
News from: News Feed

Submitted by

Beware of phone telephone scammers calling on behalf of Google

Posted Tue 5:06 AM. In Beware of phone telephone scammers calling on behalf of Google.

A new phone scam is underway in which people are receiving phone calls from people who state that they are calling on behalf of Google. These callers state that they received your name and number from the Google Database and that Google had detected that your computer was infected or had a problem. They further state that they work for Gooseberry Tech, which has a partnership with Google to offer a free remote troubleshooting evaluation of your computer. If you agree to this evaluation, they will have you download TeamViewer and will then use it to take remote control of your computer. They will then proceed to poke around your computer, look at Event Viewer, and check your programs. While doing this they will point out "serious" and "alarming" problems on your computer. When they are done scaring you, they go in for the kill by trying to sell you a one-time fix for $100, or a maintenance contract for $199.

This is not the first time phone scammers have pretended to be from large companies and offered free troubleshooting services. In the past, phone scammers were calling people and stating that they were from Microsoft, which had detected that their computer had a problem. They would then offer to remotely fix their computer for a fee. Eventually Microsoft caught wind of this scam and warned about these scammers on their Windows blog.

I was first alerted to this when a friend said they were infected with the Smart HDD rogue anti-spyware program. They were concerned because they thought the Smart HDD warnings were legitimate and entered their credit card information and phone number. The credit card did not go through, so I alerted him to contact his credit card company and, if he chose to keep the same credit card number, to at least keep an eye on any charges. The next day, he received a phone call from 321-329-5304 on the same mobile number that he entered on the Smart HDD screen. He told me that the person calling had an Indian accent and was telling him that they were calling on behalf of Google because it appeared that he had a computer infection. The caller then tried to have him install the TeamViewer software so that they could remotely connect to his computer. Thankfully, my friend realized that something did not sound right, hung up the phone, and called me.

I did a little research on the number and saw that he was not the first person who has had a call from these people. In fact there were other complaints regarding this number and a company called Gooseberry Tech. I started up a Windows XP virtual machine, infected myself with Windows ProSecurity Scanner and gave them a call. A man with an Indian accent named John answered and I explained that I received a phone call from them a few days ago and decided I still needed help. I explained that I think I was infected and he had me go to the site http://www.gbdl.tk/ where I was asked to download and install TeamViewer.

Once TeamViewer was installed, they remotely took control of my computer and started poking around. It was fairly obvious from the beginning that John had absolutely no idea what he was doing. He couldn't understand why Windows ProSecurity Scanner would open when he attempted to run Internet Explorer or Windows Task Manager. I sat there for about 5 minutes watching him continue to try and open these two programs repeatedly until I hinted that it was probably the virus interfering. He then proceeded to look over the Windows Event Viewer where he would point out innocuous messages and state that they indicated I had a severe problem on my computer. After a while, they went in for the kill and asked me to pay for a support contract, which was quickly declined. They said if I still wanted help I could reach them at 1-800-501-0335, 650-204-4405, or 321-329-5304.

When you visit their web site, www.gooseberrytech.com, you can see how they are really pushing a Google affiliation. There are Google logos everywhere and the Gooseberry logo has a very Googly feel to it. In small print under the Gooseberry logo it states that their parent company is iHorse Technologies, which is a remote support company based out of Toronto, Canada. Furthermore, the company phone number listed on the Gooseberry site is the same that I was given, 1-800-501-0334 and 1-800-501-0335. When you do a Google search for 1-800-501-0335, the first search result is for iHorse Technology.

[Screenshot: Gooseberrytech.com web site]


One alarming thing I have noticed is a connection between these phone calls and the rogue anti-spyware program called Smart HDD. In comments found online, a common theme is that people who have become infected with a rogue like SMART HDD, and who may have possibly purchased it or attempted to contact the malware developers, will then receive a phone call from Gooseberry Tech. This will not be the first time that we have suspected rogue developers are working both sides of the fence. There have been hints of rogue developers not only infecting people for profit, but also creating actual removal blogs in order to generate ad revenue and affiliate commissions from the removal of their software.

At 800notes.com, a popular site used by people to report phone numbers used by scammers, there is a topic about the 650-204-4405 number where many people complain about these scammers. One of the replies to this thread is supposedly from the iHorse president in which he states their company is not involved. I have called and emailed iHorse Technologies but have not received any comment back from them.

With this said, beware of any phone calls from people who state that they are calling on behalf of large companies like Microsoft and Google. Microsoft and Google will not call you to offer free phone support or to tell you that your computer is infected. If you receive these calls, promptly hang up and report them to the FCC or other government authority.

[...]

Submitted by

Firefox 3.6.x reaches end of life.

Posted 25 April 2012, 8:33 AM. In Firefox 3.6.x reaches end of life..


As expected, the 3.6.x branch of Mozilla's open source Firefox web browser reached its end of life on Tuesday 24 April – no further updates, including security updates and critical fixes, will be made available for the series. According to recent Platform Meeting Notes, users running Firefox 3.6.13 to 3.6.28 should have already started receiving "Major Update" prompts asking them to upgrade to the latest stable release of the browser. All of these users are advised to upgrade as soon as possible.

Full story: http://goo.gl/qZPFw

Mozilla Firefox 12 Final released:
http://www.mozilla.org/en-US/firefox/all.html [...]

Submitted by

Google launches online storage application

Posted 24 April 2012, 9:20 AM. In Google launches online storage application.

Today, Google revealed their newest upcoming product: Google Drive.

Google Drive is an online file storage application similar to Dropbox, but with a twist.

In addition to standard file storage Google Drive offers several additional features including file revision history, built in compatibility with Google Docs, and a powerful search tool to navigate your files.

Google Drive is free to use and comes with 5GB of storage. Additional storage is available for a yearly fee.

Check it out at http://drive.google.com

While Google Drive is not yet available for all Google account holders, it is currently in the process of being rolled out. You can be notified when your Google Drive is available by clicking on the "Notify me" button in the top left corner of the Google Drive page while signed in to your Google Account. [...]

Submitted by

Google increases payouts for their Vulnerability Reward Program

Posted 23 April 2012, 10:47 AM. In Google increases payouts for their Vulnerability Reward Program.

Google announced today that they have increased the payouts for security researchers who privately disclose vulnerabilities in Google Applications. Previously the maximum reward for a single vulnerability was $3,133.70, or $3,133.7 for you leet speakers. With this update to the Google Vulnerability Reward Program, payouts for certain vulnerabilities can now be as high as $20,000. With this higher reward, Google hopes to make it more enticing for security researchers who discover vulnerabilities to report it via "white-hat" methods rather than selling it to buyers who may want to weaponize the information for criminal purposes.

Under the new program, only those vulnerabilities that allow remote code execution for accounts.google.com, highly sensitive services, or normal Google applications will be able to qualify for the $20,000 reward. Other properties that are owned by Google but are not integrated into the google.com, youtube.com, blogger.com, or orkut.com domains will only qualify for a $5,000 reward. Furthermore, any new acquisitions have a 6 month blackout period after being acquired before they qualify for a reward.

[...]

Submitted by

Facebook to buy Instagram

Posted 09 April 2012, 5:14 PM. In Facebook to buy Instagram.

for One Billion dollars

One of the most popular photo sharing sites just got a little more powerful. While the war of words between the iOS users and the Android community continues, Facebook has stepped in to say they will offer one billion dollars for the popular mobile photo app.

Quote

Facebook said Monday that it will spend $1 billion to acquire the hugely popular mobile photo app Instagram. As Facebook prepares for an initial public offering of stock later this spring, the deal is the first major purchase by the world's most popular social network of another online property with millions of users.

"For years, we've focused on building the best experience for sharing photos with your friends and family," Facebook founder and CEO Mark Zuckerberg said in a post. "Now, we'll be able to work even more closely with the Instagram team to also offer the best experiences for sharing beautiful mobile photos with people based on your interests."


Quote from Mercurynews.com article by Mike Swift 04/09/2012 02:47:42 PM PDT. For the complete article Click Here [...]

Submitted by

New ransomware called Anti-Child Porn Spam Protection

Posted 08 April 2012, 2:42 PM. In New ransomware called Anti-Child Porn Spam Protection.

A new variant of the Malware Protection ransomware has been released called Anti-Child Porn Spam Protection. This ransomware pretends to be from a legitimate government organization and states that the infected computer is sending out SPAM that contains links to child pornography sites. The ransom program then states that in order to protect yourself, and others, it has encrypted your data using Advanced Encryption Standard, or AES, encryption. Just like the Malware Protection and the ACCDFISA Protection Program variants, these files are not actually encrypted but are password protected RAR files. The hackers then require you to send them a Moneypak, PaySafeCard, or Ukash card for values ranging from $500 - 1,000 USD in order to get the password for your files.

[Screenshot: Anti-Child Porn Spam Protection ransomware lockout screen]




When first run, this program will scan your computer for data files and convert them to password protected RAR .exe files. These password protected data files will be named in a format similar to test.txt(!! to decrypt email id 712113261 to security11220@gmail.com !!).exe. It will then use Sysinternals' SDelete to delete the original files in such a way that they cannot be undeleted using file recovery tools. It will also set a Windows Registry Run entry to start c:\dvsdlk\svchost.exe when your computer starts. This program is launched immediately when you log on and blocks access to your Windows environment. If you boot your computer using a Windows Recovery disk or another offline recovery CD, you can delete or rename the c:\dvsdlk\svchost.exe file in order to regain access to your Windows Desktop. This "lockout" screen will also prompt you to send the hackers the ransom in order to get a passcode for the system lockout screen and for your password protected files.

The files that this infection creates when it is installed are:



The Anti-Child Porn Spam Protection ransomware will also create a Windows service with a service name of fdPHosts, a display name of Function Discovery Provider Host Records, and an imagepath of C:\WINDOWS\system32\svschost.exe. This service will run in the background, creating password-protected copies of new data files that are created on the computer and then deleting the originals. Therefore, once you regain access to your computer you should immediately disable this service.

Unfortunately, at this time there is no method to create the passcodes, though one may be created in the future.


Update: 4/17/12

This ransomware has been updated today. It still uses the name Anti-Child Porn Spam Protection, but uses some different file names and service names.

The new Windows service that is created is NIaSvc, with a display name of Network Locatlon Awareness and an imagepath of C:\WINDOWS\system32\svschost.exe.

The files that are installed with this variant are:

[...]
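The file-name format, Run-entry path and service details described in the article above can be turned into an offline triage check. The following is an added example, not code from the article or its author; the function names are hypothetical and the sample listing and service records are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# File-name format quoted in the article:
#   test.txt(!! to decrypt email id 712113261 to security11220@gmail.com !!).exe
RANSOM_NAME = re.compile(
    r"^(?P<original>.+)\(!! to decrypt email id (?P<victim_id>\d+) "
    r"to (?P<contact>[^\s()]+@[^\s()]+) !!\)\.exe$",
    re.IGNORECASE,
)

# Indicators taken from the article's text (compared case-insensitively).
AUTORUN_PATH = r"c:\dvsdlk\svchost.exe"
SERVICE_IMAGE = r"c:\windows\system32\svschost.exe"
SERVICE_NAMES = {"fdphosts", "niasvc"}


def _norm(path):
    """Lower-case a Windows path and normalise '/' to '\\' (offline mounts)."""
    return str(PureWindowsPath(path.strip().strip('"'))).lower()


def triage_files(paths):
    """Split a file listing into ransomed archives and known program files."""
    archives, programs = [], []
    for raw in paths:
        m = RANSOM_NAME.match(PureWindowsPath(raw).name)
        if m:
            archives.append({
                "archive": raw,
                "original_name": m.group("original"),
                "victim_id": m.group("victim_id"),
                "contact": m.group("contact"),
            })
        elif _norm(raw) in (AUTORUN_PATH, SERVICE_IMAGE):
            programs.append(raw)
    return archives, programs


def suspicious_services(services):
    """Return names of (name, image_path) records matching the article."""
    return [
        name for name, image in services
        if name.lower() in SERVICE_NAMES or _norm(image).startswith(SERVICE_IMAGE)
    ]


# Constructed sample data (not from a real machine).
SAMPLE_FILES = [
    r"C:\Users\demo\Documents\test.txt(!! to decrypt email id 712113261 to security11220@gmail.com !!).exe",
    r"C:\Users\demo\Documents\Q1 (final).xls(!! to decrypt email id 712113261 to security11220@gmail.com !!).exe",
    r"C:\Users\demo\Documents\notes.txt",
    "c:/dvsdlk/SVCHOST.EXE",
    r"C:\WINDOWS\system32\svchost.exe",   # legitimate Windows binary, must not match
    r"C:\WINDOWS\system32\svschost.exe",
]
SAMPLE_SERVICES = [
    ("fdPHosts", r"C:\WINDOWS\system32\svschost.exe"),
    ("NlaSvc", r"C:\WINDOWS\system32\svchost.exe -k NetworkService"),
    ("Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
]

if __name__ == "__main__":
    found, programs = triage_files(SAMPLE_FILES)
    for item in found:
        print(item["original_name"], "<-", item["archive"])
    print("program files:", programs)
    print("services to disable:", suspicious_services(SAMPLE_SERVICES))
```

The recovered original names give an inventory of affected documents to compare against backups; the check does not recover the archive password.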

Submitted by

More than 600,000 Macs infected with Flashback botnet

Posted 05 April 2012, 9:47 AM. In More than 600,000 Macs infected with Flashback botnet.

More than half of those infected are in the United States

"Russian antivirus company says half the computers infected with malware designed to steal personal information are in the U.S. -- with 274 located in Cupertino."

Quote

More than half a million Macs are infected with the Flashback Trojan, a malware package designed to steal personal information, according to a Russian antivirus company.

The company -- Dr. Web -- originally reported today that 550,000 Macintosh computers were infected by the growing Mac botnet. But later in the day, Dr. Web malware analyst Sorokin Ivan announced on Twitter that the number of Macs infected with Flashback had increased to 600,000, with 274 of those based in Cupertino, Calif.


Quote from CNET News Article by Steven Musil Click Here

Following the linked article will also provide you a link for a patch. The article has been updated to provide that patch. [...]

Submitted by

Mojang announces new space game called 0x10c

Posted 04 April 2012, 8:09 AM. In Mojang announces new space game called 0x10c.

For the past couple of weeks, Marcus "Notch" Persson, the creator of Minecraft, has been dropping hints about a new game that he is developing. Today, Marcus announced on Twitter that the game is formally known as 0x10c and that a web site has been launched for this game at http://0x10c.com/. 0x10c is a space game where spacefarers from 1988 enter deep sleep and wake up at the unintended year of 281,474,976,712,644 AD to discover that the Universe is on the brink of extinction.

While 0x10c is still in early development, the web site states that it will be a space game with a one-time fee for single-player games and monthly fee for multiplayer games. At this point, the monthly charge for multiplayer has not been decided. The game will contain elements of what Notch calls hard science fiction, which he explains is the game being scientifically plausible with "as few hand-wavey things as possible".

The current known features of the game are:

  • Hard science fiction

  • Lots of engineering.

  • Fully working computer system.

  • Space battles against the AI or other players.

  • Abandoned ships full of loot.

  • Duct tape!

  • Seamlessly landing on planets.

  • Advanced economy system.

  • Random encounters.

  • Mining, trading, and looting.

  • Single and multi player connected via the multiverse.

The game will have some interesting features such as a generator that can be used to power your ship and its machinery. The generator will have a fixed wattage, which will be drained as you hook up machinery to it. This makes it so you will have to balance what machinery is running in the event you want to run high powered machinery such as a cloaking device.

There will also be a fully functional emulated 16 bit CPU, called the DCPU-16, that you can program to perform a variety of tasks. This also means that you will be able to create your own custom programs that will run on this virtual computer so that it affects the game. For those who have knowledge in assembly, Notch has released the full specifications of the DCPU-16 virtual computer.

Below we have gathered various tidbits of information that we have gleaned from Notch's twitter feed.

Single & Multiplayer Gameplay
  • Multiplayer will allow multiple people to crew a single ship.

  • There could be a shopping system for DCPU programs, and players could create their own shopping system.

  • The game will be in the perspective of first person inside the ship.

  • Simple graphics.
  • The proper pronunciation of the game is currently a secret.

DCPU-16 Information
  • You can create your own games and software that can be used on the virtual computer while you are waiting for a task to complete.

  • Programs that people make for the DCPU-16 can be traded with other players.

  • For multi-player strategy, players can make malware that can affect other players' computers. There will be no anti-virus software built in to the virtual computers. Players will have to clean the computer or create their own anti-virus programs.

  • The DCPU is only the CPU. Players will have to create their own operating system to run on it.

  • An emulator will be released at some point.

  • Notch states that he is looking into a memory mapped message queue for the I/O on the DCPU.

  • In order to load programs into the computer, you will need to create a loader.

  • There will be floppy disks and radio arrays.

  • Notch is "aiming at 100 khz at the moment, with hardware sprites and scrolling on the display."

Space Travel & Ship
  • The plan is to be able to orbit planets and drift if you cut the engines.

  • Duct Tape will be able to fix anything, but for a short period of time compared to more advanced methods.

Aliens
  • It's highly unlikely you are going to be able to have intimate encounters with alien races.

If you have any more info about the game, let me know and I will add it to this post. [...]

Submitted by

Microsoft completes operation to seize critical Zeus and Spy Eye co…

Posted 26 March 2012, 7:11 AM. In Microsoft completes operation to seize critical Zeus and Spy Eye command and control servers.

Microsoft announced today that it had successfully executed a seizure of command and control servers that has caused critical disruption for the Zeus and Spy Eye botnets. The Zeus Trojan is a computer infection that quietly sits on an infected computer while monitoring keystrokes in order to steal banking information. Once banking information is obtained, it transmits the login credentials to the remote cybercriminals, who then use that information to transfer the infected user's money to accounts under their control. It is estimated that over 13 million computers worldwide, with approximately 3 million in the US, are infected with this malware. There are also estimates that over $70 million has been stolen via this malware.

On March 23rd, Microsoft in collaboration with the Financial Services Information Sharing and Analysis Center (FS-ISAC), The Electronic Payments Association (NACHA), and Kyrus Tech Inc were escorted by U.S. Marshals to seize control of command & control servers for this banking infection. The servers were located in hosting locations in Scranton, Pa. and Lombard, Ill. This is the second time Microsoft has been involved in a disruption of the Zeus botnet and the first time Microsoft had collaborated with other organizations as part of this take down.

The analysis of these servers will allow Microsoft and its partners to further determine how many and which computers are infected. This information can then be shared with Internet Service Providers and consumer watchdogs to help alert users that these infections are located on their computers. With information sharing and education, Microsoft hopes to undermine, if not eliminate, the criminal infrastructure behind the Zeus and Spy Eye organization. [...]

Submitted by

NASA Grail beams down pictures of the moon for middle school students

Posted 22 March 2012, 1:50 PM. In NASA Grail beams down pictures of the moon for middle school students.

MoonKAM, or Moon Knowledge Acquired by Middle school students, is a new program created by NASA that is dedicated to engaging middle school children in science and engineering. Powered by the twin GRAIL spacecraft called Ebb and Flow, the MoonKAM program allows students in the 4th grade through the 8th grade to select target areas of the Moon that they would like pictures taken of.




First picture selected by students using the MoonKAM program


The above image of the surface of the moon, with Earth in the background, was sent by Ebb as part of the first set of images selected by students involved in the MoonKAM program. The first set of images was selected by over 60 students between March 15th-17th and beamed back to Earth on March 20th. The honor of the first selection of images was given to fourth grade students of the Emily Dickinson Elementary School in Bozeman, Mont. for winning a national contest to rename the twin spacecraft. [...]
