Chris Mannon: November 2007 Archives

NextDoor Worm Spreads across MSN

| | Comments (0)

There is a lot of talk out there in the Ether about worms that are spreading through MSN clients and adding unsuspecting users to their botnet. These kinds of attacks are among the most dangerous, and pose a very real security threat. It doesn't take much of an imagination to think that these attackers will DDoS attack their enemies. There are dozens of these kinds of worms floating out there however. FSL recently uncovered one we dub, NextDoor. Like the other worms of its kind, once it is on the infected PC it will attempt to contact all contacts in order to infect more users. The difference in these worms is what they do to the victim after they have been attacked. Some will simply show advertisements or a wide variety of porn; others tend to log keystrokes of the victim in order to learn very sensitive information like passwords or credit card information. NextDoor installs a dialer (called Carlson Dialer) onto the victim's PC to make long distance calls.

First you will see a suspicious looking message with a .zip attachment.

http://blog.spywareguide.com/upload/2007/11/chat-thumb.PNG
Party_jpg.zip contains www.Party_jpg_Msn.com.

Of course your involvement after this step isn't necessary. From here the worm commences with its attack.

http://blog.spywareguide.com/upload/2007/11/IRC-thumb.PNG
NextDoor creates a connection to an IRC channel and begins to pull down infected files using FTP.

Now we see what has been installed onto the victim's machine.

http://blog.spywareguide.com/upload/2007/11/cdrive-thumb.PNG
The file with the ominous looking icon is the dialer that is installed by this worm.

http://blog.spywareguide.com/upload/2007/11/windows-thumb.PNG
The actual MSN worm is stored in the Windows Directory.

http://blog.spywareguide.com/upload/2007/11/sys32-thumb.PNG
These 2 files are involved in setting up an FTP connection with the attacker.

Now that your computer is entirely infected, Carlson Dialer begins its main function.

http://blog.spywareguide.com/upload/2007/11/call-thumb.PNG
It geographically finds the victim's IP address and associates it with a country code.

This is what it would look like in a regular browser...

http://blog.spywareguide.com/upload/2007/11/dialer-thumb.PNG

To get an idea of how recently this worm was updated...

http://blog.spywareguide.com/upload/2007/11/end-thumb.PNG
The infection that FSL came across first has been around his Nov. 26 2007.

Those aren't normal .jpgs either. Those are dialers that use the JPG vulnerability.
http://blog.spywareguide.com/upload/2007/11/picture-thumb.PNG
Each .jpg file on the attacker's site uses the JPG vulnerability.

Facetime currently protects against this threat as well as the dialers it installs.

Bandjammer Trojan installs Multiple Rogue Applications

| | Comments (0)

...and thats probably an understatement. Many of you are familiar with the BandJammer Trojan that has been making its way around the media. For those who have not been following the story: here you go.

If you are one of the unlucky fans of Jetking who accidentally clicked the hijacked link to the Trojan, then you are probably having one heck of a time trying to get your PC back to normal. The BandJammer Trojan originally links to a couple of Chinese sites in order to download a file called install_cn.exe. It then installs an older version of Smitfraud through command line.

http://blog.spywareguide.com/upload/2007/11/cmd-thumb.PNG
The 1 file runs another file that installs a dated version of Smitfraud.

Users can easily note this version of Smitfraud from the following entires:

MSVPS System - {93205C3F-1221-43F4-847F-007C6A4CE9A5} - C:\WINDOWS\advrepgpd.dll
The sdrmod - {BA79EE59-166F-4E9E-90A6-56489C45B48A} - C:\WINDOWS\sdrmod.dll

The files below are also added as ShellServiceObjectDelayLoad (these files automatically start with other services):
hupsrv - {33AEF198-6E36-4C80-9DB2-7EE99DB25122} - C:\WINDOWS\hupsrv.dll
bindmod - {3C82EBC1-C4BA-44EE-B21E-ACC91F46D2E8} - C:\WINDOWS\bindmod.dll

What is the purpose of this? Well why type when I can just show a screenshot.

http://blog.spywareguide.com/upload/2007/11/lol-thumb.PNG
This confused looking website shows us all the fabulous new Rogue Antispyware applications we are about to be bombarded with.

Here are just a few of the fake alerts users will see:

http://blog.spywareguide.com/upload/2007/11/contentsurf-thumb.PNG
ConfidentSurf!

http://blog.spywareguide.com/upload/2007/11/alert-thumb.PNG
http://blog.spywareguide.com/upload/2007/11/adwareremover-thumb.PNG
http://blog.spywareguide.com/upload/2007/11/REBOOT%20now-thumb.PNG
AdwareRemover2007!

http://blog.spywareguide.com/upload/2007/11/advancedcleaner-thumb.PNG
Advancedcleaner!

Do not bother trying to close any of these. Blatant fake alerts take you to their site tor you to install/buy the application in most cases, or they will just create non-closeable ads and force you to install them.

These kinds of attacks are becoming more and more frequent. Take the article that Paperghost wrote involving Skype worm spammers for example. Rogue antispyware applications are everywhere now and they show no sign of trending down. Your best defense against these attacks is to simply mind your clicks.

About this Archive

This page is a archive of recent entries written by Chris Mannon in November 2007.

Chris Mannon: October 2007 is the previous archive.

Chris Mannon: March 2008 is the next archive.

Find recent content on the main index or look in the archives to find all content.