September 2007 Archives

A while ago, I wrote about Spammers using Skype to send unsuspecting users messages that their "copy of Windows needed updating", only to be taken to a page promoting a rogue antispyware tool.

Well, it looks like they've returned, ditching their old usernames (security.monitor.noXX) in favour of a new batch (security.monitor.njXX):

http://blog.spywareguide.com/upload/2007/09/secmonreturns-thumb.jpg
Click to Enlarge

As you can see, there are currently 21 of these accounts in Skype User Search. Do yourself a favour and ignore any messages from these accounts.

Sometimes we obtain files and they just sit there, doing nothing. Here's a case where we went back for a second look and lots of IRC activity eventually kicked into life. This particular infection takes place as follows:

1) The bad guys infect your PC with an initial infection link, dropping you into a Botnet.

http://blog.spywareguide.com/upload/2007/09/insidejtworm-thumb.jpg
Click to Enlarge

2) The Botnet is fired up periodically and they deposit a collection of Zipfiles (each containing more infections) onto your PC.

http://blog.spywareguide.com/upload/2007/09/zipstorage1-thumb.jpg
Click to Enlarge

3) Infection commands are then sent via IRC to tell the infected PC to send your contacts infection links to the Zipfiles stored in your Windows directory.

http://blog.spywareguide.com/upload/2007/09/msnjt_replacement-thumb.jpg
Click to Enlarge

Some of the infection messages include:

"Look at my new dancing movie"

"Look at me doing the moonwalk!!"

"Look what I found, more nude pictures of Justin Timberlake!"

We detect this (naturally enough) as JT.Moonwalk.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

Bubbles...For Kids!


The discovery of the Bubbles worm has led to the discovery of more and more variants across the internet. While all have essentially the same methods of infection, not all simply block security programs. FSL has come across a variant of the Bubbles worm that is designed to steal any and all sensitive information from the victim's computer through the most devious method of all...keylogging!

It starts with an executable downloaded from a questionable website. This executable copies itself into the system32 directory of the victim PC; the four files shown here are all copies of the main executable:

http://blog.spywareguide.com/upload/2007/09/hiddenfiles-thumb.PNG

Click to Enlarge

That's not all this worm does. It also looks for the game Runescape on the infected PC. Here's a screenshot taken from the main executable, pdo.exe:

http://blog.spywareguide.com/upload/2007/09/runescape-thumb.PNG

Click to Enlarge

For those not aware, Runescape is an MMO game whose target demographic is children, young teens, and teenagers in general. This worm is looking not only for "runescape", but for an "RS PIN:" as well. Could this mean payment details? Or (more likely), could they be referring to the victim's PIN for their in-game bank? Whether it's simply to loot your gold, or to sell the PIN on illegal forums, is unknown. That's not even the scariest part of this infection. It also logs everything the victim does on the infected PC, storing all logged information to a file in the system32 directory called syswinf32.dll.

http://blog.spywareguide.com/upload/2007/09/syswinf-thumb.PNG

Click to Enlarge

Syswinf32.dll stores extremely sensitive information monitored from the infected PC.

The above picture is just a sample of what was found in the .dll file. It shows applications that have run, any action taken within the application, any text typed, and any websites visited. Now that it's effectively stealing every piece of information on the victim PC, it's time for the worm to spread to every Skype contact.

http://blog.spywareguide.com/upload/2007/09/skypemsg-thumb.PNG
Click to Enlarge

Now this worm starts looking familiar. This is the exact same behavior we observed in the original Bubbles worm. When you put it all together, what do you get? You get a worm/keylogger that spreads through Skype contacts and targets the teenagers that play Runescape. Combine that with the big juicy MAILTO: in the main executable file and you have yourself a wonderful recipe for potential identity theft.

Research Summary Write-Up: Chris Mannon, Senior Threat Researcher
Additional Research: Deepak Setty, Senior Threat Researcher

How To Rickroll A Browser


Paperghost says: OMG
Paperghost says: OMG
Paperghost says: OMG

You have just sent a Nudge!

Gracie says: what
Paperghost says: TRAILER FOR SUPERMAN 2
Gracie says: im watching shaun of the dead
Gracie says: omg what
Paperghost says: [youtube link]
Gracie says: omg i'll watch it in the break
Paperghost says: omG WATCH IT NOW YOU FOOL BEFORE IT GETS PULLED
Paperghost says: ITS BEEN LEAKED
Paperghost says: OH WOW
Paperghost says: BATMABNS INS
Paperghost says: INI IT
Gracie says: WHAT
Paperghost says: TOO EXCITED TO TYPE PROPERLY
Paperghost says: BATMAN
Paperghost says: IS IN IT
Gracie says: WHAT
Paperghost says: BATMAN IS IN SUPERMAN 2!!!!!!
Paperghost says:[youtube link]
Gracie says: OH YOU LIE
Paperghost says: AHAHAHAHA YOU JUST GOT RICKROLL'D

......and that lame example of a Rickroll is all you need to know about the phenomenon. Or, you know, you could just read this then come back. It's okay, I'll wait for you.

.....we all back yet? Okay. There's currently quite a few sites out there pushing Javascript that will give you the mother of all Rickrolls. Yes, it's a good prank and all that. But one man's prank is another man's Death From Above, and with that in mind, anyone unlucky enough to be sent to one of these links will find (to their horror) that their browser resizes, and starts to dance around the screen to the strains of....well, you've probably guessed it...

http://blog.spywareguide.com/upload/2007/09/rickroll1-thumb.jpg
Click to Enlarge
http://blog.spywareguide.com/upload/2007/09/rickroll2-thumb.jpg
Click to Enlarge
http://blog.spywareguide.com/upload/2007/09/rickroll3-thumb.jpg
Click to Enlarge
http://blog.spywareguide.com/upload/2007/09/rickroll4-thumb.jpg
Click to Enlarge

.....Rick Astley belting out "Never Gonna' Give You Up" as he flies about your desktop in a spinning browser hijack of doom.

But wait, it gets worse. Eventually, the browser stops dancing around the screen (in this case, Firefox, but it works with IE too) and the hapless victim attempts to close the browser before things can get any worse.

Sadly for all concerned, that's precisely when things start to get worse.

http://blog.spywareguide.com/upload/2007/09/rickroll5-thumb.jpg
Click to Enlarge
http://blog.spywareguide.com/upload/2007/09/rickroll7-thumb.jpg
Click to Enlarge
http://blog.spywareguide.com/upload/2007/09/rickroll8-thumb.jpg
Click to Enlarge
http://blog.spywareguide.com/upload/2007/09/rickroll9-thumb.jpg
Click to Enlarge

Yes, anyone attempting to close the browser will find the creator took the time to insert every line of the song into popup Javascript boxes that flow one after the other like some Rick Astley based lyrical apocalypse. At this point, the only way to break free of the cycle (and start a few years of intensive therapy) is to bring up Task Manager and close the browser down. In Internet Explorer, this isn't too much of a problem - but while testing this in Firefox, occasionally it would break the profile and lock it - meaning you had to create another one.

This is sort of annoying.

With that in mind, always be wary if someone promises you a link to "totally amazing things" and double check the URL - if you happen to see:

internetisseriousbusiness.com
w4rc0rpz.net/images/6fj333t.jpg

...as you hover over the link, then head for the hills. You can of course also disable Javascript to stop this from ruining your day.

Now if you'll excuse me, I have to send my friend a link to Ghostbusters 3...

There's an interesting bit of activity taking place on the Skype network lately. In fact, it seems to have been around for a couple of months in various guises, but things really seem to have taken off recently for this particular scam, if the number of complaints on forums and blogs is anything to go by.

Want to take a look?

Sure you do. If you happen to go searching on the Skype userlist, you might happen to come across something similar to this:

http://blog.spywareguide.com/upload/2007/09/secmon0-thumb.jpg
Click to Enlarge

That's an awful lot of people with the same username - if you happen to be using Skype and minding your own business, you might be surprised to find that the following text message is sent to you:

http://blog.spywareguide.com/upload/2007/09/secmon1-thumb.jpg
Click to Enlarge

As you can see, the message reads:

"WINDOWS REQUIRES IMMEDIATE ATTENTION
============================

ATTENTION ! Security Center has detected malware on your computer !

Affected Software:

Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Win98
Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns

Your system IS affected, download the patch from the address below NOW!"

Anyone clicking the link in the screenshot will actually be taken to a "patch" that (mysteriously) neither looks like a patch nor indeed comes for free.

http://blog.spywareguide.com/upload/2007/09/secmon2-thumb.jpg
Click to Enlarge

....oh dear, that doesn't look good...

http://blog.spywareguide.com/upload/2007/09/secmon3-thumb.jpg
Click to Enlarge

That's even worse - because I have three entirely non-existent threats on my PC. However, if I decide to "remove" them....

http://blog.spywareguide.com/upload/2007/09/secmon5-thumb.jpg
Click to Enlarge

....my "patch" suddenly costs $19.95. "Scan & Repair Utilities" is on the Spywarewarrior Rogue Antispyware List. Steer clear of these messages and never download anything sent to you by random contacts, whether on Skype or anything else.

As mentioned on the Official Skype Blog, there is indeed a new worm in the wild - someone, somewhere came up with w32/Ramex.A as a name but I thought "Bubbles" was more appropriate, as you'll see.

Everything starts with a user downloading this file:

http://blog.spywareguide.com/upload/2007/09/skyper1-thumb.jpg
Click to Enlarge

Presented as an image file in the infection message, it's actually an .scr file - and no, that's not good.

skyper2.jpg


This file has been compressed to perfection:

http://blog.spywareguide.com/upload/2007/09/skyper6-thumb.jpg
Click to Enlarge

....yep, that's a 2k infection file. Yet there's a whole lot of trouble in such a small package:

http://blog.spywareguide.com/upload/2007/09/skyper5-thumb.jpg
Click to Enlarge

...as you can see, the Worm tries to fool you into thinking someone really is on the other end by sending you what looks like fragments of a continuing conversation, finishing with a supposedly accidental sending of an image you're "not supposed to see".

Got to love that social engineering.

Here's a sample of some of the infection messages sent by the worm:

http://blog.spywareguide.com/upload/2007/09/skyper3-thumb.jpg
Click to Enlarge


But why did we call it "bubbles"? Easy, this is what you see when you attempt to open the .scr for the first time:

http://blog.spywareguide.com/upload/2007/09/skyper4-thumb.jpg
Click to Enlarge

Apparently, not everyone sees the bubbles when they run this file. I bet they really feel like they're missing out...

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

There seems to be a new MSN Virus doing the rounds, in the (now common) guise of a .zip file which (of course) harbours a malicious executable.

In this case, the .zip file has a handily recognisable name:

tanya2.jpg

Check out what happens to your PC if you run the file:

http://blog.spywareguide.com/upload/2007/09/tanya6-thumb.jpg
Click to Enlarge

The machine is pretty much buried under a 100% CPU load - if you ever wanted to experience Bullet Time, here it is minus the backflips and machine guns. Here's an example of the kind of messages you can expect to be sent from an infected user:

http://blog.spywareguide.com/upload/2007/09/tanya8-thumb.jpg
Click to Enlarge

With regard to spread, it seems to be fairly low at the moment. The handful of infections we've seen so far include a number of forum-goers in Singapore and Japan, and a handful of people asking for help in Italian. The messages sent via the infection file seem to be fairly limited, and include:

"Who is this girl?"

"Do you remember this girl? I can't believe she took this pic..do you know her?"

"Who is this girl? She said she likes you :D"


We detect this (unsurprisingly enough) as TanyaBabe.
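Three of the samples written up above share one trick: the file's name lies about its content. The Bubbles worm body is a .scr (a Windows executable) dressed up as a picture, TanyaBabe arrives as a .zip named like a photo with an executable inside, and the Bubbles keylogger variant writes its plaintext keystroke log to system32 as syswinf32.dll, a "DLL" that has no PE header at all. As an added example that is not part of the original write-ups (and not FSL's own tooling), the following Python script checks a directory for exactly that: it reads the leading bytes of each file and reports any file whose extension disagrees with its magic bytes, and looks inside any zip posing as an image for executable members. The names pdo.exe, syswinf32.dll and tanya2.jpg are taken from the posts; everything else, including the file contents, is constructed stand-in data and is assumed, not observed.

```python
"""Extension-versus-content check for dropped files (added example, not from the original posts)."""
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional

# Magic bytes for the content types the samples on this page involve.
PE_MAGIC = b"MZ"              # Windows executables: .exe, .dll, .scr all start this way
ZIP_MAGIC = b"PK\x03\x04"     # local file header of a zip archive
IMAGE_MAGICS = (b"\xff\xd8\xff", b"\x89PNG", b"GIF8", b"BM")  # JPEG, PNG, GIF, BMP

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def sniff(header: bytes) -> str:
    """Classify a file by its leading bytes rather than by its name."""
    if header.startswith(PE_MAGIC):
        return "pe"
    if header.startswith(ZIP_MAGIC):
        return "zip"
    if header.startswith(IMAGE_MAGICS):
        return "image"
    # Printable ASCII plus tab/CR/LF: a text file such as a keystroke log.
    if header and all(b in (9, 10, 13) or 32 <= b < 127 for b in header):
        return "text"
    return "unknown"


def zip_members_with_executables(path: Path) -> List[str]:
    """Archive members whose own extension is executable (e.g. 'tanya2.jpg.exe')."""
    with zipfile.ZipFile(path) as zf:
        return [n for n in zf.namelist() if Path(n).suffix.lower() in EXECUTABLE_EXTS]


def classify(path: Path) -> Optional[str]:
    """Return a finding when extension and content disagree, otherwise None."""
    with path.open("rb") as fh:
        header = fh.read(64)
    kind = sniff(header)
    ext = path.suffix.lower()
    if ext in EXECUTABLE_EXTS and kind != "pe":
        # e.g. syswinf32.dll that is really a plaintext log hiding behind a DLL name
        return f"{path.name}: executable extension but content is {kind}"
    if ext in IMAGE_EXTS and kind == "pe":
        # e.g. an .scr or .exe renamed so the chat client shows it as a picture
        return f"{path.name}: image extension but content is a PE executable"
    if ext in IMAGE_EXTS and kind == "zip":
        members = zip_members_with_executables(path)
        if members:
            return f"{path.name}: image extension but is a zip containing {members}"
        return f"{path.name}: image extension but content is a zip archive"
    return None


def scan_directory(root) -> List[str]:
    """Walk a directory tree and collect every extension/content mismatch."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            finding = classify(p)
            if finding:
                findings.append(finding)
    return findings


def build_sample_dir() -> str:
    """Constructed samples modelled on the cases above (fake content, not real malware)."""
    root = tempfile.mkdtemp(prefix="dropped_")
    d = Path(root)
    fake_pe = b"MZ" + b"\x00" * 62                                   # only the magic matters here
    (d / "pdo.exe").write_bytes(fake_pe)                             # genuine executable: no finding
    (d / "syswinf32.dll").write_text("[notepad] hello RS PIN: 1234\n")  # text log posing as a DLL
    (d / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 60)  # real picture: no finding
    (d / "bubbles.jpg").write_bytes(fake_pe)                         # executable posing as a picture
    with zipfile.ZipFile(d / "tanya2.jpg", "w") as zf:               # zip posing as a picture
        zf.writestr("tanya2.jpg.exe", fake_pe)
    return root


if __name__ == "__main__":
    for line in scan_directory(build_sample_dir()):
        print(line)
```

Run against a real system32 or %TEMP% the check is noisy on purpose: a .dll that does not start with MZ, or a .jpg that does, is always worth a second look, and a 64-byte read per file is cheap enough to run over the whole directory.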

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Deepak Setty, Senior Threat Researcher
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

Just had a tip off from a contact on Myspace - they were sending a Bulletin to their friends and as soon as they hit the "send" button, they were directed to a System Doctor "scare tactics" page:

http://blog.spywareguide.com/upload/2007/09/myspace_doctor-thumb.jpg
Click to Enlarge

If you see this, ignore the nag screens and click out of the popup loop. It'll take a couple of goes, but you should escape eventually.

http://blog.spywareguide.com/upload/2007/09/skinner1-thumb.jpg
Click to Enlarge

Upon hearing bad reports about a product called "Messenger Skinner", we decided to investigate. The program (whose target audience must strongly favour kids by virtue of the fact that the most entertaining thing it gives you is dancing bananas) has a number of issues that make it something I'd rather not recommend. Note:

"Messenger Skinner is free of any kind of spyware or trojan".

Interesting statement. Let's continue.

skinner3.jpg

...looks innocent enough so far, but things are about to get messy.

http://blog.spywareguide.com/upload/2007/09/skinner5-thumb.jpg
Click to Enlarge

Presented with a "real" installer. That's good.

The text box is stupidly small. That's bad.

The "no" button is pre-checked and you have to physically select yes. That's good.

I don't like the colour scheme. That's bad.

The EULA is certainly comprehensive. That's good.

But that's only because there's apparently two of them.

That's bad.

See, during install, the EULA you see is NOT the EULA you see by clicking "Terms and Conditions" from the program entry on your Start menu. Indeed, once installed, all you really get is a very general ramble about liability, licensing and intellectual property. Right at the end, under "Uninstall", you get the briefest of mentions for this:

"UNINSTALL
This software is completely free as it is subsidized by the Favorit contextual advertising component."

....ooh. In fact, we need to hope that anyone installing the program not only took great note of the EULA during install, but copied and pasted it onto their system to get a better idea of what's likely to be going on in their system.

Namely:

1. USE OF THE SOFTWARE

1.1.MessengerSkinner, a Freeware application, offers a button which allow you to add funny emoticons and other things to MSN Messenger (R) 7.0, 7.5 and Windows Live Messenger (R).

1.2. The Software includes a component which will remain active at all times with the objective of verifying and ensuring the correct functioning of the Software, and offering other advantages ("Component"). When the User is connected to the Internet the Component will make periodic connections to the Provider's servers in order to check that there are no problems in the access network or the User's Computer. If any error which prevents the normal use of the Software is detected in the User's Computer, the Component will seek to identify and solve it. Any changes that the Component makes to the User's Computer will be to clearly non-essential parts thereof and for the purposes referred to in these Conditions. THE USER REQUESTS AND AUTHORIZES THE INSTALLATION AND UPDATING OF THIS COMPONENT TOGETHER WITH THE SOFTWARE IN ACCORDANCE WITH THE TERMS SET OUT IN THESE CONDITIONS. The Component will carry out the tasks described in these Conditions only when the User is connected to the Internet, whether using the Software or the User's regular Internet connection. In any case, the User can easily uninstall the Software or the Component by selecting "Access Connection" and "Component Add-On" respectively in the appropriate section of the operating system control panel. Users should be aware that upon such uninstallation, the advertising messages might be sent during a period of three months after said uninstallation, the benefits provided by the Component will not be available and in certain cases the Software (if retained) or the Provider's services may not function correctly.

Adverts for three months after uninstalling? Nice! As you'll see later, the hoops you need to jump through to uninstall hark back to the "good old days" of Direct Revenue making you download additional software to uninstall the first unwanted program. Tonight we're gonna' party like it's 2004! Yay!

1.4. In order to carry out the operations referred to in the paragraphs above, the Component will send certain data from the User's Computer to, and will receive information and requests for these purposes from, the Provider's servers. The data sent to the Provider's servers by the Component will be limited to technical and connection information such as: operating system user name, name of the computer in the operating system, IP address of the LAN of the computer, country of connection, browser default country, operating system version, operating system or browser service packs installed, ID of the most recent browser update, vertical and horizontal resolution of the monitor screen, IP address of the most recent internet connection, maximum and average response times, percentage losses, name of the last RAS connection and others relevant for the purposes indicated. The User authorizes such exchanges of information with the Provider's servers in accordance with these Conditions. At no time will any information regarding Internet sites visited or other activities of the User be sent to the Provider's servers; this information will be processed within the User's Computer in order to anonymously select advertising or other messages to be shown to the User. In no case will the Provider be able to identify the User nor will any profile of the User be created.

...."limited to"? What else is there left to grab, shoe size?

For the sake of this:

http://blog.spywareguide.com/upload/2007/09/skinner12-thumb.jpg
Click to Enlarge

....I'm starting to feel pretty uncomfortable about installing this program. Oh, note that I had to blank a few smileys out because they were, er, sort of rude. Enjoy, kids!

Anyway, now we come to the meaty part. If you installed this program and happened to run, oh, I don't know....a bunch of Rootkit Scanners...you'd probably see something a little like this:

http://blog.spywareguide.com/upload/2007/09/skinnerend-thumb.jpg
Click to Enlarge

.....and, from another testbox, something like this:

skinner14.jpg


skinner15.jpg

....hidden, randomly named executables? Oh, awesome. That's just what the world needs more of. I guess that's why Symantec say the following on this writeup, then:

"# Hides the following files by using rootkit technology:

* %System%\[RANDOM].exe
* %System%\[RANDOM].dat"

......to coin a phrase, whoops.

At this point, I bet you're dying to see the program in action, right? Exactly how does Messenger Skinner operate in the context of the MSN Chat system? Well, the answer is faintly interesting:

http://blog.spywareguide.com/upload/2007/09/skinner11-thumb.jpg
Click to Enlarge

.....check it out, it almost totally hides the adverts served up by MSN! I wonder if they'd be happy knowing this product did that? I guess we'd better move onto the uninstaller that time forgot. In the rather general "terms and conditions" available from accessing the program via the Start menu, right at the bottom, is this:

"UNINSTALL
This software is completely free as it is subsidized by the Favorit contextual advertising component.

The end user can uninstall our component by filling the following form:
http://www.pc-on-internet.com/uninstall
"

.....oh dear. I'm sort of surprised anyone still releases applications like this - especially as it all smacks of hoop jumping and a faint impression that they don't actually want you to uninstall any of these things. For a perfect example of what I mean, check out this writeup from 2005 where I battled with the uninstaller for Direct Revenue's Aurora.

Let's all pause while you read that and say a few brief words for Aurora.

What's that? Nobody got anything good to say about it? Nah, didn't think so. Anyway....let's go over how I think uninstalling a program should go.

1) Decide to uninstall.
2) Run uninstaller.
3) The end.

Now let's see how it goes down in Messenger Skinner Land, or as I like to call it, "Hoop Jump City Central" (like Nutbush City Limits, but with a better beat).

The Main Uninstall Page:

http://blog.spywareguide.com/upload/2007/09/skinner7-thumb.jpg
Click to Enlarge

The Terms and Conditions Page:

http://blog.spywareguide.com/upload/2007/09/skinner8-thumb.jpg
Click to Enlarge

The Privacy Policy Page:

http://blog.spywareguide.com/upload/2007/09/skinner9-thumb.jpg
Click to Enlarge

....WHAAAAAAAAAAAAAAA?

That's right, to uninstall the program, they insist that you open up THREE DIFFERENT PAGES and read through endless reams of text - just to uninstall something!

Not only that, but then you have to hand over your Email address to contact them, tell them why you don't want it on your system anymore and (finally) "wait for someone to look into it" and then, finally, presumably, hopefully, send you the link to the uninstaller.

http://blog.spywareguide.com/upload/2007/09/skinner17-thumb.jpg
Click to Enlarge

But wait, it gets BETTER. Can you believe it? Look what awaits you in the mailbox:

skinner18.jpg

Absolutely incredible. You're stuck with a 24 hour limit to obtain the uninstall program. If your Internet connection breaks, or you weren't planning on sitting in front of your PC all day waiting for their all important Email - too bad! Furthermore, they have such iron clad faith in their uninstaller program that if you run it more than three times, you see this:

http://blog.spywareguide.com/upload/2007/09/promo_expired-thumb.JPG
Click to Enlarge

Even better, both Panda and Prevx flag the uninstaller as suspicious:

skinner19.jpg

And even better than that, there are some people out there complaining that the uninstaller doesn't actually seem to be very good at, er, uninstalling things.

Ladies and Gentlemen, I give you the epitome of "complete disaster". Without a doubt, this is one of the worst uninstall routines I've seen in years, and you can put that on a wall and frame it.

Finally, there are a bunch of domains on the server hosting Messenger Skinner that are related to the parent company. Of particular interest is one called crazygirls-world.com (registered to the same guy as Messenger Skinner), which leads you to....

http://blog.spywareguide.com/upload/2007/09/skinner20-thumb.jpg
Click to Enlarge

.....Dialer related porn on a site called "gad-network.com". Of course, it's no surprise that we see Gad-Network leads us back to the Favorit Network site.

.....wait, didn't I get a really amazing uninstaller from there once?

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

Time To Go

http://blog.spywareguide.com/upload/2007/09/bye_to_sing-thumb.jpg
Click to Enlarge

Well, it's never good when you have to hang around in the airport for four hours until your plane can leave, but free Internet access in the terminal and the genius that is Changi Airport sorted that out.

Why genius?

Well, you know all the messing about you have at airports - the check in, the passport waving and (worst of all) the ENDLESS DELAYS caused by funneling the entire airport through those stupid X-Ray scanners and pat-me-downs and all the rest of it?

Not here.

You go to the "leave here" bit, show your passport and you are INSTANTLY in duty free.

But wait, I hear you cry, how can you be in duty free without the security checks? Surely you could just take any old thing onto the planes, security hazard etc etc.

Well, no. See, if you want to buy something and take it on the plane (like a bottle or whatever), you simply ask at the counter and they put it in special "airport approved" bags.

So, where are the security checks?

Oh, easy. You just hang around wherever you like until an hour before your flight leaves, and then go to the glass-encased departure lounge for your flight. They have the pat-down, the X-Ray machine and the security scanner inside your departure lounge, so you only go through the checks with the other people from your flight INSTEAD of the entire airport.

Which is, you know, genius.

I love this place.

Anyway, enough from me. You can see (most) of my photographs from the Singapore trip here. For the purposes of this blog entry, I'm now going to pretend I'm just getting on the plane instead of having already been home for something like a week and a half. Decompression, you gotta' love it.

Food Ahoy

http://blog.spywareguide.com/upload/2007/09/fplace1-thumb.jpg
Click to Enlarge

Not that I have any particular obsession for food, but, you know.....food is awesome.

http://blog.spywareguide.com/upload/2007/09/fplace2-thumb.jpg
Click to Enlarge

....nope, I have absolutely no idea what I'm doing. Uh.....something in a bowl, please.

http://blog.spywareguide.com/upload/2007/09/fplace3-thumb.jpg
Click to Enlarge


http://blog.spywareguide.com/upload/2007/09/fplace4-thumb.jpg

Click to Enlarge


http://blog.spywareguide.com/upload/2007/09/fplace6-thumb.jpg

Click to Enlarge

...wait, didn't I order noodles? I'm pretty sure they're not noo - uh - never mind.

http://blog.spywareguide.com/upload/2007/09/fplace5-thumb.jpg
Click to Enlarge

...best strips-of-pork-in-a-broth-of-something-or-other I ever had.

Singapore: Time To Talk

http://blog.spywareguide.com/upload/2007/08/singpre1-thumb.jpg
Click to Enlarge

See that building in the middle? No, not that one, the other one. Yeah, there you go. That's Copthorne Kings, where we'd be doing our talky-conference thing for a whole bunch of people. Unfortunately on the morning of the presentation I was dropped off on the other side of a particularly nasty dual carriageway at the wrong hotel. Much Run Lola Run style hilarity ensued as I had to seek out an overpass and leg it to the right hotel with minutes to go.

Eventually I ran into the right lobby to be greeted by this:

http://blog.spywareguide.com/upload/2007/08/singpre2-thumb.jpg
Click to Enlarge

....which was a bit more promising than the entirely blank stares handed to me by the dudes in the wrong hotel. (You'll notice that, rushed as I was, I still had time to take a picture. That's because there is always time to take a picture). A quick dive into the elevator and....

http://blog.spywareguide.com/upload/2007/08/sing8-thumb.jpg
Click to Enlarge

...I'm making my excuses and entering, which is odd because it's usually the other way round. Oh well. Before I knew it, the organiser had dispensed with his incredibly brief introduction and it was on with the show.

http://blog.spywareguide.com/upload/2007/08/sing1-thumb.jpg
Click to Enlarge

There were a number of talks on the day, the majority of which focused on presenting the audience with various kinds of solutions for the enterprise environment. Honestly, it wasn't as dry as it sounds and this guy in particular:

http://blog.spywareguide.com/upload/2007/08/sing9-thumb.jpg
Click to Enlarge

...was incredibly funny and entertaining. I thought people might take this side of things a little too seriously based on previous experiences of more "corporate" events but it was quite loose and relaxed. Always a good thing, if you ask me. And I know you are.

http://blog.spywareguide.com/upload/2007/08/sing21-thumb.jpg
Click to Enlarge

The majority of my talk focused on the methods used to hunt down YoGangsta50 and "chase him offline". We also looked at a variety of hacks, cracks and exploits from around the World. In some of the other talks, the focus seemed to be on Phishing which is really taking off here in a big way - sadly I couldn't get hold of any other presentation slides, but there were some really clever examples.

Of course, the talks here focused on enterprise and business use. My feeling is that, for regular users, it's business as usual as far as having to avoid the nasty stuff goes. Here's a perfect example, right?

Anyway, the conference finally came to a close and the general opinion was that it was a worthwhile event. I had a great time and would like to thank everyone involved in making the whole thing happen, and making sure I didn't get lost and fall in a river or something.

Till next time, Singapore...

Sometimes, it's impossible to know where an investigation will take you. And though your initial focus might change somewhat, every now and again the focus will change so dramatically that what you end up with is nothing like what you were expecting.

This is one of those occasions.

A few days back, someone posted a link on the Spywarewarrior.com forum, asking if it was a "list of hijacked Emails". It definitely looked suspicious, so with that, off I went to have a look around.

http://blog.spywareguide.com/upload/2007/09/spbl6-thumb.jpg
Click to Enlarge

....okay, hundreds of Email addresses with names and no other information provided. Not a lot to go on. However, a quick Directory jump back and....

http://blog.spywareguide.com/upload/2007/09/spbl1-thumb.jpg
Click to Enlarge

Eight sets of files containing thousands upon thousands of Email Addresses.

Not just Email addresses, either. Depending on the document opened, you might find yourself looking at a collection of Email addresses, full names, postal addresses, IP addresses and the time / date they submitted their form / mail to whatever website they happened to be on at the time (yes, the websites were listed too). Though we've blanked a lot out, the following screenshot will still give you an idea of how much data is up for grabs (note the scrollbar at the side of the screen is only halfway through this particular page):

http://blog.spywareguide.com/upload/2007/09/spbl8-thumb.jpg
Click to Enlarge

...ouch?

The majority of the websites listed are down, but you can probably guess the content - possible prizes in exchange for your Mail Address (and possibly other information) being used in opt-in databases for "promotional purposes", anyone? Yeah, I'd think that was a good bet. There's nothing wrong with genuine opt-in....but something has gone seriously wrong here, and the potential for things to get out of hand very quickly will soon be seen.

Googling one of the domains flagged up an interesting thread on a popular Adult Webmaster forum, gfy.com:

http://blog.spywareguide.com/upload/2007/09/spbl115-thumb.jpg
Click to Enlarge

Quote time:

"What I am offering is 150-200k Daily Emails - 4-6 Mil Unique Monthly Emails
Full Data Included. name,email,address,ip,time,date,source etc

Price is 2.5k Monthly and we also accept Weekly payments as well"

Now, at this point, everything is likely to be legit; everyone has opted in; the data is only going to be sold to "a maximum of three people".

The problem is, once you submit your details to anything online, it doesn't take long for that information to wind up in all sorts of strange places you couldn't possibly have imagined (the seller probably didn't see this coming, either). Over the course of a year or two....wow. As proof of this "wow", check out the below shot taken from another directory of the website we were looking at earlier:

http://blog.spywareguide.com/upload/2007/09/spbl114-thumb.jpg

....."hacked pages"? "IP Scan"? "IE Exploit"? I'd hate to be the Master of the Obvious and claim my Spidey Sense is tingling, but let's have a look at some of the items in the folders. Kicking things off with "Hacked pages", we immediately discover some cool and funky things about our targets:

http://blog.spywareguide.com/upload/2007/09/spbl4-thumb.jpg

Ah! Viva la Group Louz O MNIN Ndouz Room Pal! (Or was it "Le"? I never was fantastic with French). I guess at this point you'll be wanting to see an example of their handiwork, right? Oh, okay then. Here's a hacked page of theirs from sometime around July:

http://blog.spywareguide.com/upload/2007/09/spbl111-thumb.jpg

....yeah, that's not the most dazzling hacked page ever, is it? Kids just don't put the effort in these days. However, things are about to get a little more interesting (because one solitary page hacked does not a leet hax0r make). Let's take a look at the "IE Exploiter", because this is the unexpected gold that sends this entire investigation somewhere else entirely:

spbl10.jpg

spbl11.jpg

Running the tool creates a page of HTML and deposits it on your desktop. That HTML mentions a file called "Bl4ck". Haven't I seen that somewhere before?

Yep, right here in August 2006.

http://blog.spywareguide.com/upload/2007/09/bl4ck2-thumb.jpg

Put simply, you run the tool, generate your HTML and edit it (and your EXE as appropriate, or stick with the "Bl4ck" file, and keep the optional .WAV file too!); the core of this attack appears to be this exploit. For those interested, the default hacked page will look like this:

http://blog.spywareguide.com/upload/2007/09/spbl24-thumb.jpg

...plain, but it gets the job done I suppose. Because you can use whatever EXE you want with this thing, there's plenty of potential for Internet badness. Here's a forum post complaining of the same exploit in October 2006 - it seems the file in that instance tries to send Spam mail. Now we can see why the guy with the Email lists would want to keep hold of a tool like that. Here's another example of a banking trojan being dropped in the same way.

But wait, we're not done yet. I recognise some of those usernames listed on the IE Exploiter tool. A few of them tied in directly with the investigations into the Q8 Army hacks from 2005/06: IM rootkits, fake BitTorrent clients and Mr Bean videos being pushed via the BitTorrent installs (no, we never found out what the deal was with Mr Bean).

Focus on Sniper_SA, mentioned in the "Greetz" section of the program. He's responsible for the hack above featuring The Terminator (in that case, pushing the default "Bl4ck" file) and a lot more website hacks besides. Check these out:

http://blog.spywareguide.com/upload/2007/09/sahax1-thumb.jpg
http://blog.spywareguide.com/upload/2007/09/sahax2-thumb.jpg
http://blog.spywareguide.com/upload/2007/09/sahax3-thumb.jpg

A lot of digging around later, and I finally stumble across this website (note the fake MSN Chatbox window in the bottom left hand corner - top tip, never click these):

http://blog.spywareguide.com/upload/2007/09/sahax4-thumb.jpg

From there, it's only a quick jump over to Sniper's forum:

http://blog.spywareguide.com/upload/2007/09/sahax5-thumb.jpg

On the main page, there's a huge list of members - many of whom are either well known for their hacking exploits or (again) had their usernames come up repeatedly during the Q8 Army investigation. Here's a small selection:

http://blog.spywareguide.com/upload/2007/09/sahax9-thumb.jpg

....that's a pretty big collection of leet hax0rs. After wading through those for a while, I eventually came across someone on a number of forums who would post up hacks, cracks, virus writing techniques and more besides, with the majority of the posts giving the Email address of the IE Exploiter tool creator in his examples. It's a fairly safe bet they're one and the same person, but what really broke my brain was his avatar:

http://blog.spywareguide.com/upload/2007/09/sahax10-thumb.jpg

....Please, tell me you see it too.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Threat Researcher

About this Archive

This page is an archive of entries from September 2007 listed from newest to oldest.
