Compromised Emails Lead To IE Exploiter Tool

Sometimes, it's impossible to know where an investigation will take you. And though your initial focus might change somewhat, every now and again the focus will change so dramatically that what you end up with is nothing like what you were expecting.

This is one of those occasions.

A few days back, someone posted a link on the Spywarewarrior.com forum, asking if it was a "list of hijacked Emails". It definitely looked suspicious, so with that, off I went to have a look around.

[Screenshot: http://blog.spywareguide.com/upload/2007/09/spbl6-thumb.jpg]

....okay, hundreds of email addresses with names and no other information provided. Not a lot to go on. However, a quick jump back up the directory tree and....

[Screenshot: http://blog.spywareguide.com/upload/2007/09/spbl1-thumb.jpg]

Eight sets of files containing thousands upon thousands of email addresses.

Not just email addresses, either. Depending on the document opened, you might find yourself looking at a collection of email addresses, full names, postal addresses, IP addresses and the time / date each person submitted their form / mail to whatever website they happened to be on at the time (yes, the websites were listed too). Though we've blanked a lot out, the following screenshot will still give you an idea of how much data is up for grabs (note the scrollbar at the side of the screen is only halfway through this particular page):

[Screenshot: http://blog.spywareguide.com/upload/2007/09/spbl8-thumb.jpg]

...ouch?

The majority of the websites listed are down, but you can probably guess the content - possible prizes in exchange for your mail address (and possibly other information) being used in opt-in databases for "promotional purposes", anyone? Yeah, I'd think that was a good bet. There's nothing wrong with genuine opt-in....but something has gone seriously wrong here, and we'll soon see how quickly things can get out of hand.

Googling one of the domains flagged up an interesting thread on a popular Adult Webmaster forum, gfy.com:

[Screenshot: http://blog.spywareguide.com/upload/2007/09/spbl115-thumb.jpg]

Quote time:

"What I am offering is 150-200k Daily Emails - 4-6 Mil Unique Monthly Emails
Full Data Included. name,email,address,ip,time,date,source etc

Price is 2.5k Monthly and we also accept Weekly payments as well"

Now, at this point, everything is likely to be legit; everyone has opted in; the data is only going to be sold to "a maximum of three people".

The problem is, once you submit your details to anything online, it doesn't take long for that information to wind up in all sorts of strange places you couldn't possibly have imagined (the seller probably didn't see this coming, either). Over the course of a year or two....wow. As proof of this "wow", check out the below shot taken from another directory of the website we were looking at earlier:

[Screenshot: http://blog.spywareguide.com/upload/2007/09/spbl114-thumb.jpg]

....."hacked pages"? "IP Scan"? "IE Exploit"? I'd hate to be the Master of the Obvious and claim my Spidey Sense is tingling, but let's have a look at some of the items in the folders. Kicking things off with "Hacked pages", we immediately discover some cool and funky things about our targets:

[Screenshot: http://blog.spywareguide.com/upload/2007/09/spbl4-thumb.jpg]

Ah! Viva la Group Louz O MNIN Ndouz Room Pal! (Or was it "Le"? I never was fantastic with French). I guess at this point you'll be wanting to see an example of their handiwork, right? Oh, okay then. Here's a hacked page of theirs from sometime around July:

[Screenshot: http://blog.spywareguide.com/upload/2007/09/spbl111-thumb.jpg]

....yeah, that's not the most dazzling hacked page ever, is it? Kids just don't put the effort in these days. However, things are about to get a little more interesting (because one solitary page hacked does not a leet hax0r make). Let's take a look at the "IE Exploiter", because this is the unexpected gold that sends this entire investigation somewhere else entirely:

[Screenshot: spbl10.jpg]

[Screenshot: spbl11.jpg]

Running the tool creates a page of HTML and deposits it on your desktop. That HTML mentions a file called "Bl4ck". Haven't I seen that somewhere before?

Yep, right here in August 2006.

[Screenshot: http://blog.spywareguide.com/upload/2007/09/bl4ck2-thumb.jpg]

Put simply, you run the tool, generate your HTML and edit it (and your EXE as appropriate, or stick with the "Bl4ck" file and keep the optional .WAV file too!) - the core of this attack appears to be this exploit. For those interested, the default hacked page will look like this:

[Screenshot: http://blog.spywareguide.com/upload/2007/09/spbl24-thumb.jpg]

...plain, but it gets the job done I suppose. Because you can use whatever EXE you want with this thing, there's plenty of potential for Internet badness. Here's a forum post complaining of the same exploit in October 2006 - it seems the file in that instance tried to send spam mail. Now we can see why the guy with the email lists would want to keep hold of a tool like that. Here's another example of a banking trojan being dropped in the same way.

But wait, we're not done yet. I recognise some of those usernames listed on the IE Exploiter tool. A few of them tied in directly with the investigations into the Q8 Army hacks from 2005/06. IM Rootkits, fake BitTorrent clients and Mr Bean videos being pushed via the BitTorrent installs (no, we never found out what the deal was with Mr Bean).

Focus on Sniper_SA, mentioned in the "Greetz" section of the program. He's responsible for the hack above featuring The Terminator (in that case, pushing the default "Bl4ck" file) but a lot more website hacks besides. Check these out:

[Screenshot: http://blog.spywareguide.com/upload/2007/09/sahax1-thumb.jpg]
[Screenshot: http://blog.spywareguide.com/upload/2007/09/sahax2-thumb.jpg]
[Screenshot: http://blog.spywareguide.com/upload/2007/09/sahax3-thumb.jpg]

A lot of digging around later, and I finally stumble across this website (note the fake MSN Chatbox window in the bottom left hand corner - top tip, never click these):

[Screenshot: http://blog.spywareguide.com/upload/2007/09/sahax4-thumb.jpg]

From there, it's only a quick jump over to Sniper's forum:

[Screenshot: http://blog.spywareguide.com/upload/2007/09/sahax5-thumb.jpg]

On the main page, there's a huge list of members - many of whom are either well known for their hacking exploits or (again) had their usernames come up repeatedly during the Q8 Army investigation. Here's a small selection:

[Screenshot: http://blog.spywareguide.com/upload/2007/09/sahax9-thumb.jpg]

....that's a pretty big collection of leet hax0rs. After wading through those for a while, I eventually came across someone posting on a number of forums who would post up hacks, cracks, virus writing techniques and more besides....with most of those posts giving the email address of the IE Exploiter tool creator in his examples. It's a fairly safe bet they're one and the same person, but what really broke my brain was his avatar:

[Screenshot: http://blog.spywareguide.com/upload/2007/09/sahax10-thumb.jpg]

....Please, tell me you see it too.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Threat Researcher