Adware / Spyware Issues: May 2007 Archives

Background: In recent months, there have been a number of so-called "Skype Worms" spread in much the same way as an Instant Messaging infection: the user is sent a malicious link, clicks it and becomes infected, assuming they run the executable file waiting for them. Here's one - here's another.

Yesterday, I discovered what appears to be a new collection of "Skype Worm" infection binaries in circulation - it uses the tried and tested methods employed by similar infections over the past few months, with the ultimate payload being the Stration Worm. Aside from that, there's another little surprise waiting but we'll get to that shortly...


...the above is a .pif file, pretending to be "photos". Yes, there are many people who will fall for this. If you were sent there via a malicious link in your Skype client (from an infected friend, say) and then decided to run the file, you'll shortly have numerous files clogging up both your System32 and your Windows folders.

At this point, you may be notified by the Skype client that something is not quite right:

Allow the file to "access Skype", and your contacts will see the below:

...with the infection message leading to more rogue files. Remember the "little surprise" I mentioned earlier? Well, it looks like the makers of this bundle wanted to hedge their bets, so with that in mind, one of the files deposited onto the target PC checks to see if a number of different Instant Messaging programs are installed. After a little while testing some of the applications mentioned, we eventually saw the below pop up on a test machine, courtesy of one of the additional files downloaded to the PC:


...and here it is sending an infection message via MSN Messenger:


The infection checks the registry for evidence of programs like AIM, Trillian, Yahoo Messenger, Miranda and (of course) ICQ - however, so far we've only seen it fire a message to an ICQ and an MSN Messenger client. The main target appears to be Skype as the delivery mechanism for the messages sent, but the potential for the infection to leap across various networks is obviously there. The domains the files are hosted on have been flagged for spam-related practices (Viagra pills, mostly), and the whole operation is very similar to previous outbreaks of these Skype worms. In all likelihood, it's the same people behind this wave of attacks, too.
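The lure in this bundle is a program named to look like a set of photos, and the same naming trick (a bait word or a borrowed document extension in front of a runnable one) turns up across the IM worms mentioned above. The following Python check is an added example for triaging received file names on the defender's side; it is not code from the original post or its authors. The extension lists, the bait words and the sample names are my own assumptions and constructed input, not recovered from any of the worms described.

```python
import re

# File types Windows runs as programs when double-clicked. The Skype lure above
# used .pif (a DOS program shortcut); the rest are the usual stand-ins (assumed list).
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Extensions a lure borrows so the name reads as a harmless document or picture.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".zip", ".txt", ".doc", ".pdf"}

# Bait words of the "photos" variety; an assumed list, not taken from the samples.
BAIT_WORDS = ("photo", "pic", "image", "album", "video", "movie")


def assess_filename(filename):
    """Return the reasons a file name looks like a disguised program ([] if none)."""
    # Work on the base name only, whatever path separator the client showed.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    reasons = []
    # A run of spaces before the last extension pushes it out of view in narrow UI columns.
    if re.search(r" {3,}\.\w+$", name):
        reasons.append("padding spaces hide the real extension")
    parts = [p.strip() for p in name.strip().split(".")]
    exts = ["." + p for p in parts[1:]]
    final = exts[-1] if exts else ""
    if final not in EXECUTABLE_EXTENSIONS:
        return reasons  # not runnable by double-click; nothing more to say
    if any(ext in DECOY_EXTENSIONS for ext in exts[:-1]):
        reasons.append(f"double extension: reads as {exts[-2]} but runs as {final}")
    if any(bait in parts[0] for bait in BAIT_WORDS):
        reasons.append(f"bait word in name with runnable extension {final}")
    if final == ".pif":
        reasons.append(".pif is a DOS program shortcut; almost never a legitimate share")
    return reasons


def triage(filenames):
    """Map each suspicious name to its reasons; clean names are left out."""
    return {n: r for n in filenames if (r := assess_filename(n))}


# Constructed sample of names a user might be sent; not taken from the write-up.
SAMPLE_NAMES = [
    "photos.pif",
    "holiday.jpg.exe",
    "report.pdf",
    "setup.exe",
    "me.jpg                 .scr",
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(name, "->", "; ".join(reasons))
```

The check is deliberately name-based so it can run on chat logs or download lists without touching the file; it says nothing about a plain `setup.exe`, which is the point: the signal here is the mismatch between what the name promises and what Windows will do with it.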

As always, be careful what you click on...

Write up, Research: Chris Boyd, Director of Malware Research
Research: Ramesh Kumarasamy, Threat Research Engineer

Two excellent articles you really should read:

"Scammers gaming YouTube ratings for profit"

You'll never look at a can of Irn-Bru in the same way again...

"Spyware hunter probes larger market flaws"

A nice insight into the world of Ben Edelman (check out the pictures to see his triple-monitor-of-doom!)

You might have seen a recent flurry of USB Worms in the news - well, one of our researchers found what appears to be a variant targeting (as you might have guessed from the title) Firefox, Orkut and YouTube.

How does this happen? For starters, if you have the infection file on your computer (before activation) it'll probably look something like this:


Not too bad yet, right? Well, if you're unfortunate enough to double-click the thing and run it (of course, in a non-testing environment this would spread automatically via USB shares), your day will take a turn for the worse. Attempt to use Firefox, and you'll see this (along with an MP3 of someone laughing at you playing in the background):

"Use Internet Explorer you dope - I don't hate Mozilla but use IE or else"

At this point, you can't use the browser and it closes automatically on you.

Jumping over to IE, if you attempt to get to the Orkut website....


The "fun" doesn't end here, however - because whoever made this apparently isn't too keen on you visiting the YouTube website either:

Of course, the people behind the infection files can deny an infected user access to whatever sites they feel like - in that sense, it's not that different from putting a website into your HOSTS file. For whatever reason, this individual felt the need to vent their spleen at YouTube and Orkut and blocked them via the infection file. Needless to say, this spreads the same way the first wave of USB infections did (an Autorun.inf file):
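Both mechanisms in the paragraph above, the site blocking that works like a HOSTS-file entry and the spread via an Autorun.inf, leave plain-text artefacts that an analyst can triage from a mounted drive or an image without running anything. The Python script below is an added example, not code from the post or its authors; the `inspect_autorun` and `audit_hosts` functions, the watched-domain list and both sample files are assumptions I constructed for illustration rather than files recovered from this worm.

```python
import configparser
import ipaddress
import re

# autorun.inf keys that make Windows launch something when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Sites the USB worm above locked out; an assumed watch list, extend as needed.
WATCHED_DOMAINS = ("orkut.com", "youtube.com", "mozilla.com", "mozilla.org")


def inspect_autorun(text):
    """Parse an autorun.inf and report what it launches and why it looks like a lure."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError:
        parser.read_string("[autorun]\n" + text)  # tolerate a file with no header
    launches, flags = [], []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):  # keys come back lowercased
            if key in LAUNCH_KEYS:
                launches.append((key, value))
                if re.search(r"\.(exe|pif|scr|com|bat|cmd|vbs)\b", value, re.IGNORECASE):
                    flags.append(f"{key} runs a program: {value}")
            elif key == "action" and "folder" in value.lower():
                flags.append(f"action text mimics Explorer's own prompt: {value!r}")
            elif key == "icon" and "shell32.dll" in value.lower():
                flags.append("icon taken from shell32.dll so the drive looks like a system folder")
    return {"launches": launches, "flags": flags}


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """List (host, ip, verdict) for every HOSTS entry that touches a watched domain."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an entry
        for host in fields[1:]:
            host = host.lower()
            if any(host == d or host.endswith("." + d) for d in watched):
                # Loopback or 0.0.0.0 silently blocks; anything else sends the user elsewhere.
                verdict = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
                findings.append((host, fields[0], verdict))
    return findings


# Constructed samples in the style of what the post describes; not recovered files.
AUTORUN_SAMPLE = r"""[autorun]
open=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
UseAutoPlay=1
"""

HOSTS_SAMPLE = """# constructed HOSTS file
127.0.0.1 localhost
127.0.0.1 www.orkut.com orkut.com
0.0.0.0   www.youtube.com
0.0.0.0   youtube.com
203.0.113.7 www.mozilla.com   # redirect rather than block
"""

if __name__ == "__main__":
    report = inspect_autorun(AUTORUN_SAMPLE)
    print("autorun launches:", report["launches"])
    for flag in report["flags"]:
        print("  !", flag)
    for host, ip, verdict in audit_hosts(HOSTS_SAMPLE):
        print(f"hosts: {host} -> {ip} ({verdict})")
```

Run it over the real `autorun.inf` on a suspect drive and the `hosts` file from the affected machine (both are ordinary text, so copying them off the box is enough). The distinction between "blocked" and "redirected" matters in practice: a loopback entry, as in this worm, only denies access, whereas an entry pointing at a routable address has turned the HOSTS file into a phishing redirect.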

Finally, it's worth noting that some of these files are designed so that the .EXE looks like a folder on your desktop:


You'd be surprised how many people fall for that. I've also written about this elsewhere, and if you'd like to see the hijack in action (and hear the wonderful laughter that plays when you try to use Firefox, Orkut or YouTube) then click here.

Write up: Christopher Boyd, Director of Malware Research
Research and Discovery: Manoj V, Malware Threat Researcher

We recently came across two Chinese hijacks (one weighing in at around 30MB, the other at 15MB) that can completely destroy your PC. The files that arrive seem to be a little bit random, but a good number of them have the potential to send your CPU usage through the roof and keep it there until your PC keels over. With a whole bunch of them installing at the same time, blue screens and repeated crashes are the order of the day. I briefly mentioned this thing here - well, consider this write-up a sample of the kind of thing you can expect if you're unfortunate enough to be hit by it. It goes without saying that there's spyware, adware, malware, rootkits and pretty much everything else you can think of in this payload - in fact, feast your eyes on a sample of some of the files installed:

I'm sure you'll agree, that's one seriously big pile of stuff.

Normally, I'd walk you through an install step-by-step, but in this case there's not much point. When the install starts, your desktop pretty much freezes and the only way to see what's on there is to reboot, hope it doesn't crash and start digging (with the CPU at 100% all the way, of course). Doesn't sound pleasant, and it most certainly isn't. With that in mind, here's a more-random-than-usual selection of screenshots from both hijacks...

This isn't going to be good, is it? Here's another random error from the pile:


There were quite a lot of errors generated, as it turned out. When I wasn't looking at error screens, I was beaten down with prompts to install all kinds of things. The below installer prompt wants to install a Toolbar onto the computer:

...and for completeness, here's the inevitable shot of the Toolbar:


I'm guessing you want to see a shot of the Task Manager at this point, yes?

You can see the PC is already at 100% CPU usage, and half the things on there are already "not responding".

You can see a nice selection of browser windows open here, stuffed with rotating adverts (both Firefox and Internet Explorer).


Nope, I have absolutely no idea what I'm being asked either.

Most of the files don't produce any visuals - only a few pop adverts, the rest run silently and kill your machine. However, the other hijack installer (the one that eventually sucks down roughly 15MB of files) was calling a lot of the same stuff and popping the same adverts. For starters, that Toolbar appeared in both bundles. Well, we ran that one (thinking a game of compare and contrast would be fun) and sure enough...

More popups! More silent files that flood your Task Manager and kill off your PC!

The above is an installer prompt for a program we've covered before. Don't worry, you'll see what it is in the next screenshot...

Here, you can see something called "Disk Free" - I'd like to tell you if it's any good or not, screens etc. Note the bottom right hand corner - that's our old pal Coopen, the desktop-picture changing marvel (come on, you don't think I selected that picture myself, do you?)

While we're on the subject of old friends, remember the CNNIC? Sure you do. I didn't know they had some kind of Messenger program, though:


I found that image along with a bunch of files, though the Messenger itself didn't appear to want to work. Shame.

As I've already mentioned, this second install is a little lighter on the CPU than the first, so it was possible to follow most of the install in one go. Imagine my surprise, then, when the following made itself known...

Kubao is some sort of IM / P2P Messaging system, and (as far as I can tell) works a little like Skype...

You wouldn't believe how long it took me to create an account and log into the thing, but there's a screenshot of it in action anyway.

...oh, and here's some weirdo Anime RPG game apparently populated with volleyball players or something.

As you may have noticed, neither of these hijacks is something you'd want to have on your computer. There seems to be a vague hint of moneymaking involved, but whoever put these things together wasn't thinking straight when they decided how many individual files to install onto the PC. There's an art to concocting a hijack that doesn't kill the PC, and these guys were presumably absent from Hijacker School that day. In terms of the bandwidth used to perform these installs, the particularly brutal way your PC is taken over and the complete disregard for whether or not the thing actually functions properly afterwards, I'd have to rate these as two of the worst computer beatdowns I've yet encountered.

The "brave new world" of Chinese Malware hijacks is truly upon us. I'm just not quite sure we're ready for it...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: FSL Threat Research Team, WV


About this Archive

This page is an archive of entries in the Adware / Spyware Issues category from May 2007.
