May 2007 Archives

Background: In recent months, there have been a number of so-called "Skype Worms" that spread in the same way as a typical Instant Messaging infection: the user is sent a malicious link, clicks it and becomes infected, assuming they run the executable file waiting for them at the other end. Here's one - here's another.

Yesterday, I discovered what appears to be a new collection of "Skype Worm" infection binaries in circulation - it uses the tried and tested methods employed by similar infections over the past few months, with the ultimate payload being the Stration Worm. Aside from that, there's another little surprise waiting but we'll get to that shortly...


...the above is a .pif file, pretending to be "photos". Yes, there are many people who will fall for this. If you were sent there via a malicious link in your Skype client (from an infected friend, say) and then decided to run the file, you'll shortly have numerous files clogging up both your System32 and your Windows folders.

At this point, you may be notified by the Skype client that something is not quite right:

Allow the file to "access Skype", and your contacts will see the below:

...with the infection message leading to more rogue files. Remember the "little surprise" I mentioned earlier? Well, it looks like the makers of this bundle wanted to hedge their bets, so with that in mind, one of the files deposited onto the target PC checks to see if a number of different Instant Messaging programs are installed. After a little while testing some of the applications mentioned, we eventually saw the below pop up on a test machine, courtesy of one of the additional files downloaded to the PC:


...and here it is sending an infection message via MSN Messenger:


The infection checks the registry for evidence of programs like AIM, Trillian, Yahoo Messenger, Miranda and (of course) ICQ; so far, however, we've only seen it fire a message to an ICQ and an MSN Messenger client. Skype appears to be the main delivery mechanism for the messages it sends, but the potential for the infection to leap across various networks is obviously there. The domains the files are hosted on have already been flagged for spam-related practices (Viagra pills, mostly), and the whole operation is very similar to previous outbreaks of these Skype worms. In all likelihood it's the same people behind this wave of attacks, too.
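On the defending side, the tell for this kind of worm is not the message text but the pattern: one account pushing the same link to many contacts in a very short time, and the link pointing at a file Windows will run directly. The Python below is an added example written for this write-up; it is not code from the worm or from the researchers. The chat log format, the contact names, the example.invalid host and the "three recipients in five minutes" threshold are all constructed assumptions, and the log itself is a made-up sample.

```python
"""Spot an IM worm's link blast in a chat log.  The log format and all names
below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# File types Windows runs directly; a lure called "photos" with one of these
# extensions is the tell.
EXEC_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}

# Constructed sample: one compromised account pushes the same lure to four
# contacts inside a minute; the other links are ordinary chatter.
SAMPLE_LOG = """\
2007-05-14 10:02:11 alice -> bob: hey, did you see http://example.invalid/news/index.html ?
2007-05-14 10:05:40 mallory -> bob: my photos :) http://example.invalid/photos.pif
2007-05-14 10:05:41 mallory -> carol: my photos :) http://example.invalid/photos.pif
2007-05-14 10:05:43 mallory -> dave: my photos :) http://example.invalid/photos.pif
2007-05-14 10:06:02 mallory -> erin: my photos :) http://example.invalid/photos.pif
2007-05-14 10:30:00 bob -> alice: yes, and the follow-up http://example.invalid/news/index.html
"""

# Assumed log line shape: "<timestamp> <sender> -> <recipient>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) -> (?P<dst>\S+): (?P<text>.*)$"
)
URL_RE = re.compile(r"https?://\S+")

def parse_log(text):
    """Return a list of (timestamp, sender, recipient, url) for every link."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate noise such as status or system lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        for url in URL_RE.findall(m["text"]):
            events.append((ts, m["src"], m["dst"], url.rstrip(".,;)")))
    return events

def url_extension(url):
    """Extension of the path component, ignoring query string and fragment."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def find_link_blasts(text, min_recipients=3, window=timedelta(minutes=5)):
    """One alert per (sender, url) that reached at least min_recipients
    distinct contacts within any span of length `window`."""
    per_link = defaultdict(list)
    for ts, src, dst, url in sorted(parse_log(text)):
        per_link[(src, url)].append((ts, dst))
    alerts = []
    for (src, url), sends in per_link.items():
        for start, _ in sends:  # slide the window over each send time
            recips = {dst for ts, dst in sends if start <= ts <= start + window}
            if len(recips) >= min_recipients:
                alerts.append({
                    "sender": src,
                    "url": url,
                    "recipients": sorted(recips),
                    "executable": url_extension(url) in EXEC_EXT,
                })
                break
    return alerts

if __name__ == "__main__":
    for alert in find_link_blasts(SAMPLE_LOG):
        print(alert)
```

The threshold is deliberately low; in practice you would tune it per network, and the `executable` flag is what separates a popular news link from a .pif lure when the recipient count alone is ambiguous.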

As always, be careful what you click on...

Write up, Research: Chris Boyd, Director of Malware Research
Research: Ramesh Kumarasamy, Threat Research Engineer

Here's an interesting roundup of unrelated Chinese oddities for you to get your teeth into. First off, let's look at something that redirects you; where to, you'll see shortly...


From this file leaps great things - or at least, a bizarrely named hijack:

That's right, your IE homepage is hijacked (Beta!) and restrictions are placed in the IE settings so you can't change it back easily. The site itself is a typical Chinese multimedia website, with an endless collection of videos and flash animations:

...yeah, makes no sense to me either. So there we have it, short, sweet and, er, odd.

Next up, something that I came across while looking for something else - sadly, the main site this stuff launches from is apparently dead but that doesn't mean we can't take a look at it:


...well, we all like sweets, right? If you run the executable, you'll see what is presumably a EULA:

Of course, I have no idea what it says but let's press on anyway:

I can't be sure, but it looks like some sort of media player. Another offering from the same people gives us a (very limited) web browser:

...again, with the main site down it doesn't currently do much other than sit there and look nice. However, thanks to the wonderful Internet Archive, we can go back and have a look at the main site, and it looks like a good bet that both of these applications were simply there to serve up the movies and videos from that website. If the site ever comes back online, we might be able to get a firm answer and wrap everything up in a neat little bow or something...

Here's a weird one - there are hints and suggestions that some sort of advertising mechanism is in place, but with the program being from Korea it's vaguely tricky to know exactly what is going on. Let's take a look anyway...

Of course, the site is in Korean and the EULA isn't exactly easy to understand which doesn't really help:

In fact, the installer is so fiddly it took a good five minutes to work out what buttons to press to get it to run in the first place! After everything is up and running on the PC, this is what we're left with:


...and now, it's time to run this thing and see what it does! An icon is dumped onto your Taskbar and into IE itself, and when you click either you see this:

...yeah, I have no clue either. If you click into the other tab, things look a little more useful:

From the looks of it, one of the primary functions of this program is to store basic "notes" about the sites you visit in the interface. Beyond that, I have no idea if you can do more with the data you input, or if the program has any other "features". Here's where it gets interesting - from the translated page:

To case of the keyword which the user does not register with the site which generally is useful movement
- Ex) Seoul watching -> and pcfree ->
- -> With www automatic conversion function.
- In compliance with the malignant cord or other Hangul (Korean alphabet) keyword program the function which intercepts the part which is rightly connected with an advertisement characteristic site in the dictionary.
- The user wants search engine configuration feature.
- Up-to-date version connection (DirectConnector) it maintains rightly the automatic update function for. (Default)

Allowing for a hopeless translation, this is effectively saying it grabs keywords and relates them to advertisements in the "dictionary". Of course, I don't know what "dictionary" they speak of. Built in word-list to pop relevant adverts? Or something else altogether? Who knows, but I couldn't get it to pop anything while running it so a final decision on this thing is still pending.

...don't you just hate it when that happens?

Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery: Chris Mannon, FSL Senior Threat Researcher

Skype Phish?


After hearing a few reports of Skype Phishing these past few days, one of my colleagues happened to come across the below site:

Two excellent articles you really should read:

"Scammers gaming YouTube ratings for profit"

You'll never look at a can of Iron-Bru in the same way again...

"Spyware hunter probes larger market flaws"

A nice insight into the world of Ben Edelman (check out the pictures to see his triple-monitor-of-doom!)

You might have seen a recent flurry of USB Worms in the news - well, one of our researchers found what appears to be a variant targeting (as you might have guessed from the title) Firefox, Orkut and YouTube.

How does this happen? For starters, if you have the infection file on your computer (before activation) it'll probably look something like this:


Not too bad yet, right? Well, if you're unfortunate enough to double click the thing and run it (of course, outside a test environment it would arrive and launch on its own from an infected USB drive) your day will take a turn for the worse. Attempt to use Firefox and you'll see this (along with an MP3 of someone laughing at you playing in the background):

"Use Internet Explorer you dope - I don't hate Mozilla but use IE or else"

At this point, you can't use the browser and it closes automatically on you.

Jumping over to IE, if you attempt to get to the Orkut website....


The "fun" doesn't end here, however - because whoever made this apparently isn't too keen on you visiting the YouTube website either:

Of course, the people behind the infection files can deny an infected user access to whatever sites they feel like - in that sense, it's not that different from putting a website into your HOSTS file. For whatever reason, this individual felt the need to vent their spleen at YouTube and Orkut and blocked them via the infection file. Needless to say, this spreads the same way the first wave of USB infections did (an Autorun.inf file):

Finally, it's worth noting that some of these files are designed so that the .EXE looks like a folder on your desktop:


You'd be surprised how many people fall for that. I've also written about this elsewhere, and if you'd like to see the hijack in action (and hear the wonderful laughter that plays when you try to use Firefox, Orkut or YouTube) then click here.
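Three checks a practitioner would want against what this post describes, as an added Python example (it is not part of the original post and not the worm's own code): a tolerant parser for autorun.inf that pulls out every command the file would launch when the drive is inserted, a pass over a drive listing for executables that borrow a sibling folder's name or hide behind a double extension (the "looks like a folder" trick above, checked by name since we can't see icons here), and a HOSTS-file scan for well-known sites pointed at loopback, which is the comparison drawn above for how the Orkut and YouTube blocking behaves. The autorun.inf text, the file listing, the HOSTS content and the watch-list domains are constructed samples, not files recovered from this infection.

```python
"""Checks for USB-worm tradecraft: autorun.inf launch keys, folder-lookalike
executables and HOSTS-file sinkholing.  All inputs below are constructed."""
import os

EXEC_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Constructed autorun.inf: mixed case, padding and a quoted value, the sort of
# thing a strict INI parser may trip over but Windows happily reads.
SAMPLE_AUTORUN = """\
[AutoRun]
  OPEN = Photos\\Photos.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\Command=Photos\\Photos.exe
shellexecute = "Photos\\Photos.exe"
useautoplay=1
"""

# Constructed drive listing as (name, is_directory) pairs.
SAMPLE_LISTING = [
    ("Photos", True), ("Photos.exe", False), ("holiday.jpg.scr", False),
    ("notes.txt", False), ("setup.exe", False),
]

# Constructed HOSTS file with two popular sites pointed at loopback.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.orkut.com orkut.com   # added by the hijack
127.0.0.1 www.youtube.com
0.0.0.0 updates.example.invalid
"""

def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lowercased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries

def autorun_launch_targets(text):
    """Every command autorun.inf would run: open, shellexecute, shell\\*\\command."""
    targets = []
    for key, value in parse_autorun(text).items():
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            targets.append((key, value))
    return targets

def _ext(name):
    return os.path.splitext(name)[1].lower()

def folder_lookalikes(listing):
    """Executables named after a sibling folder ('Photos' next to 'Photos.exe')
    or carrying a double extension ('holiday.jpg.scr')."""
    dirs = {name.lower() for name, is_dir in listing if is_dir}
    flagged = []
    for name, is_dir in listing:
        if is_dir or _ext(name) not in EXEC_EXT:
            continue
        stem = os.path.splitext(name)[0]
        if stem.lower() in dirs or _ext(stem):
            flagged.append(name)
    return flagged

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

def hosts_sinkholes(text, watchlist):
    """Watch-listed domains (or their subdomains) mapped to loopback or null."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINKHOLE_IPS:
            continue
        for host in fields[1:]:
            h = host.lower()
            if any(h == w or h.endswith("." + w) for w in watchlist):
                hits.append((h, fields[0]))
    return hits

if __name__ == "__main__":
    print(autorun_launch_targets(SAMPLE_AUTORUN))
    print(folder_lookalikes(SAMPLE_LISTING))
    print(hosts_sinkholes(SAMPLE_HOSTS, {"orkut.com", "youtube.com"}))
```

Feed `parse_autorun` the real file from a suspect drive and `folder_lookalikes` a listing built with `os.scandir`; any launch target at all on a removable drive is worth a look, since legitimate autorun.inf files on USB sticks are rare outside vendor installers.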

Write up: Christopher Boyd, Director of Malware Research
Research and Discovery: Manoj V, Malware Threat Researcher

TV Hacking...


From Taipei Times

The signal of a government-run television station in southern China was hijacked by alleged hackers who used the frequencies to broadcast anti-government content, press reports said yesterday...during the blackout, anti-government images lasting up to 40 seconds appeared on television screens in Guangzhou, the provincial capital of China's economically booming region of Guangdong, the report said.

If memory serves me right, there have been numerous incidents of people hacking roadside information displays in the past but they usually carried humorous messages and insults. Hacking a TV channel in China to push Anti-Government messages is pretty hardcore.

We recently came across two Chinese hijacks (one weighing in at around 30MB, the other at 15MB) that can bring a PC to its knees. The files that arrive seem to be a little bit random, but a good number of them have the potential to send your CPU usage through the roof and keep it there until your PC keels over. With a whole bunch of them installing at the same time, blue screens and repeated crashes are the order of the day. I briefly mentioned this thing here - consider this write-up a sample of what you can expect if you're unfortunate enough to be hit by it. It goes without saying that there's spyware, adware, malware, rootkits and pretty much everything else you can think of in this payload - in fact, feast your eyes on a sample of some of the files installed:

I'm sure you'll agree, that's one seriously big pile of stuff.

Normally, I'd walk you through an install step-by-step, but in this case there's not much point. When the install starts, your desktop pretty much freezes and the only way to see what's on there is to reboot, hope it doesn't crash and start digging (with the CPU at 100% all the way, of course). Doesn't sound pleasant, and it most certainly isn't. With that in mind, here's a more-random-than-usual selection of screenshots from both hijacks...

This isn't going to be good, is it? Here's another random error from the pile:


There were quite a lot of errors generated, as it turned out. When I wasn't looking at error screens, I was beaten down with prompts to install all kinds of things. The below installer prompt wants to install a Toolbar onto the computer:

...and for completeness, here's the inevitable shot of the Toolbar:


I'm guessing you want to see a shot of the Task Manager at this point, yes?

You can see the PC is already at 100% CPU usage, and half the things on there are already "not responding".

You can see a nice selection of browser windows open here, stuffed with rotating adverts (both Firefox and Internet Explorer).


Nope, I have absolutely no idea what I'm being asked either.

Most of the files don't produce any visuals - only a few pop adverts; the rest run silently and kill your machine. The other hijack installer (the one that eventually sucks down roughly 15MB of files) was calling a lot of the same stuff and popping the same adverts - for starters, that Toolbar appeared in both bundles. So we ran that one too (thinking a game of compare and contrast would be fun) and sure enough....

More popups! More silent files that flood your Task Manager and kill off your PC!

The above is an installer prompt for a program we've covered before. Don't worry, you'll see what it is in the next screenshot...

Here, you can see something called "Disk Free" - I'd like to tell you if it's any good or not, screens etc. Note the bottom right hand corner - that's our old pal Coopen, the desktop-picture changing marvel (come on, you don't think I selected that picture myself, do you?)

While we're on the subject of old friends, remember the CNNIC? Sure you do. I didn't know they had some kind of Messenger program, though:


I found that image along with a bunch of files, though the Messenger itself didn't appear to want to work. Shame.

As I've already mentioned, this second install is a little lighter on the CPU than the first, so it was possible to follow most of the install in one go. Imagine my surprise, then, when the following made itself known....

Kubao is some sort of IM / P2P Messaging system, and (as far as I can tell) works a little like Skype...


You wouldn't believe how long it took me to create an account and log into the thing, but there's a screenshot of it in action anyway.

...oh, and here's some weirdo Anime RPG game apparently populated with volleyball players or something.

As you may have noticed, neither of these hijacks is something you'd want on your computer. There seems to be a vague hint of moneymaking involved, but whoever put these things together wasn't thinking straight when they decided how many individual files to install onto the PC. There's an art to concocting a hijack that doesn't kill the PC, and these guys were presumably absent from Hijacker School that day. In terms of bandwidth used to perform these installs, the particularly brutal way your PC is taken over and the complete disregard as to whether or not the thing actually functions properly afterwards, I'd have to rate these as two of the worst computer beatdowns I've yet encountered.

The "brave new world" of Chinese Malware hijacks is truly upon us. I'm just not quite sure we're ready for it...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: FSL Threat Research Team, WV

About this Archive

This page is an archive of entries from May 2007 listed from newest to oldest.