Ever wondered exactly how people who enjoy putting malicious files into the wide blue yonder ensure their bundles of joy are as attractive as possible to those who would happily download them?

Well, I came across this program today and thought it was worth looking into. It dips into what's hot and current in the world of free downloads then uses that to ensnare as many potential victims as possible.

How do they do it?

iwrz01.png

The above program helps, for starters. Fire it up and you see this:

iwrz02.png

As you can see, there's a number of "Top 100" options for music, videos, software and a download button. What are we downloading, and from where? The answer to the first question is quickly revealed when you see a number of text files deposited in one of the application folders:

iwrz03.png
Open up the "Musik" file, and you're presented with a long list of rather current albums:

iwrz04.png

A quick check of network traffic and the source of the lists is clear:

iwrz07.png

Compare the list of albums above with the below screenshot of the Top Album Torrents on The Pirate Bay, organised by number of Seeders:

Popular Pirate Bay Downloads, originally uploaded by Paperghost.

In a simple (yet rather clever) move, the program organises the various types of file according to which have the largest number of seeders on The Pirate Bay, then rips the names of each file (be it music, video or something else altogether) and arranges them in lists on your PC. From there, it is child's play to apply the names of the files to your infections (it also allows you to change file sizes, icons and remove version data to make your infection look more like the real thing) then offer them as downloads on forums, free file hosting and anywhere else the attacker can think of.

By using this tool, someone with a penchant for rogue file distribution is always going to have an easy to use list of the freebies most in demand by the downloaders, and (unfortunately for us) it all makes pimping their infections that little bit easier.

Talk about harnessing people power...
"Block Checkers" are those wonderful scam sites that claim to be able to show you who has you down as "blocked" on your favourite IM application. They've been around for a while, but always take the form of a website that you enter your details on. Once you've entered your login, you can expect to see your IM account sending lots of spam for viagra (along with adverts for the block checker site you used) to all of your contacts.

It's a rather spectacular way to lose all your friends on Instant Messaging (and it quickly answers the question "Who is blocking you?" Answer: everybody).

Well, some wily individual has taken inspiration from the static webpages and come up with a Block Checker in the form of an executable file. However, this one has somewhat more sinister intentions than spamming links to a useless block check website with the occasional advert for a genuine Rolex watch.

Shall we take a look?

mobbkck1.jpg

"MSN Block Checker", from Microsoft Corp. A quick check - aha - will reveal a different story:

mobbkck2.jpg

"MsnFake"? Oh dear. Here's what the program looks like when fired up:

mobbkck3.png

Do you want to see the obligatory fake error message that appears when you enter your Windows LIVE ID and hit "Sign in"? Of course you do.

mobbkck4.png

Faintly humorous that they left "MsnFake" in the popup box. Examining the code of the program rather gives the game away:

mobbkck5.png

Yes, your LIVE ID login will be mailed back to base. Given that your Windows LIVE ID could be associated with your IM account, your EMail, XBox Live and a bunch of other stuff this could be a Very Bad Thing(TM).

One bright spot here is that the program is being distributed in pieces - that is, as a collection of files and images that need to be compiled once you've entered the EMail address you want the stolen logins sent to. Here's what the typical wannabe user will see immediately after downloading it:

mobbkck6.png

Hopefully this will result in lots of people creating absolutely unusable infection files, but it pays to be on your guard. NEVER, EVER run a "Block Checker" program because generally speaking a scam based on a scam is not a good thing to get tangled up in.

We detect this file as Mob.Blockcheck.
You might want to keep an eye on your honesty levels over the next few weeks where Facebook is concerned - sometimes trying to find out more than you're entitled to will bite you on the backside as we're about to see.

You may or may not be familiar with the "Honesty Box" application on Facebook - like similar features on Myspace etc, it allows people to leave entirely anonymous messages on your Facebook page to the tune of "I love you" or "You're a big stinky head" leading to hours of fun for all the family.

It seems a group of individuals are spamming a fake program to the walls of unsuspecting Facebook users, promising to "reveal all" with regards who called them an idiot at 2 in the morning:

honbox2.jpg

The program claims it will strip out the hidden data from your honesty box, then convert it into a name so you know who left the message. Of course, it's all nonsense; the program is bound with a random Keylogger / Trojan / Virus of the attacker's choosing, which means your day could take a very random and unfortunate turn depending on what they have in store for you.

Fakey fakey, originally uploaded by Paperghost.

This could be a perfect setup for scammers to phish accounts, then use those compromised accounts to spam the application onto more Facebook walls where new victims can be attracted by the lure of "really secret stuff".

Avoid!

Fake Keygen, originally uploaded by Paperghost

If you have an annoying relative who can't help themselves when it comes to grabbing "free stuff" online which turns out to be "horrible stuff" once they run the file, you may want to direct them to this blog entry with vague finger wagging and maybe the occasional grimace.

A fake program designed to be bound with whatever infection file the attacker decides upon is currently doing the rounds on forums and the odd video sharing website comment.

As you can see from the above screenshot, it's a fake Kaspersky Keygen and once you run the file you'll activate whatever nasty it's been bundled with. You can see a rather funky animated version of the above here, as it pretends to generate serials while dropping some Leet Hax-Fu on your system in the background.

Of course, the solution here is not to run Keygens and buy the product legitimately but failing that, show your wayward relative this post then confine them to the attic with a bucket of fish heads...
Not so long ago, I wrote about "Google are hiring" spammers on Twitter, and how they were apparently using "Twitter like" bird images as their avatar - one would think to make themselves look a little more "official" than someone with a "buy stuff now" image which would be a clear clue to a spammer.

I said "There's a lot of these profiles around at the moment - ignore / block the lot of them and hope Twitter gets a grip on this fresh wave of spammers..."

At the time, I thought it was obvious that I was referring to blocking them based on their message content (as opposed to the images they used, however funky or generic they may be) but it seems I should have been clearer and now someone is a little grumpy about it.

It was later pointed out that the images were the new default images for Twitter profiles without an avatar - due to an error with the comments moderation, the two comments posted to that (along with a bunch of others) were lost to the void and only recently reclaimed.

No problem, article updated.

However, there's this blog entry still to address (written six days after a comment was made from a poster whose submission went AWOL) and I don't think she's very happy with me:

"I have friends with these new bird avatars and I can attest to the fact that they are not spammers. They do not deserve to be blocked and treated as if they are. They have done nothing wrong."

The image change was something I noted about the spam accounts; however, I thought the rather large clue as to who to block was in the screenshot and article title: namely, accounts spamming "Google are hiring".

googzhrz101.jpg

After all, why would you block a friend if they weren't physically sending "Google are hiring" spam given that was what the spam accounts were sending? It seems faintly ludicrous to think someone would mentally disassociate the content from the ultimate decision to block communications based purely on me mentioning the image changes, but there you go. I'll try to be clearer next time, and I guess I'll place the award on the mantelpiece...
colon_bt.jpg

Lots of companies now use Twitter as a form of customer support / PR, but in the wake of the latest Twitter Phish run involving, er, colon cleansing...the account for BTCare (British Telecom) seems to have fallen victim to the same scam.

What particularly alarms me here is that no sooner has the BT account been notified and cleaned up than it's back to what they normally do, which involves - wait for it - resolving customer support issues by sending (and asking for) information related to customer accounts via Direct Message!
btaccountask.jpg

Wait, your account was apparently compromised not so long ago and now you're back to asking for account details via Direct Messages on Twitter?

No, no, no. Although the above message is probably legit, I really don't think firing information related to telephone accounts should be done via a third party system such as Twitter, especially when you've just been phished - not exactly a Ben Stiller circle of trust going on here, is it?

Frankly, they're lucky the account hijacker was only interested in sending out colon cleansing messages - I'd hate to think what kind of information could have been sitting in their Direct Message tray...

Phishing For Dummies

phishingforskiddies.jpg

...the best part is, there's a three page thread on one forum promoting this EXE stuffed to bursting point with people saying "thank you" for the download.

Har-de-har.
Yesterday I happened to see a particularly creepy advert containing a number of rotating images claiming to offer "Hacked Facebook and Photobucket accounts" for a price:

hackedfbaccts1.jpg

The site the image links to is called...well, see for yourself.

Wait...what?, originally uploaded by Paperghost.

Yes, the site is actually called "Hackedsluts.com" and claims to offer up an endless series of images from "hacked" accounts including Myspace, Photobucket and Facebook in return for a monthly fee. Or, as they like to put it:

"Every day we prowl Facebook, Photobucket, Myspace and a ton of others....then we let our team of hackers do their thing"...

As porn site marketing campaigns go this one is certainly, uh, different.

Account hacked!, originally uploaded by Paperghost.

Just to force the message home, hovering over any image will pop up some text on top of the picture:

hackedfbaccts5.jpg

Just when you think they can't possibly get any creepier or salacious, the final image at the bottom of the first set actually looks like this:


Extreme, originally uploaded by Paperghost

...yep, we'll throw in dubious claims of hacked accounts / stolen images AND we'll lob in a blood splattered "Too extreme" banner supposedly covering up some of the pictures. While this is clearly a piece of Lame Marketing 101, the overall effect of the site is extremely disturbing.

Are the images actually stolen? It's doubtful; in all probability the bulk of the content (if not all of it) is made up of stock pornographic content. But simply claiming they've been plundering images from supposedly hacked accounts on Facebook, Myspace and all the rest of them for financial gain blows my mind, is an amazingly dubious piece of non-ethical marketing and is surely a fast track to a day in court.

You would hope...
(Huge thanks to Baz of Malwarecrawler.com, who provided the Vkontakte.ru screenshots, translations and helped me to make the connection between a number of rogue blogs I'd been looking at recently and a particularly nasty Vkontakte scam that I had no idea existed until yesterday).

Now that we've got that bit out of the way, your first question may well be "What is Vkontakte"?

Well, it's billed as the Russian Facebook and seems to be pretty popular (45 million users as of October 09). With that amount of users, it seems that the usual "build it, and they will come" rule applies to scammers, phishers and malware authors as we shall see.

What's Happening?

You know how on Facebook you get those wonderful Koobface worms that post links to fake videos, and if you run the file you end up with infections galore and a bunch of messages posted to the walls of your friends?

This is a similar scenario, with messages (which may or may not be automated) posted to Vkontakte pages which lead to malicious downloads - many of which will do horrible things to your computer if given the chance including account theft, Trojans and desktop lockouts.

Here is a sample message posted to a typical Vkontakte page:

Vkontakte Fake Exploit Message, originally uploaded by Paperghost.

It says that there is a "mega hole" in Vkontakte which allows you to see private profiles. Click the link, and you're redirected to one of a chain of Blogspot blogs which look like this:


Vkontakte Scam Blog, originally uploaded by Paperghost.


Here is the translation, courtesy of my new pal Baz:

Page title: Mega hole in Vkontakte!

How to get full access to a private Vkontakte profile and how to defend your profile


This hack will be fixed at any moment, so use it before it is too late!

Everything is very simple.

1. Download the program <link> <mirror>

2. Run it

3. Enter the id of the profile you want to get access to.

Finding the id is very simple, just go to the person's (profile) page and at the top there will be something that looks like: http://vkontakte.ru/id******

4. Afterwards, you will have full access to the profile of the person whose id you have entered.

If you have any doubts, just check the program with antivirus and convince yourself that everything is in order.

If the first program didn't work, here is the second: <link>


Depending on the payload, you may end up with Trojans, Rootkits, worms and / or other assorted junk deposited on your PC with a strong emphasis on SMS scamming. We'll take a look at some of those momentarily, but I should mention a particular spamming technique that Baz spotted which seems to be getting past whatever spam filters Vkontakte has in place.

On Facebook you've probably seen the graffiti wall application, which allows you to draw an endless series of humorous body parts on the wall of your choice. Vkontakte has a similar (if not identical) application, and it looks like the scammers are pasting their "massive hole" messages onto that which neatly sidesteps spam filters.

Vkontakte Graffiti Spam, originally uploaded by Paperghost.

"ahahahaha!!! s*it!! I got access to your profile via vkon-fire.msk.ru"

Pretty smart.

What do the files do?



Vkontakte Scam Infection Files, originally uploaded by Paperghost.

Here's a bunch of scan results, feel free to browse through and be glad none of them were dropped onto your computer. In general, the files claim to attempt contacting the Vkontakte servers, then "fail" with a nice fake error message; meanwhile (...you know the drill...) a wide variety of junk is inserted onto the PC behind the scenes and your login vanishes into the wide blue yonder.

The messages posted to the Vkontakte site may or may not be automated; none of the files tested display any sign of worm related shenanigans. A big part of this scam is a phishy Hosts file hijack:


Vkontakte Scam Hosts file hijack, originally uploaded by Paperghost.
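A defender-side check for the kind of Hosts file hijack shown above, added here as an example (it is not code from the original post or from Baz's analysis): it parses a Hosts file and flags any entry that points vkontakte.ru, or a subdomain of it, anywhere other than loopback or the 0.0.0.0 blocking address. The sample Hosts content and the 203.0.113.7 redirect address are constructed placeholders, not indicators taken from the post.

```python
import ipaddress
import sys

# Domain the scam in the post targets; subdomains are matched too.
WATCHED_DOMAINS = {"vkontakte.ru"}

# Default Hosts file locations on the platforms the scam files run on.
HOSTS_PATHS = {
    "win32": r"C:\Windows\System32\drivers\etc\hosts",
    "default": "/etc/hosts",
}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a Hosts file body.

    Handles inline '#' comments, blank lines, IPv4 and IPv6 addresses and
    several hostnames on one line. Lines that do not start with a valid
    address are skipped rather than treated as errors.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower().rstrip("."), line_no


def is_watched(host, watched=WATCHED_DOMAINS):
    return any(host == d or host.endswith("." + d) for d in watched)


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return watched-domain entries that resolve to a real (non-local) address.

    Loopback and 0.0.0.0 mappings are how ad blockers and sinkholes use the
    Hosts file legitimately, so only entries pointing elsewhere are reported.
    """
    hits = []
    for ip, host, line_no in parse_hosts(text):
        if is_watched(host, watched) and not (ip.is_loopback or ip.is_unspecified):
            hits.append({"line": line_no, "host": host, "ip": str(ip)})
    return hits


# Constructed sample Hosts file; 203.0.113.7 is a documentation-range placeholder.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.doubleclick.example   # local ad block, harmless
203.0.113.7     vkontakte.ru www.vkontakte.ru
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for hit in find_hijacks(text):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```

Run it with no arguments to see the constructed sample flagged, or pass the path to a real Hosts file (see HOSTS_PATHS) to check a machine.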

Something to note where the Hosts file hijack is concerned - they'll swipe your login details and potentially direct you to the following fake login, complete with SMS activation code:

Vkontakte SMS Message, originally uploaded by Paperghost.

Yes, they'll take your login and your money too. However, I want to wrap up with this particularly eye watering file:

Vkontakte SMS Lockout File, originally uploaded by Paperghost.

"Activate"? Whatever does it activate, I hear you cry? Well...


...ouch. It claims you're running an unlicensed version of Windows, and won't give you your desktop back until you cough up a random amount of cash via SMS.

All in all, a nasty collection of exploits and scammery - if you know anyone who uses Vkontakte, feel free to give them a heads up and avoid any random messages promising access to secret profiles / images / leprechauns.
If you still don't have a Google Wave invite, you may want to be aware of the following while trying everything you can to obtain one.

We're seeing quite a few programs being circulated in relation to Google Wave at the moment - some originate from script kiddy forums, others hail from parts unknown.

In both cases, these programs all claim to automatically generate a Google Wave invite.

Here's an example of one such program lurching out of a leet hax site that's already flagging up on VirusTotal with a low detection rate; very nice it looks too, lifting the content from this page here.

gwave1.jpg

Of more concern, however, is something that's been popping up on numerous forums over the last week or two in the form of what is likely XRumer assisted spamming. In each case, this person pops up on a site and claims to have been a longtime user, before offering up a program that will (of course) double up as a means of making some quick money while giving you all the Google Wave invites you could possibly want:

gwave2.gif

Humorously - or not, as the case may be - the spammer hasn't quite got the hang of this yet because if you look at the supposedly reassuring "Virus scan" results they managed to leave in scan results that claim the file is infected!

Whoops. Anyway, the download location looks even more suspicious when you're taken to a site that contains text files of the forum spam listed above, spam related keywords and an XRumer instruction manual.

gwave3.gif

Fire up the program, and you're presented with this:

gwave4.gif

Note that it asks for an email address and password, which is highly dubious - worst case scenario, end users could unthinkingly send a current email / password combination into the wide blue yonder with no idea who is at the other end. Should you hit the "Generate Invite" button, the program promptly crashes...a favourite ploy of programs that claim to give you the Earth and everything in it, but suffer a last minute technical hitch while they get up to mischief in the background.

Should you take a quick look at the real VirusTotal scan results, it's clear there are some strange things afoot with 12 out of 41 security vendors detecting this program as a threat.

gwave5.gif

While I haven't had nearly as much time examining this file as I'd like, all of the above is more than enough to have me strongly advise against downloading / running this program - or indeed, any of the tools currently in circulation claiming to get you quick access to Google Wave.

Patience is most definitely a virtue, and it might just be a PC saver too...