Christopher Boyd: August 2007 Archives

Recently, I was in Singapore to give a number of talks on spyware and adware attacks. Interestingly, a number of people in the area emailed me to let me know about something infecting their friends via MSN Messenger. As we investigated further, it did indeed seem to be based around the Singapore area (with a few mentions of it on Chinese forums, too). Here's a screenshot from a popular Singapore community forum:

http://blog.spywareguide.com/upload/2007/08/singworm4-thumb.jpg

...and here's a screenshot from a Chinese forum:

http://blog.spywareguide.com/upload/2007/08/singworm5-thumb.jpg

...note the flag of Hong Kong in the bottom left-hand corner. All the cases we've seen of this so far have been limited to the Singapore region, with a couple of individuals mentioning it on Hong Kong-centric forums. Of course, this doesn't mean there aren't other victims out there, but the spread so far seems to be quite limited.

Check out this map -

singworm8.jpg

There are many, many domains hosting the main executable (dubbed "Singworm") pushed by the instant messaging infection link, the majority of which are hosted in Hong Kong and Taiwan. Yet another file (Winsys.exe) is downloaded from a number of different servers, one of which is apparently running out of Israel.

winsysexefile.GIF

Variants of Winsys.exe have been known to be involved in various types of data theft, including login details, banking information and personal data.

The worm itself is mostly built for spamming, with elements of the Stration worm and other pieces of malware thrown in for good measure.

It starts, as it always does, with the downloading and execution of a single file - in this case, rather oddly called "I.am.exe":

http://blog.spywareguide.com/upload/2007/08/singworm1-thumb.jpg

As soon as you run the file, the system attempts to start sending spam via the collection of files already deposited on the PC. At certain points, the amount of spam the system was trying to send was so great that the test box slowed to a crawl and needed a reboot. Here are a few of the files dropped into the System32 folder:

http://blog.spywareguide.com/upload/2007/08/singworm2-thumb.jpg

At this point, if you have MSN Messenger, the inevitable infection link will appear in the chat windows of your contacts, saying "here are new smiles for MSN, they are incredible!":

http://blog.spywareguide.com/upload/2007/08/singworm6-thumb.jpg

....and of course, you'll send your infection link again.....and again.....and again.....

http://blog.spywareguide.com/upload/2007/08/singworm7-thumb.jpg

At this point, detection for most of the files involved is sketchy at best on VirusTotal.com. We've notified MSN of this threat - in the meantime, if you're in the Singapore or Hong Kong regions, be wary of any strange links coming through from your colleagues...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: CC, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, FSL Senior Threat Researcher

Time to do some last-minute checks with regard to conference details and generally hang out at one of the many local stalls...

http://blog.spywareguide.com/upload/2007/08/singpre10-thumb.jpg

http://blog.spywareguide.com/upload/2007/08/singpre11-thumb.jpg

http://blog.spywareguide.com/upload/2007/08/singpre13-thumb.jpg

http://blog.spywareguide.com/upload/2007/08/singpre14-thumb.jpg

Behind The Scenes


You know, a lot of work goes into pulling angry faces like this:

http://blog.spywareguide.com/upload/2007/08/sing6-thumb.jpg

...yeah, I know it looks like I'm about to say something sweary, but honestly I'm not. I just rage and roll, apparently.

With that in mind, here's a couple of pics from a sort of "mini-event" that doubled as a prep session for the main talks...

http://blog.spywareguide.com/upload/2007/08/singsmall2-thumb.jpg

http://blog.spywareguide.com/upload/2007/08/singsmall1-thumb.jpg

http://blog.spywareguide.com/upload/2007/08/singsmall3-thumb.jpg

Welcome to Singapore

http://blog.spywareguide.com/upload/2007/08/singpre3-thumb.jpg

A few weeks ago, I was honoured to be asked to go and speak at a number of events taking place in....well, you probably guessed from the title. For some reason, I was unable to post to Spywareguide from Singapore so you probably caught me rambling on about all sorts of random lunacy on Vitalsecurity.org instead.

Well, now I'm back and can finally post things and stuff about....things and stuff. If you see what I mean....

Yep, more fake profile Friend requests. These ones are a little more interesting than usual, though.

First of all, this thing popped into my Inbox:

camw1.jpg

It's pretty obvious that this profile screams out "fake", so off we go to take a look and....

http://blog.spywareguide.com/upload/2007/08/camw2-thumb.jpg

....we see a big banner claiming "Need cash fast use easy Paypal system" with a blog entry proclaiming "$400 to Paypal". If you click the banner, you're taken to a site called "Vid-Share.com":

http://blog.spywareguide.com/upload/2007/08/camw3-thumb.jpg

I'd love to be able to tell you what the software on this site does that will generate you so much money, but to find out you have to send ?19.99, apparently without any idea as to what you're going to purchase.

Interestingly, if you Google Vid-Share.com, the top result (sitting above a number of pages on Myspace that have had this banner posted to them) is rather strange:

http://blog.spywareguide.com/upload/2007/08/camw4-thumb.jpg

"Myspace Hacking / Welcome Welcome to myspacehacking we are the leading email account & myspace password recovery websites on the internet today."

....guess we'll go pay it a visit then.

http://blog.spywareguide.com/upload/2007/08/camw5-thumb.jpg

Apparently, you can pay between $60 and $75 to recover a lost password for a variety of email systems, and the site also offers a number of downloads of the password crack/recovery variety. Some are free, but the one listed in orange needs to be paid for - no idea what it does, though:

http://blog.spywareguide.com/upload/2007/08/camwadd-thumb.jpg

If you click around on the front page for a while, you'll see this message appear at the top of the screen (viewable in the main shot of the site above):

"<%'YOUR NOT SUPPOSED TO BE LOOKING THROUGH THIS INFORMATION IT WILL GET YOU NOWHERE!!%>"

I'm guessing this was only supposed to be viewable if you were rummaging round their HTML source, but oh well. Some more exploring on Myspace follows, and it seems a wave of spam profiles have been set up with the express intention of pimping the Vid-share URL:

http://blog.spywareguide.com/upload/2007/08/camw6-thumb.jpg

This one is extremely interesting, as (aside from the Vid-Share spam) it also has this in one of the blog entries:

http://blog.spywareguide.com/upload/2007/08/camw7-thumb.jpg

"Do you need a Myspace password

Get your passwords here Myspacerecovery.com"

Sadly, there doesn't seem to be any cached version of the (currently down) site, so there's no way to check it out and compare it against the sites already mentioned. However, we DO seem to have an overabundance of spam profiles:

http://blog.spywareguide.com/upload/2007/08/camw8-thumb.jpg

....aren't we the lucky ones?

Bored Spammers


You know, if you're a spammer then sure - you can be fancy and innovative and send your PDFs and your FDFs. But sometimes, it all gets too much. What do you do? Easy, take your foot off the gas and simply send me a URL which leads to....

http://blog.spywareguide.com/upload/2007/08/yfinance-thumb.jpg

....a page on Yahoo Finance. Guys, please - you're just not trying hard enough this week...!

Is Purityscan D.O.A?


Here's the Database entry for Purityscan.

Here's their website:

http://blog.spywareguide.com/upload/2007/08/purityscan-thumb.jpg

.....things that make you go "Hmmm".

The other day, I was unceremoniously dumped from a website I'd chosen to visit, being told to clear off because I happened to be using FireFox. Some more information has come to light courtesy of a thread here, and I can't say I'm impressed. If you happen to visit any websites running a particular set of code while using FireFox, you'll see this instead of your chosen website:

http://blog.spywareguide.com/upload/2007/08/ff_blocked_expl-thumb.jpg

The code used to do this is available in various cut and paste formats:

http://blog.spywareguide.com/upload/2007/08/ff_blocked-thumb.jpg

The reasoning boils down to revenue supposedly lost because people use ad-blocking tools in conjunction with Firefox. References are made to "demographics" stating that Firefox users represent only a "small percentage of online spending" (without citing the source of these demographics), hilariously over-the-top statements claim Mozilla is "empowering internet theft", and Firefox users with adverts blocked are effectively accused both of infringing copyright ("to the letter of the law") and of being common thieves ("Accessing the content while blocking the ads, therefore would be no less than stealing").

That's a little strong, isn't it? The site I was booted from was running ads that needed to be clicked to generate revenue; simply viewing them wasn't enough to make money. That being the case, how am I "stealing" from a site when they're presuming I'm going to want to click their advert to make them their money in the first place? Sure, if there's no advert there at all due to a blocker then nothing is going to be clicked anyway. But the reasoning behind this pushes a line of ADVERT ON SITE = INSTANT MONEY, which just isn't the case.

Yes, we have a right to say what we do and don't want on our PC. And yes, the guy behind this idea does have a right to block you from his website if you don't want to see his adverts.

But wow, it's still stupid and decreasing your web traffic for the sake of a few clicks on random adverts. This says to me that the only thing on the site the creator thinks is worthwhile are the adverts themselves. If they'd rather keep you away from their actual content to keep their precious adverts intact, what does that say about the worth of the material on their homepage in any case?

You're probably better off without them.

Mind you, this does have obvious bad-guy potential. How long will it be before we see someone create a bunch of exploit sites, slap the "no Firefox" code on them and instruct you to come back with a browser they know they can hijack using exploit x, y or z?

....to "read the fine print". So it was sort of humorous to see this - nothing to do with Adware, but a good metaphor for all the double-talking, nonsensical EULAs I've had to endure over the years.

It's always good when someone gets busted for online stupidity. Click here and feel good about things for a random amount of time.

I just saw this in the Database and had an overwhelming urge to run it.

http://blog.spywareguide.com/upload/2007/08/crm2-thumb.jpg

crm3.jpg

http://blog.spywareguide.com/upload/2007/08/crm4-thumb.jpg

http://blog.spywareguide.com/upload/2007/08/crm5-thumb.jpg


...the lesson to be learned here is that if I'm ever in need of a date, this thing will fix me up. I think.

I think this EMail has some identity issues it needs to resolve. The top of the mail is designed to look like it's from EBay:

http://blog.spywareguide.com/upload/2007/08/ebaymailscam1-thumb.jpg

....though the pills (instead of TVs and MP3 Players) sort of give it away.

However, scroll down and just under the plethora of pills, we have...

http://blog.spywareguide.com/upload/2007/08/ebaymailscam2-thumb.jpg

.....a collection of entirely genuine links to EBay, which will teach you all about "protecting yourself from spoof (fake) EMails".

There's humour in there somewhere.

I recently had an interview with SiliconValley.com - here's the full piece, which focuses on the ever present danger from social networking and the new phenomenon of 419 Scammers targeting property websites.

It seems like EMail spammers have tried every attachment under the sun lately, but here's something I got this morning - an .FDF file bundled in with Spam mail:

http://blog.spywareguide.com/upload/2007/08/fdf_spam-thumb.jpg

An .FDF (Forms Data Format) file is a text-based format, written in PDF object syntax, that carries the data entered into the form fields of a PDF. FDF files are usually much smaller than the PDF itself because they contain only the field names and values, not the form. The content in this attachment was just the usual garbage relating to the "latest hot stock picks".

Nice.
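As an added example (my code, not anything from the original post), here is a small Python triage script that pulls the field names and values out of an FDF attachment without opening it in a PDF reader, which is all you need to see what a spam FDF actually says. The sample FDF is constructed here to stand in for the stock-spam attachment described above, and the helper names are mine. It handles the two ways a value can be written in the format: a literal string in parentheses (with backslash escapes) and a hex string in angle brackets.

```python
"""Triage an FDF (Forms Data Format) attachment by listing its form fields.

FDF reuses PDF object syntax: the payload sits under /FDF /Fields as a list
of dictionaries, each with /T (field name) and /V (field value).  Spam sent
as an FDF attachment is just text in those /V entries, so extracting them is
enough to read the message without opening the file in a PDF reader.
"""
import re

# A PDF string token: either a literal "(...)" with backslash escapes, or a
# hex string "<...>".  Unescaped nested parentheses are not handled (see note).
_STR = rb"\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>"
FIELD_RE = re.compile(rb"/T\s*(" + _STR + rb")\s*/V\s*(" + _STR + rb")", re.DOTALL)

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}

# Constructed sample standing in for the stock-spam attachment described in
# the post; not the real file.  The third field uses a hex string on purpose.
SAMPLE_FDF = b"""%FDF-1.2
1 0 obj
<< /FDF << /Fields [
  << /T (subject) /V (Hot stock pick of the week!) >>
  << /T (body) /V (Ticker XYZ is set to explode \\(buy now\\)) >>
  << /T (note) /V <48657820656E636F646564> >>
] >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""


def is_fdf(data: bytes) -> bool:
    """True if the blob carries the FDF header (a PDF starts with %PDF- instead)."""
    return data.lstrip().startswith(b"%FDF-")


def decode_pdf_string(token: bytes) -> str:
    """Decode one PDF string token (literal or hex); Latin-1 keeps every byte."""
    if token.startswith(b"<"):
        digits = re.sub(rb"\s", b"", token[1:-1])
        if len(digits) % 2:          # an odd final digit is read as if followed by 0
            digits += b"0"
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")

    body = token[1:-1]               # strip the surrounding parentheses
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        i += 1
        nxt = body[i:i + 1]
        if not nxt:                  # trailing lone backslash: ignore it
            break
        if nxt in _ESCAPES:
            out += _ESCAPES[nxt]
            i += 1
        elif nxt in b"01234567":     # \ddd octal escape, up to three digits
            m = re.match(rb"[0-7]{1,3}", body[i:])
            out.append(int(m.group(), 8) & 0xFF)
            i += len(m.group())
        elif nxt in (b"\r", b"\n"):  # backslash-newline is a line continuation
            i += 1
            if nxt == b"\r" and body[i:i + 1] == b"\n":
                i += 1
        else:                        # unknown escape: the spec says drop the backslash
            out += nxt
            i += 1
    return out.decode("latin-1")


def extract_fields(data: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs for every /T ... /V field found in the FDF."""
    return [(decode_pdf_string(t), decode_pdf_string(v))
            for t, v in FIELD_RE.findall(data)]


if __name__ == "__main__":
    if is_fdf(SAMPLE_FDF):
        for name, value in extract_fields(SAMPLE_FDF):
            print(f"{name}: {value}")
```

The regex approach is deliberately lightweight: it is fine for the flat, single-object FDFs that spam tools emit, but a literal string containing an unescaped nested parenthesis, or fields spread across indirect objects, will not be picked up. For anything that looks more elaborate than that, hand the file to a proper PDF parser rather than extending the pattern.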

About this Archive

This page is an archive of recent entries written by Christopher Boyd in August 2007.
