Botnets: July 2008 Archives

Television often relies on fake codes, phone numbers and addresses to make up part of its fictional worlds. Sometimes, it can go slightly wrong - how many people tried to call Doctor Who last week?


Actually, "D'oh" is rather appropriate here. In an old episode of The Simpsons, Homer's e-mail address was revealed on screen. Of course, Simpsons fans galore with net access immediately added "Chunkylover53" to their AIM contact lists. As this article points out....

Homer's e-mail address, as seen on EABF03, was registered by writer-producer Matt Selman, who also replied to e-mails from fans testing it. "He logged in the night that the episode aired and it was immediately filled with the maximum number of responses. He's tried to answer every one of them and then as soon as he answers a hundred, a hundred more pop in," Al Jean told the New York Post in January 2003.

What's interesting here is that as far as I'm aware (and please, correct me if I'm wrong), the AIM screen-name "Chunkylover53" is not necessarily connected to the "official" e-mail address - anyone could have set up that AIM screen-name, using whatever e-mail address they feel like. However, people will naturally add "Chunkylover53" to their AIM accounts thinking it will be the "real" Homer. This is where the problems set in.

The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message....


...yes, "Homer" has seemingly returned, and he comes bearing infection files!

Of course, the "exclusive Simpsons episode" is nothing of the kind - what you actually download is a file called "Kimya.exe", about 150kb in size, and it looks like this:


Run the file, and you won't see a new Simpsons episode - you're actually more likely to see this:


....a strange error message that mentions "photos" (probably fake), followed by lots of real error messages as most of your desktop fails, leaving you with an entirely blank screen:




From this point onwards, the PC will likely need a reboot and will be sluggish until cleaned up, constantly throwing out error messages, crashing when attempting to open Windows Explorer etc.

Now, given that the infection links are being passed around via IM Away messages, there was always going to be the possibility of an Instant Messaging worm attack. However, a lot of testing has taken place and so far, we haven't seen any malicious messages or URLs sent via AIM or MSN Messenger.

That's no reason to get complacent though, because what we have seen taking place is possibly quite a bit worse. First of all, a number of hidden files are dropped onto the PC, including Rootkit technology (which the bad guys have helpfully pointed out in the code):


Worse, your PC is deposited into a Botnet of Turkish origin - here's the giveaway traffic stream via an Ethereal log:


....awaiting further instructions from the Botnet C&C center. This particular Botnet has been around since March of this year. The Turkish connection is interesting, because I haven't seen too many Turkish Botnets - and there's been quite a surge in hacking activity from Turkey recently (most notably the DNS attacks on Photobucket and ICANN by NeTDevilz).

Finally, the infection drops a number of other files onto the PC besides the Rootkit, which are seemingly related to a new variant of this Chinese infection.

It's worth noting that there may only be Instant Messaging infection links sent out if the person running the Botnet Command Center decides to issue all the drones with such a command - so while we haven't seen any IM infection activity, it would be wise not to rule it out completely. We recommend infected users keep an eye on all Instant Messaging activity until they can clean the infection from their computer, just in case.

Whoever is responsible for these messages has changed them a couple of times already - last night, the download link had been updated to look like this:


...and it currently advertises a link for a dating website:


We've reported all links related to this attack, and at least two of the files claiming to be "exclusive Simpsons episodes" are currently offline, though there's bound to be more out there. For now, this is a good reminder to be cautious when randomly adding cool things seen on TV and film to your online applications - you can't always assume the person at the other end is entirely in control, or indeed, related to what you're looking for in the first place.

We detect this infection as Kimya.

Additional Research: Chris Mannon, FSL Senior Threat Researcher
Deepak Setty, FSL Senior Threat Research Engineer

Fast Track to Botnet Central

It's true, you too can finally get into the botnet you always wanted.  Finally the ability to be a zombie computer under some loser's control is yours!

Seriously though, becoming a victim of a hacker's botnet is incredibly easy.  These attacks are not typical of other forms of destruction found on the internet.  Their true intent is usually to remain hidden from view until called upon.  In the case of FastTrackBot, however, there is a new objective.  FastTrackBot downloads several executable files that keep your computer clicking on the attacker's affiliate links.  These executable files keep the webpages open in hidden iexplore.exe windows in order to hide the application from suspicious eyes.  If you're using X-cleaner, I suggest you take a look at the Expert Tab.  The Show All Hidden Windows function is great for showing you exactly what is open at the time.

FastTrackBot phones home to several of these sites in order to keep the user's clicks flowing through affiliate links.
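As an added defensive check (this is not code from the original post or from X-cleaner), the PowerShell script below does roughly what the Show All Hidden Windows function does, narrowed to the pattern described above: iexplore.exe processes that show nothing on screen yet own titled, invisible top-level windows. The user32 calls are real Windows APIs; the class name HiddenWin and the output layout are my own choices, and the script assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: enumerate invisible top-level windows and map them to processes.
$src = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
public static class HiddenWin {
    delegate bool EnumProc(IntPtr h, IntPtr l);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumProc cb, IntPtr l);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr h);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr h, out uint pid);
    [DllImport("user32.dll", CharSet = CharSet.Auto)]
    static extern int GetWindowText(IntPtr h, StringBuilder s, int n);
    // Returns "pid<TAB>title" for every top-level window that is NOT visible
    // but still carries a title (untitled helper windows are skipped as noise).
    public static List<string> Hidden() {
        var found = new List<string>();
        EnumWindows((h, l) => {
            if (IsWindowVisible(h)) return true;
            var sb = new StringBuilder(512);
            GetWindowText(h, sb, sb.Capacity);
            if (sb.Length == 0) return true;
            uint pid; GetWindowThreadProcessId(h, out pid);
            found.Add(pid + "\t" + sb);
            return true;
        }, IntPtr.Zero);
        return found;
    }
}
'@
Add-Type -TypeDefinition $src

# Parse the "pid<TAB>title" strings into objects.
$hidden = [HiddenWin]::Hidden() | ForEach-Object {
    $procId, $title = $_ -split "`t", 2
    [pscustomobject]@{ ProcessId = [int]$procId; Title = $title }
}

# Index running processes by id, then keep only iexplore.exe instances that have
# no visible main window at all (MainWindowHandle is zero) but do own hidden ones.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
$suspect = $hidden | Where-Object {
    $p = $procs[$_.ProcessId]
    $p -and $p.ProcessName -ieq 'iexplore' -and $p.MainWindowHandle -eq [IntPtr]::Zero
}
$suspect | Select-Object ProcessId, Title | Format-Table -AutoSize
```

A legitimate Internet Explorer session normally has at least one visible window, so an iexplore.exe that only ever owns invisible titled windows is worth inspecting (the titles show which pages it is quietly loading).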

Aside from creating invisible windows to hog your bandwidth, it also attempts to install a rogue anti-spyware application.  This is a popular technique for defrauding the victim into leaking credit card information while attempting to purchase the fake product.  FastTrackBot inserts a fake security center that appears identical to the one found in Windows XP.

As you can see in the address bar, this is not the actual security center.  Clicking anywhere on this window means almost certain doom in the worst way possible...a never-ending stream of fake "YOU ARE INFECTED!!!!" alerts.

In order to kill the actual application, you have to remove it from memory first, then remove its autostart which is found in 5 different locations - or simply remove with our free Microscanner.

About this Archive

This page is an archive of entries in the Botnets category from July 2008.
