ScamWatch

An update has been released which introduces a number of new features. It now uses the Windows Common Controls plus a few other libraries, so need to be installed running an installer.

It can be downloaded at
http://www.kennethsorling.se/downloads/unzixwin_0_1_1.zip

window.onbeforeunload = function() {}
Unzip the contents, run the installer. It creates a program group and shortcut on the start menu. Launch it from there.

UnZixWin can now extract multiple files in one go. Internal paths should be preserved upon extraction, so any hierarchy in the archive would be preserved.

CTRL-A selects all files,
CTRL-N deselects all files, and you can select/deselect single files with CTRL-click, and a range of files with SHIFT-click. You can also invert the selection by pressing CTRL-I.

Rembember to be safe. Treat the contents of Zix files as highly suspect. Don’t muck around with them without antivirus activated.

When the site was last hacked, the download torrent file for UnZixWin was tampered with. It seems that a few extra trackers were inserted in the end of the chain.
As a result, downloading anything from this torrent file may have resulted in the user receiving a compromised download. I cannot verify this, since my bittorrent client at present doesn’t work properly.

Therefore, I have for the time being removed this torrent file from the site and from the download page. But for some users, the damage may have already been done.

IF YOU HAVE DOWNLOADED THIS TORRENT FILE
sometime between November 30th, 2009 and January 10th, 2010, you should treat the download as suspicious.

WHAT YOU SHOULD DO:

Check your download(s) against these MD5 checksums:

7de05d876779271bda36acf4301f4994 *unzixwin_010_setup.zip
9dd4f6d9e8a60117daecec1a94bd5f72 *UnZixWin_0_0_9.zip
4012fb99b87b642a6ca4e4c90e476373 *unzixwin_0_1_0_exe.zip

If the MD5 checksum for any file you’ve downloaded matches, then the file is as I presented it on the site. Otherwise, it may have been compromised.

HOW TO CHECK MD5 CHECKSUMS:

Several tools are available for download from the Internet. I recommend hkSFV from http://www.big-o-software.com

Install the tool, run it on a specific file or a whole folder from the right-click context menu (select hkSFV -> Create MD5), and then open the resulting md5 file and compare the sums.

WHAT DO I DO IF MY FILES MAY BE COMPROMISED?

* Stop seeding the file immediately! How to do this depends on your bitTorrent client of choice.
* Delete the downloaded file from your system.
* Run a full system scan with your Antivirus / Antispyware package of choice.

My sincere apologies for any inconvenience.

Well, over the holidays, my website was hacked once again. This is the third time in as many months this has happened.

Apparently, I wasn’t the only one affected. My hosting company, who this time were kind enough to warn me about the issue, maintains that the hacker somehow obtained my FTP password. Myself, I’m beginning to suspect that there’s a vulnerability in Apache Server which has yet to be addressed. The nature of the hack suggests that a kind of worm, or other unintelligent automated process, was to blame for the attack. It acted much like the “F*ck PoizonBox” worm which struck millions of websites a few years ago. It only targeted a certain kind of files, rewriting them in a manner that suggests very clumsy automation.

Nevertheless, I changed the password and replaced the affected files. For now, the ScamWatch blog will have to act as the front page for my website, which is maybe just as well, since the old one was, frankly, embarrassing.

What did the hack do?

It did two things: rewrite certain HTML files so as to inject a hidden IFRAME into the document, one which loaded a parameterized URL to a known hacker site.

The second thing it did was to tamper with the default actions of the site, so that any broken URL’s would cause a redirection to aforementioned site. This is more nefarious, since for example trying to browse any unindexed folder via a raw URL would cause a 403 error, which would send you to the malicious site.

Once there, you would be subjected to false alerts about a possible infection, and offered to download a solution… which, naturally, woúld have flooded your system with spyware. Sigh!

Why did they do it?

At first, I suspected a case of retalliation. Fighting the crooks who spread spyware and malware makes me and my site a natural target for certain kinds of payback attack. It was naive of me not to expect it. I’m just surprised it didn’t happen sooner.

However, the nature of the attack, and the fact that I’m not alone to have suffered, suggest that it wasn’t personal. It seems that the script kiddies (read: stupid hacker snotnoses) are having a harvesting contest to count how many sites they can compromise. It’s one of the many ways they have of comparing their tiny penises.

Have any visitors been affected? Is there a risk coming here?

Fortunately, no. The hacks were so blatantly stupid and badly written that they couldn’t have worked in any browser. Cleaning them up is a nuisance, but they aren’t dangerous to visitors. Not ones who know what they’re doing.

The broken URL hack, however, would have worked. I tested it myself on a sandboxed computer to see what would happen in certain scenarios. It has now been fixed.

Has UnZixWin, or any other software, been compromised?

Nope. None of the downloads have been tampered with. They are still safe to download and install.

What are you going to do about it?

On the bright side, it has rekindled my faltering interest in online security once more. After a post-mortem analysis of their tricks, I’m considering a multi-pronged defence mechanism constituting of the following:

* A daily, scheduled, automated system to check the health of my sites to detect and repair any tampered files

* A script, included everywhere, to automatically detect and remove hostile IFRAMEs before they have any chance of triggering.

* A new article, detailing the hacks in technical detail

And, while I’m in the process of doing all that,

* A major overhaul of the whole site. It has been long overdue.

Watch this space.

In case you’re unfortunate enough to have already installed the PlayVix player, and have thus infected your system with spyware, getting rid of it isn’t so trivial.
To make matters worse, other scammers are cashing in on this scam in unexpedted ways.
There is a video on YouTube which claims to show you how to remove PlayVix. Only, surprise, it doesn’t. What it does is direct you to a site which promises a “PlayVix Removal Guide”.
That guide offers no help at all, although it seems to describe the PlayVix spyware scam quite accurately. It then offers you a clickable, suspiciously anonymous, link to yet another site where you can get instructions on how to remove PlayVix.
That site turns out to be the download page for Registry Easy, a tool which claims to fix your every problem, including toothache, FOR FREE!

Be aware that this software is flagged by several tools as malware. It is itself a spyware kit, and you may have to take additional steps to get rid of that.

I’ll keep investigating PlayVix and if I come across removal instructions which actually work, I’ll post them here.

In the meantime, my only suggestion is that you reinstall your computer from a bootable CD, after backing up your data files, off course. It’s a bitter pill to swallow, but it actually helps get rid of the spyware. And, unlike Registry Easy, it will probably also speed up your system.

The scammers are at it agan.

If you come across a video file which, on playback, shows you this:

Beware! It’s yet another form of the old DivoCodec scam, this time with a new twist.

If you’re familiar with the DivoCodec scam, you probably vaguely recognize the screenshot. It’s surprising how predictable these crooks are: They choose the same color scheme for their bullshit title screens every time. Red and white text on a black background.

In case this is your first visit, here’s the quick and dirty rundown: This is a trick to try to make you install infected software on your system. The PlayVix “player” they are offering is highly likely to be spyware, or to quietly load and install spyware while running. Also, the information they force you to submit before downloading the player will be sold on. At minimum, you open your e-mail address to a flood of spam.

The way these bastards usually work, you still won’t get to watch the movie you expected to. If there is any content in there at all, it will probably be tranny porn or something uninteresting taped off TV. April Fools!

So don’t do it. You’ll be compromising your computer with no benefits.

Technicalities:

These videos come masked as AVI files, but are actually ASF/WMV files renamed. They make use of the DRM (Digital Rights Management) encryption already mentioned in another blog.

WARNING!
Since the DRM mechanism installed in Windows Media Player offers to contact the content publisher (read: criminals) and purchase a “licence” for the content at the publisher’s site, this is another way for the scammers to get you. The DRM mechanism is vulnerable to hack attacks, and your computer may become silently hi-jacked in the process. So don’t do that either. Read my previous post on the DRM scan to find out why it’s dangerous.

My advice is to try another torrent for the content you wanted to see. And, please, stop seeding any video file which behaves this way. Don’t help snare other unsuspecting victims.

Can this format be cracked?

I’m not yet sure, but my hopes aren’t high. The main content, if there is any, may make use of the DRM encryption system, which is notoriously hard to crack, if it can be done at all. So, unlike the previous formats, I probably can’t extend my UnZixWin app to extract the hidden content. But I’ll keep snooping and pondering the problem. Any feedback with any details is welcome here.

Good news for Linux/UNIX users:

Fellow scambuster Mike Frysinger has created a C program which extracts the contents of ZIX archives, and put the package online. He calls it funzix, and its homepage is located at http://funzix.sourceforge.net/

It’s a command-line utility, and has been confirmed by Mike to work with both version 1.0 and 2.0 zix archives.

The package can be found at SourceForge, and is supposedly platform independent. Since his development platform is unix-based, developers working in other platforms may have to do some massageing to build. In particular, the makefile. What needs to be done should be obvious. Also, you’ll need a copy of the ZLIB library, if you don’t already have it installed.

Since I posted this entry, I’ve had the chance to check out his code. It’s pretty good; nice, clean and well-commented.

If I have one hesitation, it is the choice of the stdio file handling functions. Invented in a time out of mind, I’m not sure they stand up to the 4GB barrier.(some internal file pointers need to be quad-words, a need unconceived of when the FILE structure was invented). This may have been patched in recent versions and builds of common C development kits and libraries, but you should check your development environment for this.

Kudos to Mike for getting involved, and for sharing his efforts with the rest of us.

First of all, thanks to all of you who have written me with praise and encouragement. Although I may not always reply, it means a lot to me.

This post is just to let you know I’ll be offline for the next few weeks.
(Tip: pay your utilites bills! Those guys aren’t kidding around!).
Until I can whip up the equivalent of roughly $3000, none of my computers will have the power to boot up. Consequently, for all practical purposes, I’ll be offline until further notice. Living in the dark isn’t all that bad; candle light is a romantic touch. But being offline… 😛

Offline doesn’t mean out of touch. I’ll be checking in from time to time, and will be responding to e-mail, but will be unable to seed any new versions or fixes. Furthermore, I won’t be able to investigate any error reports, since I can’t download and test the files which may cause any errors. Don’t let that discourage you from writing, however; I’ll keep the mail, and will respond as soon as I have the power (pun intended) to do so. But you will need to have a bit of patience.

Happy holidays, everyone!

//NeverShaveYourDuck

Many people have had problems running the setup package last published, and I’ve identified the source of the problem.

The last installation package, unbeknownst to me, included a few system DLLs which really didn’t need to be distributed, as they were almost certain to be on the user’s system anyway, and probably in more recent versions.

To all who have tried to install UnZixWin 0.0.9 without success, try downloading this more svelte package. With just a bit of luck, it will work much better.

It is still version 0.0.9, with a minute bugfix. You can now open and analyze files which are still being seeded and/or played. Previously, UnZixWin required exclusive access to the file. This requirement has been removed.