November 2007 Archives

NextDoor Worm Spreads across MSN


There is a lot of talk out there in the Ether about worms that spread through MSN clients and add unsuspecting users to a botnet. These kinds of attacks are among the most dangerous and pose a very real security threat; it doesn't take much imagination to see that the operators will use those botnets to DDoS whoever they please. There are dozens of these worms floating around, however. FSL recently uncovered one we dub NextDoor. Like the other worms of its kind, once it is on the infected PC it will attempt to message every contact in the victim's list in order to infect more users. The difference between these worms is what they do to the victim once the machine is infected. Some will simply show advertisements or a wide variety of porn; others log the victim's keystrokes in order to harvest very sensitive information like passwords or credit card numbers. NextDoor installs a dialer (called Carlson Dialer) onto the victim's PC to make long distance calls.

First you will see a suspicious looking message with a .zip attachment.

http://blog.spywareguide.com/upload/2007/11/chat-thumb.PNG
Party_jpg.zip contains www.Party_jpg_Msn.com.

Of course your involvement after this step isn't necessary. From here the worm commences with its attack.

http://blog.spywareguide.com/upload/2007/11/IRC-thumb.PNG
NextDoor creates a connection to an IRC channel and begins to pull down infected files using FTP.

Now we see what has been installed onto the victim's machine.

http://blog.spywareguide.com/upload/2007/11/cdrive-thumb.PNG
The file with the ominous looking icon is the dialer that is installed by this worm.

http://blog.spywareguide.com/upload/2007/11/windows-thumb.PNG
The actual MSN worm is stored in the Windows Directory.

http://blog.spywareguide.com/upload/2007/11/sys32-thumb.PNG
These 2 files are involved in setting up an FTP connection with the attacker.

Now that your computer is entirely infected, Carlson Dialer begins its main function.

http://blog.spywareguide.com/upload/2007/11/call-thumb.PNG
It geographically finds the victim's IP address and associates it with a country code.

This is what it would look like in a regular browser...

http://blog.spywareguide.com/upload/2007/11/dialer-thumb.PNG

To get an idea of how recently this worm was updated...

http://blog.spywareguide.com/upload/2007/11/end-thumb.PNG
The infection that FSL came across first has been around since Nov. 26, 2007.

Those aren't normal .jpgs either. Those are dialers that use the JPG vulnerability.
http://blog.spywareguide.com/upload/2007/11/picture-thumb.PNG
Each .jpg file on the attacker's site uses the JPG vulnerability.

Facetime currently protects against this threat as well as the dialers it installs.

Hotmail / EBay Follow Up


Earlier today I posted this regarding compromised EBay / Hotmail accounts. Well, check this out:

http://blog.spywareguide.com/upload/2007/11/listingebay2-thumb.jpg

.....guess this confirms the intentions behind all these hijacks.

If you happened to login to Hotmail recently, found yourself locked out and presented with this at the Password Reset screen:

http://blog.spywareguide.com/upload/2007/11/htmail1-thumb.jpg

...yes, your secret question is now in Chinese...then don't panic, because you're not alone. There seems to be a little outbreak of Hotmail accounts being compromised (likely via Phishing, though we have no evidence of the method used yet), and then from there, EBay accounts are hijacked. Most likely, this is to use those EBay accounts to sell dubious merchandise (or, more likely, pretend to sell merchandise then run away with the profit, leaving you with bad feedback galore).

Here's someone back in October complaining about it, and you'll see a few others at the end of the comments section here with the same problem. In all cases, you should go here to get help reclaiming your Hotmail account and go here to chat with EBay Live Support.

There's been quite a bit in the news recently about Habbo Hotel, and while there are some interesting tools out there designed to swipe login details, I find....

habscam1.jpg

....that, despite all the warnings....

habscam2.jpg

.....quite often, the easiest way to cheat people out of their login details....

habbostoled2.jpg

....is to ask for them.

I'd like to tell you the rest of that page didn't consist of people hurling their login details at the original poster.

Sadly, I'd be lying.

You probably saw some of the coverage of the recent hijacking of musician pages on Myspace. What you probably didn't see was evidence of the end-users who were unfortunate enough to have their systems taken over as a result of the hacked band pages. Certainly, a few reports claimed that something like "40,000" people were infected as a result of viewing the Alicia Keys Myspace page at the time that it was hacked. The only problem is, nobody seemed to be able to produce one of these individuals. While I don't believe that many users became infected purely from the Alicia Keys page, it's obvious that there would be people out there with a story to tell.

Well a few days ago, one of the end-users who clicked the overlay on a hijacked page (which would redirect you to malware and fake codecs) got in touch, and agreed to let me use the following extract to serve as a warning to anyone clicking on a Myspace page. Obviously, names / personally identifiable information has been removed.....

"To Chris Boyd:

I believe I was a victim of the recent software attacks on MySpace. I have read that you first blogged about it, but haven't heard of any solutions as to what can be done for online visitors who have visited the site, and whose computers have been compromised. I had ********** Cable install high-speed internet, and got online the same day. I did get on the Alicia Keys website, along with other websites, and the following day, my computer is showing me a red screen telling me that my "privacy is in danger." A pop-up window appears from time to time. It says...WINDOWS SECURITY ALERT...Someone is trying to hack into your system....download such and such now, etc. Downloading more stuff is actually something that I don't want to do.

I have contacted the company, and all they told me was to go to a computer technician and clean my software. I should mention that I had McAfee and Norton Antivirus, but both expired in May 2007. I had dial-up before and never had this problem, even with the virus protection programs expired. I guess the only solution now is to get my computer cleaned up, and buy a software that will protect me from future problems. Hope Best Buy has the right stuff! Since it's high-speed, does that mean we're open to hackers? Do you know how online visitors can be compensated for the recent attacks on the website?"

Well, for what it's worth, you'd have had the same problem if you'd visited the page and been hijacked regardless of whether you were on Dial Up or high speed broadband. As to whether or not you're "open to hackers", it depends what was installed during the hijack. Though there were some reports of Rootkits flying around the press when this story was in the news, all we saw installed was the fake Codec (which is usually responsible for downloading and installing the rogue antispyware cleaner currently giving you all those "alerts"). However, the payload was known to change from time to time, so without seeing the individual PC it's hard to say. The good news is, most reputable security cleaning tools remove many, many variants of these fake Codecs, and also the rogue antispyware tools they push onto hijacked PCs. The method used to hijack the computers in this attack was much more interesting and up to date than the actual malware being foisted onto the target PC, which (when compared to some of the hijacks out there) was fairly middle-of-the-road and not a huge threat.

As for being "compensated", sadly I don't think you'll get very far. Your best bet is to keep your security tools updated, try running in Limited User Mode if you're just doing general web browsing and keep Windows patched as much as possible.

Meanwhile, hacked pages are still out there and still redirect to the hijack sites at the heart of this attack, so anybody visiting a music page on Myspace needs to ensure everything they click on is legitimate. On a related note, I'd love to hear from anyone else out there that's been hijacked by the above scam...

Bandjammer Trojan installs Multiple Rogue Applications


...and that's probably an understatement. Many of you are familiar with the BandJammer Trojan that has been making its way around the media. For those who have not been following the story: here you go.

If you are one of the unlucky fans of Jetking who accidentally clicked the hijacked link to the Trojan, then you are probably having one heck of a time trying to get your PC back to normal. The BandJammer Trojan first connects to a couple of Chinese sites in order to download a file called install_cn.exe. It then installs an older version of Smitfraud from the command line.

http://blog.spywareguide.com/upload/2007/11/cmd-thumb.PNG
The first file runs a second one that installs a dated version of Smitfraud.

Users can easily recognise this version of Smitfraud from the following entries:

MSVPS System - {93205C3F-1221-43F4-847F-007C6A4CE9A5} - C:\WINDOWS\advrepgpd.dll
The sdrmod - {BA79EE59-166F-4E9E-90A6-56489C45B48A} - C:\WINDOWS\sdrmod.dll

The files below are also added as ShellServiceObjectDelayLoad (these files automatically start with other services):
hupsrv - {33AEF198-6E36-4C80-9DB2-7EE99DB25122} - C:\WINDOWS\hupsrv.dll
bindmod - {3C82EBC1-C4BA-44EE-B21E-ACC91F46D2E8} - C:\WINDOWS\bindmod.dll
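As an added example (not code from the original post), a PowerShell triage script that enumerates the ShellServiceObjectDelayLoad key and the Browser Helper Objects key (my assumption of where the first two entries live; the post does not say), resolves each CLSID to the DLL it loads, and flags the four CLSIDs listed above or any DLL that loads from outside System32:

```powershell
# Added example, not code from the original post. Enumerates two COM autostart
# locations, resolves each CLSID via InprocServer32, and flags the CLSIDs the
# post lists plus anything loading from outside %SystemRoot%\system32.
$knownBad = @{
    '{93205C3F-1221-43F4-847F-007C6A4CE9A5}' = 'MSVPS System / advrepgpd.dll'
    '{BA79EE59-166F-4E9E-90A6-56489C45B48A}' = 'sdrmod / sdrmod.dll'
    '{33AEF198-6E36-4C80-9DB2-7EE99DB25122}' = 'hupsrv / hupsrv.dll'
    '{3C82EBC1-C4BA-44EE-B21E-ACC91F46D2E8}' = 'bindmod / bindmod.dll'
}
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
# Assumption: the first two entries in the post are Browser Helper Objects.
$bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Resolve-ClsidDll([string]$Clsid) {
    # The default value of InprocServer32 is the DLL COM loads for this CLSID.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
}

function Get-AutostartComEntries {
    $entries = @()
    $props = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
            $entries += [pscustomobject]@{ Source = 'SSODL'; Name = $p.Name; Clsid = $p.Value }
        }
    }
    foreach ($k in (Get-ChildItem -Path $bho -ErrorAction SilentlyContinue)) {
        $entries += [pscustomobject]@{ Source = 'BHO'; Name = $k.PSChildName; Clsid = $k.PSChildName }
    }
    return $entries
}

$system32 = Join-Path $env:SystemRoot 'system32'
foreach ($e in Get-AutostartComEntries) {
    $dll = Resolve-ClsidDll $e.Clsid
    $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '<no InprocServer32>' }
    $flag = if ($knownBad.ContainsKey($e.Clsid)) { "KNOWN: $($knownBad[$e.Clsid])" }
            elseif ($path -notlike "$system32\*") { 'REVIEW: loads from outside system32' }
            else { 'ok' }
    '{0,-5} {1,-20} {2} {3} [{4}]' -f $e.Source, $e.Name, $e.Clsid, $path, $flag
}
```

Legitimate BHOs often live under Program Files, so the "REVIEW" flag is a prompt for a manual look, not a verdict; only the "KNOWN" flag matches the indicators above.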

What is the purpose of this? Well why type when I can just show a screenshot.

http://blog.spywareguide.com/upload/2007/11/lol-thumb.PNG
This confused looking website shows us all the fabulous new Rogue Antispyware applications we are about to be bombarded with.

Here are just a few of the fake alerts users will see:

http://blog.spywareguide.com/upload/2007/11/contentsurf-thumb.PNG
ConfidentSurf!

http://blog.spywareguide.com/upload/2007/11/alert-thumb.PNG
http://blog.spywareguide.com/upload/2007/11/adwareremover-thumb.PNG
http://blog.spywareguide.com/upload/2007/11/REBOOT%20now-thumb.PNG
AdwareRemover2007!

http://blog.spywareguide.com/upload/2007/11/advancedcleaner-thumb.PNG
Advancedcleaner!

Do not bother trying to close any of these. In most cases these blatant fake alerts take you to the vendor's site for you to install or buy the application; otherwise they simply create ads that cannot be closed and force the install on you.

These kinds of attacks are becoming more and more frequent. Take the article that Paperghost wrote involving Skype worm spammers for example. Rogue antispyware applications are everywhere now and they show no sign of trending down. Your best defense against these attacks is to simply mind your clicks.

Microsoft Roundup


Some interesting bits of news just appeared on the radar. Apparently they aren't too happy with their virus detection, and a Microsoft Exec seems somewhat surprised that an XP machine could be hacked with ease when not running AV / Antispyware software or a Firewall.

Who knew?

About this Archive

This page is an archive of entries from November 2007 listed from newest to oldest.