Fake MSN Live Program Steals Login Details


This application is made by the same individual who created the Win32.Spin "application". However, this is quite a bit more malicious than opening up a bunch of browser windows. The hacker chooses a PC that they know will be used by lots of different people - web cafe, library, school, wherever. They install their fake application (designed to look like MSN Messenger Live), let the victims run it, then steal their login details.

How do they do it? Well, let's take a look. First of all, the icon for the executable doesn't look too convincing, does it:

fmsn0.gif

If you check out the properties for the application, you'll see something strange:

fmsn1.gif

"Project1-Logs to Text Doc"? That doesn't sound like something a Microsoft application says when you right click it. The plot thickens! Finally, when you run the application, you can't move it around your desktop (it stays stuck to the middle of your screen), or click on anything bar the checkboxes and the "login" button (although obviously, it allows you to type in your username and password).

http://blog.spywareguide.com/upload/2008/03/fmsn2-thumb.gif

After you hit the sign in button, you'll see this error message:

http://blog.spywareguide.com/upload/2008/03/fmsn3-thumb.gif

"Windows Live Messenger can not sign you in right now, please try again later". All lies, of course. What happens now? Well, let's take a look at the code:

fmsn4.gif

Sitting either side of the fake error message, we can see two things. One, the creator is called "David" - always useful to know. Two, the login details should be deposited into a .txt file in the C Directory.

fmsn25.gif

...and there it is! Shall we open it up and take a look?

fmsn45.gif

Success! The password has been dumped into a location where the hacker can easily retrieve it at their leisure. Ah, I hear some of you cry - where can I download this evil program?

Well, you can't. I'm sure it'll be back before long, though...
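The file-properties check described above can be automated on a shared PC. The following PowerShell is an added example, not part of the original post; the function name, the name pattern and the scan path are assumptions, and the Microsoft signer match is a heuristic.

```powershell
# Added example: audit executables that present themselves as Messenger.
# Assumptions (not from the original post): the function name, the
# name/description pattern and the directory the caller chooses to scan.
function Find-MessengerLookalike {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $NamePattern = 'msn|messenger'
    )

    Get-ChildItem -LiteralPath $Path -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi  = $_.VersionInfo
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # Only inspect files that claim, by file name or metadata, to be Messenger.
            $claims = "$($_.Name) $($vi.FileDescription) $($vi.ProductName)"
            if ($claims -notmatch $NamePattern) { return }

            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # Collect every reason the file does not look like a Microsoft build.
            $reasons = @()
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature: $($sig.Status)"
            } elseif ($signer -notmatch 'O=Microsoft Corporation') {
                $reasons += "signed by: $signer"
            }
            if ($vi.CompanyName -notmatch 'Microsoft') {
                $reasons += "company: '$($vi.CompanyName)'"
            }

            if ($reasons) {
                [pscustomobject]@{
                    File        = $_.FullName
                    Description = $vi.FileDescription   # e.g. a leftover project name
                    Reasons     = $reasons -join '; '
                }
            }
        }
}

# Example call (the path is an assumption):
# Find-MessengerLookalike -Path 'C:\Users' | Format-List
```

A file that is named like Messenger but is unsigned, or whose description is a leftover project name, is reported with the reasons listed.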

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, Senior FSL Senior Threat Researcher


About this Entry

This page contains a single entry by Christopher Boyd published on March 4, 2008 12:00 PM.
