Christopher Boyd: October 2007 Archives

The last few days, we've noticed a number of Myspace profiles hacked. Nothing unusual there, you might think - however, this approach is somewhat different.

Why?

Because the attackers only seem to be hacking the pages of various rock bands, overlaying them with a huge "background image" that covers a sizable chunk of the page then either tries to redirect you to fake Media Codec installs, or (as far as we can tell from the messages being posted on some Myspace Bulletins) Phishes your Myspace login details. Check this out:

http://blog.spywareguide.com/upload/2007/10/myphish1-thumb.jpg
Click to Enlarge

It's a page for a band called "A New Dawn" - notice at the bottom of the screen, there's a .cn URL - that's where all the action takes place. From there, the attack seems to rotate between exploits, fake Media Codec installs and apparent phish attempts. Shall we look at the code?

myphish2.jpg

Note the "background image" is a URL. This isn't the only band to have been hit by this:

myphish3.jpg

...and, if we look at some of the comments left on their pages, it's obvious that the attackers aren't too concerned who notices it:

http://blog.spywareguide.com/upload/2007/10/myphish4-thumb.jpg
Click to Enlarge
http://blog.spywareguide.com/upload/2007/10/myphish5-thumb.jpg
Click to Enlarge

If you check out the steps made in a typical hijack, this is what happens on your PC:

5point5.jpg

If you check the source code for the final step of this particular journey, you'll see this:

myphish7.jpg

..from this "movie site" comes - you've guessed it - a fake codec installer:

http://blog.spywareguide.com/upload/2007/10/myphish8-thumb.jpg
Click to Enlarge

Install this, and you're only a few moments away from "security toolbars":

http://blog.spywareguide.com/upload/2007/10/myphish10-thumb.jpg
Click to Enlarge

....desktop wallpaper hijacks, rogue security applications giving dire warnings of infection and who know what else. More alarmingly, there have been a few people on Myspace claiming that their accounts have been "phished" after clicking into one of these hacked pages - indeed, there are already a number of bulletins floating around regarding this issue:

http://blog.spywareguide.com/upload/2007/10/myphish11-thumb.jpg
Click to Enlarge

...so there we have it. Targeting nothing but Myspace band profiles is an interesting tactic - hack one of the more popular bands, and a steady stream of potential victims will be winging their way to your hijack of choice. As the overlay covers most of the page, it doesn't leave the end-user with much margin for error. For what it's worth, we detect this as BandJammer.

Rock and roll - it'll be the death of you....

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

Normally a piece of spam on Myspace all depends on it pretending to look like something other than what it is. Right? That's just common sense. So I can't tell if the rash of similar spam hits I've had in the last few days is the spammer being honest or just plain bored.

http://blog.spywareguide.com/upload/2007/10/staci_spam-thumb.jpg
Click to Enlarge

Do you think the following website is all sweetness and light?

http://blog.spywareguide.com/upload/2007/10/yhgames0-thumb.jpg
Click to Enlarge

.....well, now that you mention it....

http://blog.spywareguide.com/upload/2007/10/yhgames00-thumb.jpg
Click to Enlarge

....whoops. Still, it's worth noting that, as with so many of these infection files, you DO sometimes get a few chances to redeem yourself before everything goes pear shaped:

http://blog.spywareguide.com/upload/2007/10/yhgames000-thumb.jpg
Click to Enlarge

Mind you, this would be a pretty boring blog entry if we did the sensible thing and failed to run the executable, right? Run it, run it, I hear you cry.

Well, okay then, just for you I'll run it...this is what ends up in your System32 Folder:

yhgames0000.jpg

One of the files made reference to IFRAMES inside the code - never a good sign:

yhgames00000.jpg

The page mentioned wasn't available during testing, so it could have been trying to load pretty much anything at all, from dubious advert to rogue executable. Who knows. What we do know, is that when everything is done and dusted, you're left with references to Browser Helper Objects:

yhgames0000000.jpg

...Winsock Layer hijacks...

yhgames00000000.jpg

...and a rogue service:

yhgames000000000.jpg

....that's a lot of hoop jumping to monitor what websites you're visiting, but oh well.

YHGames - no fun, no games.

.....well, not just DRM, but a lot of issues currently surrounding the music industry in general, too. Presenting - A Brief History of Rock and Roll Suicide.

Presenting IKatzu, the browser helper object that supposedly pops adverts but doesn't actually seem to do anything. Not at the moment, anyway - but that doesn't mean we can't investigate. Shall we dig around behind the scenes and see where this comes from? Let's kick things off by looking at some of the files that get dumped into your System32 folder when the initial executable is activated by the user:

ikatzu6.jpg

The purpose of this bundle of joy is to show you adverts - as you might have expected. However, what's far more interesting than the actual application is the tangled web behind the software. A quick Google for the program seems to hint at a page promising terms and conditions, from a site called Artella.biz. However, at present the "page is not available". Thanks to good old Google cache, I was able to retrieve the T&Cs - because I'm sure Artella don't want those going missing, right? - and ran them through the Eula Analyzer. A brief look at the page made my grind teeth and probably clench a few fists, because it is so reminiscent of the "Olde Worlde" Adware bundle license agreements from 2005 / 06, where six hundred odd applications are listed along with links to other website EULAs, many of which would lead you to 404 errors or worse. I was hoping this kind of license had gone out with the Ark, but apparently not. In this case, things aren't much better - for the sake of an application that's supposed to show you some adverts, on a regular 17 Inch monitor (at least, I think that's what I'm using, don't blame me if I'm wrong), the whole thing took SEVENTEEN PAGES OF INDIVIDUAL TEXT to scroll through.

That's a lot of text.

There are also a few links off site to other pages of information, and references to companies that might be included "if applicable". All in all, not the best start. However, it gets worse - the entire EULA can be read here, and these are the results:

Number of characters: 55671
Number of words: 9399
Number of sentences: 357
Average words per sentence: 26.33
Flesch Score: 23.5
Flesch Grade: 17 : Beyond Twelfth Grade reading level
Automated Readability Index: 20 : Beyond Twelfth Grade reading level
Coleman-Liau Index: 21 : Beyond Twelfth Grade reading level
Gunning-Fog Index: 42 : Beyond Twelfth Grade reading level

...that's a pretty crazy EULA someone expects you to wade through. 9,399 words? 300+ sentences? All to see some ads? No thanks.

There's a fair amount of talk regarding removal of the advertising software in conjunction with something called "Upads.biz", so off we go to have a look:

http://blog.spywareguide.com/upload/2007/10/ikatzu1-thumb.jpg
Click to Enlarge

...is it just me, or does the picture of the laughing dude creep you out too? Ick. Anyway, a Whois search is predictably fruitless:

http://blog.spywareguide.com/upload/2007/10/ikatzu2-thumb.jpg
Click to Enlarge

Any and all useful information is hidden by "Moniker Privacy Services". That seems to be true for most (if not all) sites involved in this distribution network. We're left with Artella, so let's go check them out:

http://blog.spywareguide.com/upload/2007/10/ikatzu3-thumb.jpg
Click to Enlarge

The interesting thing here is that although this site also has its contact details hidden via Moniker Privacy Services, they sort of made that pointless by placing an address on the front page of their website - 48 Bella Vista, Edificio No. 27, Local No. 2, Ciudad de Panama, Rep. De Panama.

Bit weird?

Anyway, we finally have an address so we're vaguely better off than we were previously. However - things are about to get even weirder. Let's take a quick jump over to their Uninstall Page where they come down hard on anyone wanting to remove their application from a PC:

http://blog.spywareguide.com/upload/2007/10/ikatzu4-thumb.jpg
Click to Enlarge

"Please be aware that many so called "ad ware removers" and "spy ware removers" can cause damage to your computer and may alter your computer in such a way that our automated removal application will not function. At the present time, there is no third party software which is capable of removing Artella applications. If you have purchased an application which claims to remove Artella, we encourage you to contact your credit card company and request an immediate reversal with the reason of "Product Not As Described" and/or contact the Better Business Bureau."

.....ouch! And "no third party which is capable of removing Artella applications"? I guess this was just a dream, then. I went and tried their Uninstaller:

ikatzu88.jpg

Imagine my dismay, then, when after hitting the YOU REMOVE NOW button the entry from Add / Remove programs just....vanished. No confirmation, no box appearing to say job well done....nothing. The entry from "Manage Add Ons" in IE had vanished, and a few files had disappeared from the System32 Folder, but that was about it - a bunch of files were still sitting there with no real indication that anything much had changed.

So I restarted my machine, hoping to see a lean, clean machine - but, lo and behold....

ikatzu9.jpg

...the same files, still sitting there! Are they active? Are they dead? And aren't I supposed to report those pesky removal tools to the Better Business Bureau? Who knows, is what the response of the average (and probably not so average) Internet user is going to be. Even better, running quick HijackThis scan shows the following:

ikatzu200.jpg

...ads_cpd.exe is still listed as a service! (It's still sitting in the System32 Folder, too). Considering they spent so much time complaining about third party removal tools, you'd have thought they'd have done a better job of it with their own uninstaller but oh well.

We're not done yet with this page, either. Remember "48 Bella Vista", listed as their "main headquarters" on the frontpage of their website? Well on the Uninstall Page, their "main headquarters" are listed as "Avenida Winston Churchill, Edificio Vista Del Mar, No. 43 Ciudad de Panam?, Rep. De Panam?."

....is it just me, or do they have two different main headquarters?

Let's finish this one off with a familiar face - going back to the huge EULA page, who should be listed but....

http://blog.spywareguide.com/upload/2007/10/ikatzu500-thumb.jpg
Click to Enlarge

...Mirar! Yep, just when you thought things couldn't get any more convoluted, along comes yet another element into an already crowded and confusing mix.

....what was I writing about again? Oh yeah, IKatzu. Sorry. Given the seemingly endless EULA pages, the amount of secrecy with regards who a lot of these associated sited are registered to, the multiple "main headquarters" addresses, T&C pages that seemingly no longer exist and an uninstaller that doesn't really instill faith into the end-user, I don't recommend installing this application.

......be honest, did you think I was going to say anything else?

Q Nyx - Popup Heaven

| | Comments (0)

Here's an interesting one from China.."Q Nyx". No idea what that means, but it isn't good if you get it on your PC. Your computer won't go into meltdown or anything, but you will see a lot of popups. It's a fairly standard hijack, with a whole bunch of files dumped into your System32 Folder:

http://blog.spywareguide.com/upload/2007/10/qnyx3-thumb.jpg
Click to Enlarge

From there, generic popups windows and slightly porntacular images are the order of the day:

http://blog.spywareguide.com/upload/2007/10/qnyx4-thumb.jpg
Click to Enlarge
http://blog.spywareguide.com/upload/2007/10/qnyx5-thumb.jpg
Click to Enlarge

A number of security programs are mentioned in the code of one of the executables, which would seem to indicate it's going to try and tamper with them:

qnyx1.jpg

....never a good thing, really, is it?

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher

My colleague Chris Mannon recently came across a file that contains all sorts of Botnet fun and games, along with a fair amount of spam related action into the bargain....and final tie-in to a familiar face. Shall we take a look?

Of course.

I always like to get a look at the file sitting all harmless and stuff on the desktop - don't you? I hope so, because here it is:

dsdata1.jpg

It should come as no surprise that both files are "in use" by another application and you can't delete them via normal methods.

...yeah, it's not doing much yet but it does get more interesting. If the end user is duped into running the executable, it vanishes and deposits two files into the System32 Directory:

dsdata2.jpg

That's not all - I mentioned Spam, right? Well, while running, it has the ability to manipulate mail in Outlook (spam, spam, spam, spam) and specifically looks for Opera Mail usernames and passwords.

Can you guess what kind of Spam it sends?

dsdata4.jpg

....yep, it's related to our "good friend" The Storm Worm, because "Get Krackin" is the latest scam to come out of the Storm Stable.

We detect this bundle of joy as DSData.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher

Skype were good enough to notify us about something they recently came across, and the results are pretty interesting. To kick things off, here's a victim complaining about the infection on the Skype forum.

....read that? Okay, cool. Then let's begin:

skypedef1.jpg

As you might have guessed, that's the executable sitting on your desktop. Run it, and you'll see the following:

skypedef3.jpg

...oooh, the promise of plug-in excitement! However, what you see next should give the game away. Note the amazingly out of place login button on the fake Skype application:

http://blog.spywareguide.com/upload/2007/10/skyepdef4-thumb.jpg
Click to Enlarge

If you enter your login details, you'll be handed a "Your details aren't valid" message:

http://blog.spywareguide.com/upload/2007/10/skypedef2-thumb.jpg
Click to Enlarge

....at which point, your login credentials have been sent back to base. We detect this as Skype Defender - do yourself a favour, and ONLY download applications related to Skype from the official Skype website.

It's worth remembering that it's not just social networking sites like Myspace that get all the hacker-style attention. Recently Friendster has had its fair share of wobbles, too.

From about July to August of this year, a virus was doing the rounds called "Saviour of the Seoul", which (at first glance) would likely seem to be a calling card for Korean hackers. Now, because I happened to do my University Dissertation on 20th Century Hong Kong Cinema - don't ask - I can add a little bit more to the thinking behind this, because I know that "Saviour of the Seoul" is a sly reference to a particularly crazy film from the early 90s resurgence of HK Cinema, called - obviously enough - "Saviour of the Soul" (minus the "e"). It makes no sense whatsoever, but it's very pretty. Anyway, for no good reason, our leet hax friends decided to name their virus after this film. If you had this appearing in your profile page code:

savioursoul.jpg

...then you'd have the words "Saviour of the Seoul" sitting in the bottom corner of your profile, quite often while the rest of the page remained blank. The only way to fix your profile at that point would be to scrub everything and start all over again.

There also seemed to be a slightly different version of this attack, where you'd have an image file placed on your profile instead:

savsoul1.jpg

...don't those Smileys look grumpy?

Anyway, over here, we have an apparent redirect to a .za domain. And finally, we have a rash of comments being posted to profiles that seems to say "hello", seemingly mixed in with some choice insults. To date, this final profile attack is still ongoing - we're looking into it, and will report back with any new findings...

Crazy Discussion

| | Comments (0)

I'm not a fan of double-posting material both here and on Vitalsecurity.org, but I did think it worth giving a repeat mention to the fact that there's all sorts of action going on in the comments section of this blog post on the Sunbelt Blog. Well worth a read.

I've been offline most of last week due to my testbox pretty much exploding, and am currently stuck with using dialup to get online.

And what a horrendous experience it is. It's sort of strange to think we were all stuck using this not so long ago, and it's easy to forget how infuriating a PC hijack would be if still on dialup. I've tested pretty much every kind of PC hijack imaginable, and even in the worst case on broadband, I was still able to browse the Net. Sure, the browser itself would usually take about five minutes to open up due to all the garbage installed, but once running, you could view web pages in a fairly functional fashion (well, apart from the occasional redirect to a gambling website or whatever).

Hand someone the same situation while on dialup, however, and I don't think they'd have much of a choice but to clean up. A few browser redirects and maybe an additional popunder browser / window while using broadband isn't generally going to make much of a difference to a DSL user, but apply the same scenario to someone on a dialup modem (where every last kb counts) and you're not going to get very far.

Now, I do know people who have all sorts of junk on their computer, but don't bother to get their PCs cleaned out because, in their own words, "I can still get online" thanks to their broadband.

Maybe we should stick them back on dialup for a week....

About this Archive

This page is a archive of recent entries written by Christopher Boyd in October 2007.

Christopher Boyd: September 2007 is the previous archive.

Christopher Boyd: November 2007 is the next archive.

Find recent content on the main index or look in the archives to find all content.