Fake MSN Live Program Steals Login Details
This application is made by the same individual who created the Win32.Spin "application". However, this is quite a bit more malicious than opening up a bunch of browser windows. The hacker chooses a PC that they know will be used by lots of different people - web cafe, library, school, wherever. They install their fake application (designed to look like MSN Messenger Live), let the victims run it, then steal their login details.
How do they do it? Well, let's take a look. First of all, the icon for the executable doesn't look too convincing, does it?
If you check out the properties for the application, you'll see something strange:
"Project1-Logs to Text Doc"? That doesn't sound like something a Microsoft application says when you right click it. The plot thickens! Finally, when you run the application, you can't move it around your desktop (it stays stuck to the middle of your screen), or click on anything bar the checkboxes and the "login" button (although obviously, it allows you to type in your username and password).
After you hit the sign in button, you'll see this error message:
"Windows Live Messenger can not sign you in right now, please try again later". All lies, of course. What happens now? Well, let's take a look at the code:
Sitting either side of the fake error message, we can see two things. One, the creator is called "David" - always useful to know. Two - the login details should be deposited into a .txt file in the C Directory.
...and there it is! Shall we open it up and take a look?
Success! The password has been dumped into a location where the hacker can easily retrieve it at their leisure. Ah, I hear some of you cry - where can I download this evil program?
Well, you can't. I'm sure it'll be back before long, though...
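The giveaways described above (a default project name in the file properties, Messenger wording in the binary, and a .txt path on the drive root) can be turned into a quick string triage for an unknown executable. The script below is an added example, not code from the original research; the rule patterns, function names and sample bytes are assumptions made for illustration.

```python
import re

# Triage heuristics modelled on the indicators in the write-up. The patterns
# are assumptions for illustration, not signatures from the original research.
RULES = {
    "default_project_name": re.compile(r"\bProject1\b"),
    "messenger_branding": re.compile(r"Windows Live Messenger|MSN Messenger", re.I),
    "root_txt_path": re.compile(r"[A-Za-z]:\\[^\\/\r\n]*\.txt\b", re.I),
}

def extract_strings(data, min_len=5):
    """Yield printable ASCII and UTF-16LE strings, like the `strings` utility."""
    ascii_pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_pat.finditer(data):
        yield m.group().decode("ascii")
    for m in wide_pat.finditer(data):
        yield m.group().decode("utf-16-le")

def triage(data):
    """Return (hits per rule, verdict) for the raw bytes of an executable."""
    hits = {name: [] for name in RULES}
    for s in extract_strings(data):
        for name, pat in RULES.items():
            if pat.search(s):
                hits[name].append(s)
    # Branding alone is expected in the genuine client; flag only when it is
    # combined with a default project name or a drive-root .txt path.
    suspicious = bool(hits["messenger_branding"]) and bool(
        hits["default_project_name"] or hits["root_txt_path"])
    return hits, suspicious

# Constructed sample bytes (not taken from the real binary); the log file
# name is a placeholder because the write-up does not give it.
SAMPLE = (
    b"Project1-Logs to Text Doc\x00\x01"
    + "Windows Live Messenger can not sign you in right now".encode("utf-16-le")
    + b"\x02C:\\example-log.txt\x00"
)

if __name__ == "__main__":
    hits, suspicious = triage(SAMPLE)
    for rule, found in hits.items():
        print(rule, found)
    print("suspicious:", suspicious)
```

A hit is a prompt for closer inspection, not a verdict: the rules are string heuristics and say nothing about what the program does at run time.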
Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, Senior FSL Senior Threat Researcher