Automated Spim on Microblogging Site Via MSN Messenger

| | Comments (0)
There's been a fair amount of Twitter coverage recently, but it's worth noting that other countries have their own versions of Twittering and some of them have seem to be a little easier to use in conjunction with Instant Messaging, whereas Twitter still seems to have a need for third party services, add-ins and other tools to get the job done if the service used is something other than Google Talk, Livejournal Chat or Jabber (if it's now more straightforward for other clients too, please let me know!)

Either way, the below illustrates why adding Instant Messaging features to services such as Twitter can cause problems in the long run and needs to be considered carefully.

We were alerted to the fact that a large amount of Spam seemed to be coming out of China in the last day or two (indeed, one contact mentioned to me that this particular message had been sent to their Honeypot around 29,000+ times, which is a lot of spamming for one URL however you look at it). The spam in question seemed to have been sent via a Spambot, and the only mentions of this URL so far in search engines seems to be related to China - shall we take a look?

The URL in question (with part of it redacted) is

http: //5834******/ ;)

You'll notice the spam is short, snappy and also includes a little smiley-face thing at the end. In fact, it looks a little bit like the kind of link people send to their contacts on Twitter, doesn't it?

Well, let's see - a quick search and we find this:

fanf1.jpg

Click to Enlarge

A page from Fanfou.com, which I believe is a Chinese site "inspired" by Twitter with much of the same features and functionality. In fact, it has one feature working straight off the bat that Twitter users previously had to rely on plugins for - the ability to send messages to their page via MSN Messenger updates.

http: //5834****** doesn't actually resolve anywhere - however, a quick Ping to that address and we have an IP:

fanf3.jpg

Click to Enlarge

Type the IP address into the browser, and via some geolocational technology, you'll see a region specific version of the following dating website:

fanf4.jpg

Click to Enlarge

Go back to the page on Fanfou.com, scroll down and select any of the clickable links and surprise - the same page appears. This particular account on Fanfou has something like 30+ pages devoted to endless Spim links via MSN. They link to placeholder pages, sites that look as though they've been suspended and / or deleted with no way to determine what content was there previously - all interspersed with "Twitter" style messages throughout such as this:

fanf5.jpg

Again, note everything is coming via MSN. By this point, you're probably wondering exactly how they allow you to send messages to their Twitter-style pages. Well, the solution is quite clever - check out the IM page. You enter your MSN address, and when you login to your MSN account, you'll suddenly find you have a new IM buddy who wants to be a contact:

fanf6.jpg

Add it, and whenever you want to put a message on your page, send it an instant message and, lo and behold, your Tweet-style message has appeared on your page:

fanf8.jpg

Click to Enlarge

In conclusion, the steps here appear to be

1) Create a Spambot that infects users via MSN Messenger
2) Tailor the messages it sends to be short and sweet, just like a Twitter-style message
3) Set up an account on a service such as Fanfou.com that makes it easy to send messages to your page via MSN Messenger (or other IM services affected by your bot)
4) Infect the PC running your MSN Messenger account then watch as it spams the userpage with whatever messages you want it to send.

Of course, the links can be anything from dating sites and ringtone adverts to infection files and exploits - all made so much more easier (and far less time consuming than manually typing in URLs to your userpage) by the functionality built into the site you happen to be using. It's also worth noting that the accounts sending the Spim don't have to be set up by the spammer - they could be compromised accounts that had been hijacked when clicking a rogue IM link, which is a great way of filling out the spamming ranks very quickly.

This is definitely something Twitter - and any other site out there involved in microblogging - need to keep an eye out for, and consider carefully when thinking of adding integration with popular Instant Messaging clients.

We detect the file sending the weblinks via MSN as Foubot.

Research and Writeup: Christopher Boyd, Director of Malware Research
Additional Research: Chris Mannon, Senior Threat Researcher

Leave a comment

About this Entry

This page contains a single entry by Christopher Boyd published on August 7, 2008 10:12 PM.

Strange Russian Spam was the previous entry in this blog.

CNN Custom Alerts Spam is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.