Recently in Adware / Spyware Issues Category

You may have heard about a recent hack where a user of Flickr found all his photographs had been removed when a (probable) old flame broke into his account and deleted the whole thing. This started a discussion in regards to safe backups, and whether or not the user was playing with fire for expecting a third party image hosting service to keep backups of his images or not.

Many people upload images to sites such as Flickr, but think their data is "safe" purely because they also keep copies of their images on their PC. Well, as you're about to see, unless you have some form of dedicated backup system in place or an external hard drive, it can go horribly wrong very quickly. Take my advice, and DON'T wait for something to happen to your computer then facepalm and cry into a bucket for six hours. Go buy some storage, or at least use one of the many free online storage services and have some kind of contingency plan for your photographs. Now that we've got that out of the way...


imgwrm1.jpg

Above is a program that claims to crank out "Image Worms". I don't recall worms looking quite so vicious as the one in the picture, but never mind. You hit "Select file to worm", pick an image file on your computer to plaster all over the victim's PC and click the "Build worm" button.

At this point, a file appears in the program directory:


imgwmz3.jpg

At this point, it's merely a case of renaming the "Image worm server" file so that it looks like an image file, then sending it to a victim.

You might be wondering where the "worm" part comes into play, given the overall wormy theme going on here. The truth is, in testing we simply could not get the file to do any spreading of its own accord. If there is supposed to be a worm element to this, something has gone horribly wrong with the coding. It *might* still kick into life, perhaps, when the planets align and mystical portents of doom signify the end of the World. Until then, "Look at my awesome picture lol" is how this thing is rolling.

However, that doesn't mean horrible things aren't about to happen to your computer. Let's take a look, and imagine someone sends you a "picture". Open that file (which of course is actually an executable) and every jpeg on your computer will switch from this...

imgwrm3.jpg

to this:

imgzwrmz666.png

As you may have noticed, all of your treasured memories now say "Hacked" in the middle of a black background.

This is not a good thing. You did back these images up somewhere other than your PC, didn't you?

You didn't? Oh.

We detect this as PicSwitch.
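The two tricks in this post, an executable renamed to pass as a picture and every JPEG on the machine overwritten with the same "Hacked" image, both leave fingerprints a defender can check for. The script below is an added example written for this page, not code from the original post or from any product: it verifies that files with image extensions actually start with image magic bytes (a Windows executable always starts with `MZ`), flags double extensions such as `party.jpg.scr`, and reports clusters of image files with identical content, which is what a mass overwrite leaves behind. The sample files it scans are constructed inside a temporary directory; their names and contents are made up.

```python
"""Flag files that claim to be images but are not, and spot mass overwrites.

Added example (not code from the original post): a defender-side check for
an executable renamed to look like a picture, and for every JPEG on the
disk having been replaced with the same image.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# Leading bytes of common image formats.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}
PE_MAGIC = b"MZ"  # every Windows executable starts with this DOS header
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def classify(path):
    """Return a list of findings for one file (empty list means it looks fine)."""
    findings = []
    parts = os.path.basename(path).lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if ext in IMAGE_MAGIC:
        if head.startswith(PE_MAGIC):
            findings.append("executable-with-image-extension")
        elif not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
            findings.append("header-does-not-match-extension")
    # "party.jpg.scr": an image extension buried in front of an executable one
    if len(parts) > 2 and "." + parts[-2] in IMAGE_MAGIC and ext in EXEC_EXTS:
        findings.append("double-extension")
    return findings


def scan_directory(root):
    """Walk root. Return (findings per path, clusters of identical image files).

    Many images sharing one hash is what a PicSwitch-style overwrite leaves
    behind: every picture has become the same file.
    """
    findings = {}
    by_hash = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hits = classify(path)
            if hits:
                findings[path] = hits
            if os.path.splitext(name)[1].lower() in IMAGE_MAGIC:
                with open(path, "rb") as fh:
                    by_hash[hashlib.sha256(fh.read()).hexdigest()].append(path)
    clusters = [paths for paths in by_hash.values() if len(paths) > 1]
    return findings, clusters


def build_sample_tree(root):
    """Write constructed sample files into root (all names and contents are made up)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    samples = {
        "beach.jpg": jpeg + b"real photo bytes",
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 12,    # renamed executable
        "party.jpg.scr": b"MZ\x90\x00" + b"\x00" * 12,  # double extension
        "odd.jpg": b"not a jpeg at all",                 # wrong header
        "img1.jpg": jpeg + b"HACKED",                    # three identical
        "img2.jpg": jpeg + b"HACKED",                    # copies, as after
        "img3.jpg": jpeg + b"HACKED",                    # a mass overwrite
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp dir and scan it; returns the report."""
    root = tempfile.mkdtemp(prefix="picswitch-demo-")
    build_sample_tree(root)
    findings, clusters = scan_directory(root)
    report = {os.path.basename(p): hits for p, hits in findings.items()}
    report["identical-image-clusters"] = [len(c) for c in clusters]
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point `scan_directory` at a pictures folder and the first two findings tell you whether a "picture" is safe to double-click before you do; the cluster report is the after-the-fact check, and a folder where dozens of JPEGs hash to the same value is a reason to reach for the backup the post keeps nagging you about.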

There seem to be quite a few of these in circulation over the past day or so:

Download the latest version! <URL Removed>

About this mailing:
You are receiving this e-mail because you subscribed to
MSN Featured Offers. Microsoft respects your privacy.
If you do not wish to receive this MSN Featured Offers e-mail,
please click the "Unsubscribe" link below. This will not
unsubscribe you from e-mail communications from third-party
advertisers that may appear in MSN Feature Offers.
This shall not constitute an offer by MSN. MSN shall
not be responsible or liable for the advertisers' content
nor any of the goods or service advertised. Prices and item
availability subject to change without notice.

2008 Microsoft | Unsubscribe <http://www.msn.com>  |
More Newsletters <http://www.msn.com>  |
Privacy <http://www.msn.com>

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052


As you might have guessed, it's fake. Microsoft don't send out emails asking you to download files from random, non-Microsoft websites. This:

ie71.jpg

....is not what it appears to be. Run the file, and instead of IE7, you're actually more likely to see a fake antivirus program appear on your desktop:

top106.jpg


By the time you see this, it's probably too late. This threat is also known to send the user fake infection alerts to provoke the victim into buying the product. It also uses the Sysinternals fake Blue Screen of Death screen saver to scare the victim. As you can see below, several options have been removed from the desktop properties window to hinder users from restoring the default settings.

background.png

This particular product is detected by us as Fake.AV, and is also being pushed quite heavily via the recent CNN videos scam. You can see another example of these emails here. There is more than one URL being used for this attack, so be alert!

Additional Research: Chris Mannon, Senior Threat Researcher

Sysda Act

Oh hi there. Apologies for the Whoopee movie reference, but it's hard to come up with something catchy. This latest threat coming through the Facetime Security Labs steals passwords related to Chinese sites. This is not really a threat to most businesses in the US, but judging from the malware trend coming from China and spreading to the rest of the world, I'd say it's only a matter of time before we start seeing the same method of theft. This new threat has been named Sysda. Sysda lies dormant until a certain site is navigated to, typically the page where a user attempts to change their password for that site. After that it simply posts the information back to the attacker. Users should be on the lookout for a file called "sysdajchv.dll". All it really needs is to hook into iexplore.exe to steal your user credentials.

crack.PNG
The above illustrates that Sysda is attempting to steal login credentials to Sohu.com. Whether this is simply a new way to phish for information, or something more sinister along the lines of fraud, is still unclear at this point. I'll let you know what I find out.

Do you think the following website is all sweetness and light?

http://blog.spywareguide.com/upload/2007/10/yhgames0-thumb.jpg

.....well, now that you mention it....

http://blog.spywareguide.com/upload/2007/10/yhgames00-thumb.jpg

....whoops. Still, it's worth noting that, as with so many of these infection files, you DO sometimes get a few chances to redeem yourself before everything goes pear shaped:

http://blog.spywareguide.com/upload/2007/10/yhgames000-thumb.jpg

Mind you, this would be a pretty boring blog entry if we did the sensible thing and failed to run the executable, right? Run it, run it, I hear you cry.

Well, okay then, just for you I'll run it...this is what ends up in your System32 Folder:

yhgames0000.jpg

One of the files made reference to IFRAMES inside the code - never a good sign:

yhgames00000.jpg

The page mentioned wasn't available during testing, so it could have been trying to load pretty much anything at all, from dubious advert to rogue executable. Who knows. What we do know is that when everything is done and dusted, you're left with references to Browser Helper Objects:

yhgames0000000.jpg

...Winsock Layer hijacks...

yhgames00000000.jpg

...and a rogue service:

yhgames000000000.jpg

....that's a lot of hoop jumping to monitor what websites you're visiting, but oh well.

YHGames - no fun, no games.

Presenting IKatzu, the browser helper object that supposedly pops adverts but doesn't actually seem to do anything. Not at the moment, anyway - but that doesn't mean we can't investigate. Shall we dig around behind the scenes and see where this comes from? Let's kick things off by looking at some of the files that get dumped into your System32 folder when the initial executable is activated by the user:

ikatzu6.jpg

The purpose of this bundle of joy is to show you adverts - as you might have expected. However, what's far more interesting than the actual application is the tangled web behind the software. A quick Google for the program seems to hint at a page promising terms and conditions, from a site called Artella.biz. However, at present the "page is not available". Thanks to good old Google cache, I was able to retrieve the T&Cs - because I'm sure Artella don't want those going missing, right? - and ran them through the Eula Analyzer. A brief look at the page made my teeth grind and probably clench a few fists, because it is so reminiscent of the "Olde Worlde" Adware bundle license agreements from 2005 / 06, where six hundred odd applications are listed along with links to other website EULAs, many of which would lead you to 404 errors or worse. I was hoping this kind of license had gone out with the Ark, but apparently not. In this case, things aren't much better - for the sake of an application that's supposed to show you some adverts, on a regular 17-inch monitor (at least, I think that's what I'm using, don't blame me if I'm wrong), the whole thing took SEVENTEEN PAGES OF INDIVIDUAL TEXT to scroll through.

That's a lot of text.

There are also a few links off site to other pages of information, and references to companies that might be included "if applicable". All in all, not the best start. However, it gets worse - the entire EULA can be read here, and these are the results:

Number of characters: 55671
Number of words: 9399
Number of sentences: 357
Average words per sentence: 26.33
Flesch Score: 23.5
Flesch Grade: 17 : Beyond Twelfth Grade reading level
Automated Readability Index: 20 : Beyond Twelfth Grade reading level
Coleman-Liau Index: 21 : Beyond Twelfth Grade reading level
Gunning-Fog Index: 42 : Beyond Twelfth Grade reading level

...that's a pretty crazy EULA someone expects you to wade through. 9,399 words? 300+ sentences? All to see some ads? No thanks.

There's a fair amount of talk regarding removal of the advertising software in conjunction with something called "Upads.biz", so off we go to have a look:

http://blog.spywareguide.com/upload/2007/10/ikatzu1-thumb.jpg

...is it just me, or does the picture of the laughing dude creep you out too? Ick. Anyway, a Whois search is predictably fruitless:

http://blog.spywareguide.com/upload/2007/10/ikatzu2-thumb.jpg

Any and all useful information is hidden by "Moniker Privacy Services". That seems to be true for most (if not all) sites involved in this distribution network. We're left with Artella, so let's go check them out:

http://blog.spywareguide.com/upload/2007/10/ikatzu3-thumb.jpg

The interesting thing here is that although this site also has its contact details hidden via Moniker Privacy Services, they sort of made that pointless by placing an address on the front page of their website - 48 Bella Vista, Edificio No. 27, Local No. 2, Ciudad de Panama, Rep. De Panama.

Bit weird?

Anyway, we finally have an address so we're vaguely better off than we were previously. However - things are about to get even weirder. Let's take a quick jump over to their Uninstall Page where they come down hard on anyone wanting to remove their application from a PC:

http://blog.spywareguide.com/upload/2007/10/ikatzu4-thumb.jpg

"Please be aware that many so called "ad ware removers" and "spy ware removers" can cause damage to your computer and may alter your computer in such a way that our automated removal application will not function. At the present time, there is no third party software which is capable of removing Artella applications. If you have purchased an application which claims to remove Artella, we encourage you to contact your credit card company and request an immediate reversal with the reason of "Product Not As Described" and/or contact the Better Business Bureau."

.....ouch! And "no third party which is capable of removing Artella applications"? I guess this was just a dream, then. I went and tried their Uninstaller:

ikatzu88.jpg

Imagine my dismay, then, when after hitting the YOU REMOVE NOW button the entry from Add / Remove programs just....vanished. No confirmation, no box appearing to say job well done....nothing. The entry from "Manage Add Ons" in IE had vanished, and a few files had disappeared from the System32 Folder, but that was about it - a bunch of files were still sitting there with no real indication that anything much had changed.

So I restarted my machine, hoping to see a lean, clean machine - but, lo and behold....

ikatzu9.jpg

...the same files, still sitting there! Are they active? Are they dead? And aren't I supposed to report those pesky removal tools to the Better Business Bureau? Who knows, is what the response of the average (and probably not so average) Internet user is going to be. Even better, running a quick HijackThis scan shows the following:

ikatzu200.jpg

...ads_cpd.exe is still listed as a service! (It's still sitting in the System32 Folder, too). Considering they spent so much time complaining about third party removal tools, you'd have thought they'd have done a better job of it with their own uninstaller but oh well.
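The YHGames and IKatzu write-ups above both end up in the same place: Browser Helper Objects, Winsock LSP entries and a service pointing at files in System32, some of which survive the vendor's own uninstaller. Rather than eyeballing a HijackThis log, a defender can triage it mechanically. The script below is an added example written for this page, not code from the original posts or from HijackThis: it parses O2 (BHO), O10 (Winsock LSP) and O23 (service) lines written in the style of HijackThis output, and for each System32 resident reports whether the file is still on disk (the "uninstalled" hook is still loaded), or is gone (an orphaned registration). The log lines and the snapshot of surviving files are constructed; every CLSID, file name and service name is invented except ads_cpd.exe, which the IKatzu post names.

```python
"""Triage persistence entries from a HijackThis-style log.

Added example, not code from the original posts or from HijackThis itself.
The log below is constructed in the style of HijackThis output (O2 = Browser
Helper Object, O10 = Winsock LSP, O23 = service); all identifiers are
invented except ads_cpd.exe, which the post names as still running after
the vendor's uninstaller was used.
"""
import re

SAMPLE_LOG = """\
O2 - BHO: (no name) - {AAAAAAAA-0000-0000-0000-000000000001} - C:\\WINDOWS\\system32\\adhelper.dll
O2 - BHO: Example Vendor Helper - {AAAAAAAA-0000-0000-0000-000000000002} - C:\\Program Files\\ExampleVendor\\helper.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\yhlsp.dll
O23 - Service: ads_cpd (ads_cpd) - Unknown owner - C:\\WINDOWS\\system32\\ads_cpd.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\\WINDOWS\\System32\\svchost.exe
"""

# Constructed snapshot of what is still sitting in System32 after the
# vendor's uninstaller has run; yhlsp.dll is deliberately absent.
FILES_STILL_ON_DISK = {"adhelper.dll", "ads_cpd.exe", "svchost.exe"}

SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\", re.IGNORECASE)
KNOWN_GOOD = {"svchost.exe"}  # illustrative allowlist only, not a complete one


def parse_entry(line):
    """Return (section, description, path) for O2/O10/O23 lines, else None."""
    match = re.match(r"^(O2|O10|O23) - (.*)$", line.strip())
    if not match:
        return None
    section, rest = match.groups()
    if section == "O10":
        # "Unknown file in Winsock LSP: <path>"
        desc, _, path = rest.partition(": ")
    else:
        # "BHO: <name> - {CLSID} - <path>" / "Service: <name> - <owner> - <path>"
        desc, _, path = rest.rpartition(" - ")
    return section, desc.strip(), path.strip()


def triage(log_text, files_on_disk):
    """Classify each System32-resident entry in the log.

    leftover-still-loaded: hook is registered and its file is still present,
                           i.e. the uninstall did not actually remove it.
    orphaned-entry:        the registration points at a file that is gone.
    known-good:            on the allowlist.
    Returns a list of (section, file name, verdict) tuples in log order.
    """
    results = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, _, path = parsed
        if not SYSTEM32_RE.match(path):
            continue  # this check only looks at System32 residents
        name = path.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_GOOD:
            verdict = "known-good"
        elif name in files_on_disk:
            verdict = "leftover-still-loaded"
        else:
            verdict = "orphaned-entry"
        results.append((section, name, verdict))
    return results


if __name__ == "__main__":
    for section, name, verdict in triage(SAMPLE_LOG, FILES_STILL_ON_DISK):
        print(f"{section:4} {name:14} {verdict}")
```

On a real machine you would feed `triage` the saved log text and a set built from a directory listing of System32; a "leftover-still-loaded" verdict on a service or LSP is exactly the ads_cpd.exe situation, and an orphaned LSP entry is its own problem, since a missing Winsock provider can break networking until the chain is repaired.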

We're not done yet with this page, either. Remember "48 Bella Vista", listed as their "main headquarters" on the front page of their website? Well, on the Uninstall Page their "main headquarters" are listed as "Avenida Winston Churchill, Edificio Vista Del Mar, No. 43 Ciudad de Panamá, Rep. De Panamá."

....is it just me, or do they have two different main headquarters?

Let's finish this one off with a familiar face - going back to the huge EULA page, who should be listed but....

http://blog.spywareguide.com/upload/2007/10/ikatzu500-thumb.jpg

...Mirar! Yep, just when you thought things couldn't get any more convoluted, along comes yet another element into an already crowded and confusing mix.

....what was I writing about again? Oh yeah, IKatzu. Sorry. Given the seemingly endless EULA pages, the amount of secrecy with regard to who a lot of these associated sites are registered to, the multiple "main headquarters" addresses, T&C pages that seemingly no longer exist and an uninstaller that doesn't really instill faith in the end-user, I don't recommend installing this application.

......be honest, did you think I was going to say anything else?

Q Nyx - Popup Heaven


Here's an interesting one from China: "Q Nyx". No idea what that means, but it isn't good if you get it on your PC. Your computer won't go into meltdown or anything, but you will see a lot of popups. It's a fairly standard hijack, with a whole bunch of files dumped into your System32 Folder:

http://blog.spywareguide.com/upload/2007/10/qnyx3-thumb.jpg

From there, generic popup windows and slightly porntacular images are the order of the day:

http://blog.spywareguide.com/upload/2007/10/qnyx4-thumb.jpg
http://blog.spywareguide.com/upload/2007/10/qnyx5-thumb.jpg

A number of security programs are mentioned in the code of one of the executables, which would seem to indicate it's going to try and tamper with them:

qnyx1.jpg

....never a good thing, really, is it?

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher

My colleague Chris Mannon recently came across a file that contains all sorts of Botnet fun and games, along with a fair amount of spam related action into the bargain....and final tie-in to a familiar face. Shall we take a look?

Of course.

I always like to get a look at the file sitting all harmless and stuff on the desktop - don't you? I hope so, because here it is:

dsdata1.jpg

...yeah, it's not doing much yet but it does get more interesting. If the end user is duped into running the executable, it vanishes and deposits two files into the System32 Directory:

dsdata2.jpg

It should come as no surprise that both files are "in use" by another application and you can't delete them via normal methods.

That's not all - I mentioned Spam, right? Well, while running, it has the ability to manipulate mail in Outlook (spam, spam, spam, spam) and specifically looks for Opera Mail usernames and passwords.

Can you guess what kind of Spam it sends?

dsdata4.jpg

....yep, it's related to our "good friend" The Storm Worm, because "Get Krackin" is the latest scam to come out of the Storm Stable.

We detect this bundle of joy as DSData.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher

Skype were good enough to notify us about something they recently came across, and the results are pretty interesting. To kick things off, here's a victim complaining about the infection on the Skype forum.

....read that? Okay, cool. Then let's begin:

skypedef1.jpg

As you might have guessed, that's the executable sitting on your desktop. Run it, and you'll see the following:

skypedef3.jpg

...oooh, the promise of plug-in excitement! However, what you see next should give the game away. Note the amazingly out of place login button on the fake Skype application:

http://blog.spywareguide.com/upload/2007/10/skyepdef4-thumb.jpg

If you enter your login details, you'll be handed a "Your details aren't valid" message:

http://blog.spywareguide.com/upload/2007/10/skypedef2-thumb.jpg

....at which point, your login credentials have been sent back to base. We detect this as Skype Defender - do yourself a favour, and ONLY download applications related to Skype from the official Skype website.

http://blog.spywareguide.com/upload/2007/09/skinner1-thumb.jpg

Upon hearing bad reports about a product called "Messenger Skinner", we decided to investigate. The program (whose target audience must strongly favour kids by virtue of the fact that the most entertaining thing it gives you is dancing bananas) has a number of issues that make it something I'd rather not recommend. Note:

"Messenger Skinner is free of any kind of spyware or trojan".

Interesting statement. Let's continue.

skinner3.jpg

...looks innocent enough so far, but things are about to get messy.

http://blog.spywareguide.com/upload/2007/09/skinner5-thumb.jpg

Presented with a "real" installer. That's good.

The text box is stupidly small. That's bad.

The "no" button is pre-checked and you have to physically select yes. That's good.

I don't like the colour scheme. That's bad.

The EULA is certainly comprehensive. That's good.

But that's only because there's apparently two of them.

That's bad.

See, during install, the EULA you see is NOT the EULA you see by clicking "Terms and Conditions" from the program entry on your Start list. Indeed, once installed, all you really get is a very general ramble about liability, licensing and intellectual property. Right at the end, under "Uninstall", you get the briefest of mentions for this:

"UNINSTALL
This software is completely free as it is subsidized by the Favorit contextual advertising component."

....ooh. In fact, we need to hope that anyone installing the program not only took great note of the EULA during install, but copied and pasted it onto their system to get a better idea of what's likely to be going on in their system.

Namely:

1. USE OF THE SOFTWARE

1.1.MessengerSkinner, a Freeware application, offers a button which allow you to add funny emoticons and other things to MSN Messenger (R) 7.0, 7.5 and Windows Live Messenger (R).

1.2. The Software includes a component which will remain active at all times with the objective of verifying and ensuring the correct functioning of the Software, and offering other advantages ("Component"). When the User is connected to the Internet the Component will make periodic connections to the Provider's servers in order to check that there are no problems in the access network or the User's Computer. If any error which prevents the normal use of the Software is detected in the User's Computer, the Component will seek to identify and solve it. Any changes that the Component makes to the User's Computer will be to clearly non-essential parts thereof and for the purposes referred to in these Conditions. THE USER REQUESTS AND AUTHORIZES THE INSTALLATION AND UPDATING OF THIS COMPONENT TOGETHER WITH THE SOFTWARE IN ACCORDANCE WITH THE TERMS SET OUT IN THESE CONDITIONS. The Component will carry out the tasks described in these Conditions only when the User is connected to the Internet, whether using the Software or the User's regular Internet connection. In any case, the User can easily uninstall the Software or the Component by selecting "Access Connection" and "Component Add-On" respectively in the appropriate section of the operating system control panel. Users should be aware that upon such uninstallation, the advertising messages might be sent during a period of three months after said uninstallation, the benefits provided by the Component will not be available and in certain cases the Software (if retained) or the Provider's services may not function correctly.

Adverts for three months after uninstalling? Nice! As you'll see later, the hoops you need to jump through to uninstall hark back to the "good old days" of Direct Revenue making you download additional software to uninstall the first unwanted program. Tonight we're gonna' party like it's 2004! Yay!

1.4. In order to carry out the operations referred to in the paragraphs above, the Component will send certain data from the User's Computer to, and will receive information and requests for these purposes from, the Provider's servers. The data sent to the Provider's servers by the Component will be limited to technical and connection information such as: operating system user name, name of the computer in the operating system, IP address of the LAN of the computer, country of connection, browser default country, operating system version, operating system or browser service packs installed, ID of the most recent browser update, vertical and horizontal resolution of the monitor screen, IP address of the most recent internet connection, maximum and average response times, percentage losses, name of the last RAS connection and others relevant for the purposes indicated. The User authorizes such exchanges of information with the Provider's servers in accordance with these Conditions. At no time will any information regarding Internet sites visited or other activities of the User be sent to the Provider's servers; this information will be processed within the User's Computer in order to anonymously select advertising or other messages to be shown to the User. In no case will the Provider be able to identify the User nor will any profile of the User be created.

...."limited to"? What else is there left to grab, shoe size?

For the sake of this:

http://blog.spywareguide.com/upload/2007/09/skinner12-thumb.jpg

....I'm starting to feel pretty uncomfortable about installing this program. Oh, note that I had to blank a few smileys out because they were, er, sort of rude. Enjoy, kids!

Anyway, now we come to the meaty part. If you installed this program and happened to run, oh, I don't know....a bunch of Rootkit Scanners...you'd probably see something a little like this:

http://blog.spywareguide.com/upload/2007/09/skinnerend-thumb.jpg

.....and, from another testbox, something like this:

skinner14.jpg


skinner15.jpg

....hidden, randomly named executables? Oh, awesome. That's just what the world needs more of. I guess that's why Symantec say the following on this writeup, then:

"# Hides the following files by using rootkit technology:

* %System%\[RANDOM].exe
* %System%\[RANDOM].dat"

......to coin a phrase, whoops.

At this point, I bet you're dying to see the program in action, right? Exactly how does Messenger Skinner operate in the context of the MSN Chat system? Well, the answer is faintly interesting:

http://blog.spywareguide.com/upload/2007/09/skinner11-thumb.jpg

.....check it out, it almost totally hides the adverts served up by MSN! I wonder if they'd be happy knowing this product did that? I guess we'd better move onto the uninstaller that time forgot. In the rather general "terms and conditions" available from accessing the program via the Start menu, right at the bottom, is this:

"UNINSTALL
This software is completely free as it is subsidized by the Favorit contextual advertising component.

The end user can uninstall our component by filling the following form:
http://www.pc-on-internet.com/uninstall
"

.....oh dear. I'm sort of surprised anyone still releases applications like this - especially as it all smacks of hoop jumping and a faint impression that they don't actually want you to uninstall any of these things. For a perfect example of what I mean, check out this writeup from 2005 where I battled with the Uninstaller for Direct Revenue's Aurora.

Let's all pause while you read that and say a few brief words for Aurora.

What's that? Nobody got anything good to say about it? Nah, didn't think so. Anyway....let's go over how I think uninstalling a program should go.

1) Decide to uninstall.
2) Run uninstaller.
3) The end.

Now let's see how it goes down in Messenger Skinner Land, or as I like to call it, "Hoop Jump City Central" (like Nutbush City Limits, but with a better beat).

The Main Uninstall Page:

http://blog.spywareguide.com/upload/2007/09/skinner7-thumb.jpg

The Terms and Conditions Page:

http://blog.spywareguide.com/upload/2007/09/skinner8-thumb.jpg

The Privacy Policy Page:

http://blog.spywareguide.com/upload/2007/09/skinner9-thumb.jpg

....WHAAAAAAAAAAAAAAA?

That's right, to uninstall the program, they insist that you open up THREE DIFFERENT PAGES and read through endless reams of text - just to uninstall something!

Not only that, but then you have to hand over your Email address to contact them, tell them why you don't want it on your system anymore and (finally) "wait for someone to look into it" and then, finally, presumably, hopefully, send you the link to the uninstaller.

http://blog.spywareguide.com/upload/2007/09/skinner17-thumb.jpg

But wait, it gets BETTER. Can you believe it? Look what awaits you in the mailbox:

skinner18.jpg

Absolutely incredible. You're stuck with a 24 hour limit to obtain the uninstall program. If your Internet connection breaks, or you weren't planning on sitting in front of your PC all day waiting for their all important Email - too bad! Furthermore, they have such iron clad faith in their uninstaller program that if you run it more than three times, you see this:

http://blog.spywareguide.com/upload/2007/09/promo_expired-thumb.JPG

Even better, both Panda and Prevx flag the uninstaller as suspicious:

skinner19.jpg

And even better than that, there are some people out there complaining that the uninstaller doesn't actually seem to be very good at, er, uninstalling things.

Ladies and Gentlemen, I give you the epitome of "complete disaster". Without a doubt, this is one of the worst uninstall routines I've seen in years, and you can put that on a wall and frame it.

Finally, there are a bunch of domains on the server hosting Messenger Skinner that are related to the parent company. Of particular interest is one called crazygirls-world.com (registered to the same guy as Messenger Skinner), which leads you to....

http://blog.spywareguide.com/upload/2007/09/skinner20-thumb.jpg

.....Dialer related porn on a site called "gad-network.com". Of course, it's no surprise that we see Gad-Network leads us back to the Favorit Network site.

.....wait, didn't I get a really amazing uninstaller from there once?

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

Sometimes, it's impossible to know where an investigation will take you. And though your initial focus might change somewhat, every now and again the focus will change so dramatically that what you end up with is nothing like what you were expecting.

This is one of those occasions.

A few days back, someone posted a link on the Spywarewarrior.com forum, asking if it was a "list of hijacked Emails". It definitely looked suspicious, so with that, off I went to have a look around.

http://blog.spywareguide.com/upload/2007/09/spbl6-thumb.jpg

....okay, hundreds of Email addresses with names and no other information provided. Not a lot to go on. However, a quick Directory jump back and....

http://blog.spywareguide.com/upload/2007/09/spbl1-thumb.jpg

Eight sets of files containing thousands upon thousands of Email Addresses.

Not just Email addresses, either. Depending on the document opened, you might find yourself looking at a collection of Email addresses, full name, postal address, IP address and time / date they submitted their form / mail to whatever website they happened to be on at the time (yes, the websites were listed too). Though we've blanked a lot out, the following screenshot will still give you an idea of how much data is up for grabs (note the scrollbar at the side of the screen is only halfway through this particular page):

http://blog.spywareguide.com/upload/2007/09/spbl8-thumb.jpg

...ouch?

The majority of the websites listed are down, but you can probably guess the content - possible prizes in exchange for your Mail Address (and possibly other information) being used in opt-in databases for "promotional purposes", anyone? Yeah, I'd think that was a good bet. There's nothing wrong with genuine opt-in....but something has gone seriously wrong here, and the potential for things to get out of hand very quickly will soon be seen.

Googling one of the domains flagged up an interesting thread on a popular Adult Webmaster forum, gfy.com:

http://blog.spywareguide.com/upload/2007/09/spbl115-thumb.jpg

Quote time:

"What I am offering is 150-200k Daily Emails - 4-6 Mil Unique Monthly Emails
Full Data Included. name,email,address,ip,time,date,source etc

Price is 2.5k Monthly and we also accept Weekly payments as well"

Now, at this point, everything is likely to be legit; everyone has opted in; the data is only going to be sold to "a maximum of three people".

The problem is, once you submit your details to anything online, it doesn't take long for that information to wind up in all sorts of strange places you couldn't possibly have imagined (the seller probably didn't see this coming, either). Over the course of a year or two....wow. As proof of this "wow", check out the below shot taken from another directory of the website we were looking at earlier:

http://blog.spywareguide.com/upload/2007/09/spbl114-thumb.jpg

....."hacked pages"? "IP Scan"? "IE Exploit"? I'd hate to be the Master of the Obvious and claim my Spidey Sense is tingling, but let's have a look at some of the items in the folders. Kicking things off with "Hacked pages", we immediately discover some cool and funky things about our targets:

http://blog.spywareguide.com/upload/2007/09/spbl4-thumb.jpg

Ah! Viva la Group Louz O MNIN Ndouz Room Pal! (Or was it "Le"? I never was fantastic with French). I guess at this point you'll be wanting to see an example of their handiwork, right? Oh, okay then. Here's a hacked page of theirs from sometime around July:

http://blog.spywareguide.com/upload/2007/09/spbl111-thumb.jpg

....yeah, that's not the most dazzling hacked page ever, is it? Kids just don't put the effort in these days. However, things are about to get a little more interesting (because one solitary page hacked does not a leet hax0r make). Let's take a look at the "IE Exploiter", because this is the unexpected gold that sends this entire investigation somewhere else entirely:

spbl10.jpg


spbl11.jpg

Running the tool creates a page of HTML and deposits it on your desktop. That HTML mentions a file called "Bl4ck". Haven't I seen that somewhere before?

Yep, right here in August 2006.

http://blog.spywareguide.com/upload/2007/09/bl4ck2-thumb.jpg

Put simply, you run the tool, generate your HTML and edit it (and your EXE as appropriate, or stick with the "Bl4ck" file, and keep the optional .WAV file too!) - the core of this attack appears to be this exploit. For those interested, the default hacked page will look like this:

http://blog.spywareguide.com/upload/2007/09/spbl24-thumb.jpg

...plain, but it gets the job done I suppose. Because you can use whatever EXE you want with this thing, there's plenty of potential for Internet badness. Here's a forum post complaining of the same exploit in October 2006 - it seems the file in that instance tries to send Spam mail. Now we can see why the guy with the Email lists would want to keep hold of a tool like that. Here's another example of a banking trojan being dropped in the same way.

But wait, we're not done yet. I recognise some of those usernames listed on the IE Exploiter tool. A few of them tied in directly with the investigations into the Q8 Army hacks from 2005/06. IM Rootkits, fake BitTorrent clients and Mr Bean videos being pushed via the BitTorrent installs (no, we never found out what the deal was with Mr Bean).

Focus on Sniper_SA, mentioned in the "Greetz" section of the program. He's responsible for the hack above featuring The Terminator (in that case, pushing the default "Bl4ck" file) but a lot more website hacks besides. Check these out:

http://blog.spywareguide.com/upload/2007/09/sahax1-thumb.jpg
http://blog.spywareguide.com/upload/2007/09/sahax2-thumb.jpg
http://blog.spywareguide.com/upload/2007/09/sahax3-thumb.jpg

A lot of digging around later, and I finally stumble across this website (note the fake MSN Chatbox window in the bottom left hand corner - top tip, never click these):

http://blog.spywareguide.com/upload/2007/09/sahax4-thumb.jpg

From there, it's only a quick jump over to Sniper's forum:

http://blog.spywareguide.com/upload/2007/09/sahax5-thumb.jpg

On the main page, there's a huge list of members - many of whom are either well known for their hacking exploits or (again) had their usernames come up repeatedly during the Q8 Army investigation. Here's a small selection:

http://blog.spywareguide.com/upload/2007/09/sahax9-thumb.jpg

....that's a pretty big collection of leet hax0rs. After wading through those for a while, I eventually came across someone posting on a number of forums who would post up hacks, cracks, virus writing techniques and more besides....the majority of the posts always giving the Email address of the IE Exploiter tool creator in his examples. It's a fairly safe bet they're one and the same person, but what really broke my brain was his avatar:

http://blog.spywareguide.com/upload/2007/09/sahax10-thumb.jpg

....Please, tell me you see it too.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Threat Researcher

About this Archive

This page is an archive of recent entries in the Adware / Spyware Issues category.
