Christopher Boyd: June 2007 Archives

Over the weekend there was apparently an issue with the registration of Live ID accounts, which could allow nefarious characters to indulge in a spot of phishing. More here at CIO.com.

I'll be speaking on "The Internationalization of Spyware" at the upcoming ASC Conference in June. Agenda and speakers can be found here.

If you happened to open up certain profiles on Myspace these past few days, you'd have the misfortune of seeing the following appear in the middle of your screen:

http://blog.spywareguide.com/upload/2007/06/myspaceremove1-thumb.jpg
Click to Enlarge

That's a vaguely scary thing to have appear on a Myspace profile, because you just know it's going to be pressed a ridiculous amount of times. Upon downloading the file, if the user runs it, when using Internet Explorer they'll see some of the below sights:

http://blog.spywareguide.com/upload/2007/06/myspaceremove2-thumb.jpg
Click to Enlarge
http://blog.spywareguide.com/upload/2007/06/myspaceremove3-thumb.jpg
Click to Enlarge

Of course, no hijack like this would be complete without some fake Taskbar warnings, right?

myspaceremove4.jpg


myspaceremove5.jpg

If you click on either the popups or the hijacked IE banner you're taken to a site called Antispysolutions.com:

http://blog.spywareguide.com/upload/2007/06/myspaceremove6-thumb.jpg
Click to Enlarge

Time for a quick detour. Here's some coverage of one of the programs, Spy Away, from March of this year. Have a look at the fake "detection" in the detections box - note that it simply says "Sistray.exe". Apparently the application and / or site vanished for a while. Well, fast forward to the present day and if you download and run the executable, you'll see a very interesting difference:

http://blog.spywareguide.com/upload/2007/06/myspaceremove7-thumb.jpg
Click to Enlarge

...the application claims to "detect" 180 Solutions (Zango), along with a few other items. This is done by downloading some "dummy" files that the scanner then magically finds. The files themselves don't do anything as far as we can tell apart from sit there and feed the results of the scanner - of course, they aren't legitimate Zango executables. Here's a screenshot of some of the files deposited onto the PC:

http://blog.spywareguide.com/upload/2007/06/myspaceremove8-thumb.jpg
Click to Enlarge

Myspace users would do well to give these so-called security applications a miss. This particular install works best on Windows 2000 - if the user is on XP, there's a good chance nothing will happen. Thanks to LoLo for the tipoff.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

About this Archive

This page is a archive of recent entries written by Christopher Boyd in June 2007.

Christopher Boyd: May 2007 is the previous archive.

Christopher Boyd: July 2007 is the next archive.

Find recent content on the main index or look in the archives to find all content.