses name Troj/Mbroot-A, in turn. There are names like Trojan.Win32.Agent.dsj and TROJ_AGENT.APA assigned too.

10th Jan: Trend Micro uses the name TROJ_SINOWAL.AD
12th Jan: Symantec sees the infected MBR as Boot.Mebroot. McAfee uses the name StealthMBR!rootkit too.

Google as an RBL

For those not familiar with RBL, the term means Real-time Blackhole List, it is mainly used for SPAM fighting. I have recently started playing around with Google as an RBL engine, the idea is that if the search term I use hits too many hits it is likely to be SPAM :)

The danger of course is that the term could be simply popular – but the trick here is that I’m using something very special as the search term – the IP address of the poster.

The IP address shouldn’t be popular; except for a few rare cases, IP addresses listed on Google are directly related to SPAM – either they are listed under wiki-like sites as being banned, or they appear as mass-comment posters. Simply put, if your IP is listed in Google you must be up to no good.

How good is this method? Nothing is bullet proof, but if you have a suspicion of something being SPAM, put the IP in Google and see there are hits; Almost all the comment SPAM I filtered out this month had more than 100 hits in Google, all non-SPAM had either 0 or below the 10 hits mark.

BTW: A good advantage of Google is that it is quick – a few seconds to get a respond – a disadvantage is that you cannot just “hammer” them with searches or they will block you – maybe someone can pickup this idea and make an RBL from IP addresses using Google as a back-engine.

Facebook’s My Admirer is gone – and was there spyware at all?

My Admirer application (previously known as Secret Crush) has been removed from Facebook now. The installation process was canceled during the weekend, but now it is finally gone.

Fortinet reported about the Zango spyware installation related to this application last week. The issue was described in this SecuriTeam post.

Response from Zango Inc. is interesting to read – link to the Zango blog here.

From the post:

At no point in adding the Secret Crush widget to a Facebook profile does the widget install either spyware or Zango software, or even attempt to do so. Any suggestion that Zango software is being “secretly installed” is simply not true.

It appears that there was no automatic installation of spyware at all.

My name is Zango, I am spyware and I found Facebook applications

The first spyware spreading with Facebook application has been discovered. Security company Fortinet reports that application called Secret Crush is installing Zango (aka AdWare.Win32.180Solution) with Iframe, technically from ZangoCash.com.

Shortly, this is the spreading mechanism:

In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using “Secret Crush” (this happens frequently with Facebook’s Platform Application). [Figure 2] exhibits the social engineering speech employed by the malicious widget to get the user to install it.

The text included to the request entry is “One of Your Friends Might Have a Crush on You!”. Additionally, the buttons are ‘Find Out Who!’ and typical ‘Ignore’.
It appears that Secret Crush is not included to Facebook Application Directory (no log-in needed) any more. Reportedly FortiGuard Team has informed Facebook guys and probably the application has been disabled already.

Update 4th Jan: The application mentioned is located here (renamed to My Admirer), still accessible and has “50,708 daily active users i.e. 4% of total”.

The exact number of affected users is not available.