SpywareGuide powered by FaceTime Security Labs

NextDoor Worm Spreads across MSN

There is a lot of talk out there about worms that spread through MSN Messenger clients and add unsuspecting users to a botnet. These attacks are among the most dangerous and pose a very real security threat: it takes little imagination to see the operators turning those bots against targets of their choosing in a DDoS attack. There are dozens of such worms in circulation. FSL recently uncovered one we dub NextDoor. Like the other worms of its kind, once it is on the infected PC it sends itself to every contact in the victim's MSN list in order to infect more users. What distinguishes these worms from one another is what they do to the victim after infection. Some simply show advertisements or a wide variety of porn; others log the victim's keystrokes to harvest very sensitive information such as passwords or credit card numbers. NextDoor installs a dialer (called Carlson Dialer) onto the victim's PC to make long distance calls.

First you will see a suspicious-looking message with a .zip attachment.

http://blog.spywareguide.com/upload/2007/11/chat-thumb.PNG
Party_jpg.zip contains www.Party_jpg_Msn.com. Despite the "jpg" in the name, the .com extension makes this a Windows executable, not an image; the name is built to pass as a picture (or a web address) at a glance.
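The attachment trick above, an executable extension hidden behind an image-like name, is easy to screen for before a user ever opens the archive. The following is an added example, not code from the original post or from FaceTime; it inspects the member names of a zip archive for executable extensions dressed up as images or URLs. The archive it scans is constructed inline to mirror the lure described here; the member payload bytes are placeholders, not the real sample.

```python
import io
import re
import zipfile

# Extensions Windows will execute on double-click, whatever the rest of the
# name looks like. NextDoor's lure used .com.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}

# Image/document tokens a lure embeds in the name to look harmless
# (e.g. "Party_jpg_Msn.com" reads as a JPEG at a glance).
LURE_TOKENS = re.compile(r"(?:[._-]|^)(jpg|jpeg|gif|png|bmp|doc|pdf)(?=[._-])", re.IGNORECASE)


def suspicious_members(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member whose name is an executable
    disguised as an image or document. Works on raw archive bytes so it can
    sit in front of an IM or e-mail attachment gateway without writing to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]  # drop any directory part
            lower = name.lower()
            ext = lower[lower.rfind("."):] if "." in lower else ""
            if ext not in EXECUTABLE_EXTENSIONS:
                continue
            reasons = ["executable extension " + ext]
            if LURE_TOKENS.search(lower):
                reasons.append("image/document token in name")
            if lower.startswith("www."):
                reasons.append("name mimics a URL")
            findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed test archive in memory (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed archive mimicking the lure described in the post;
    # the "MZ placeholder" bytes stand in for the executable payload.
    sample = build_sample_zip({
        "www.Party_jpg_Msn.com": b"MZ placeholder, not a real binary",
        "readme.txt": b"benign",
    })
    for finding in suspicious_members(sample):
        print(finding["member"], "->", "; ".join(finding["reasons"]))
```

The check keys on the final extension only, so a name such as "holiday.jpg.exe" is caught the same way as the "www.Party_jpg_Msn.com" lure; a genuine "cat.jpg" produces no finding. A gateway would still want to inspect file contents (the post shows the attacker also serving booby-trapped .jpg files), but the name check alone stops this particular delivery trick cheaply.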

No further involvement from the user is needed after this step. From here the worm carries out its attack on its own.

http://blog.spywareguide.com/upload/2007/11/IRC-thumb.PNG
NextDoor connects to an IRC channel and begins pulling down additional malicious files over FTP.

Now we see what has been installed onto the victim's machine.

http://blog.spywareguide.com/upload/2007/11/cdrive-thumb.PNG
The file with the ominous looking icon is the dialer that is installed by this worm.

http://blog.spywareguide.com/upload/2007/11/windows-thumb.PNG
The actual MSN worm is stored in the Windows Directory.

http://blog.spywareguide.com/upload/2007/11/sys32-thumb.PNG
These two files are involved in setting up the FTP connection to the attacker.

Now that the computer is fully infected, Carlson Dialer begins its main function.

http://blog.spywareguide.com/upload/2007/11/call-thumb.PNG
It geolocates the victim's IP address and maps it to a country code.

This is what it would look like in a regular browser...

http://blog.spywareguide.com/upload/2007/11/dialer-thumb.PNG

To get an idea of how recently this worm was updated...

http://blog.spywareguide.com/upload/2007/11/end-thumb.PNG
The first infection FSL came across has been around since Nov. 26, 2007.

Those aren't normal .jpgs either: they are dialers that exploit the JPG vulnerability.
http://blog.spywareguide.com/upload/2007/11/picture-thumb.PNG
Each .jpg file on the attacker's site exploits the JPG vulnerability.

FaceTime currently protects against this threat as well as the dialers it installs.

© Copyright 2006, FaceTime Communications, Inc. All rights reserved.