Christopher Boyd: January 2008 Archives

Every now and again, I see something interesting pop up on Myspace and decide to take a closer look - as you might have guessed, this is one of those occasions. There I was, trawling through some Myspace groups when I happened to see this....

emlspm00.jpg

Check out the site from 2006 courtesy of Internet Archive - it's fair to say these guys could do with a few pointers on interior decor:

http://blog.spywareguide.com/upload/2008/01/emlspm000-thumb.jpg

...if someone asked a toy company to design a hacking site, that might be what they come up with. I guess they realised this too, because if you go there now...

http://blog.spywareguide.com/upload/2008/01/emlspm0000-thumb.jpg

Ooh, scary! Shall we take a look around their "Hackyard"? As you might have guessed, there's not a lot here that would fall under the banner of "ethical hacking", despite their claims on the frontpage. Inside are a collection of (frankly awful) forums, news articles and some other bits and pieces that fail to attract any attention. However...

emlspm101.jpg

"MSN / Hotmail hacking page"? Nice. Click the link, and you're given a number of options to choose from:

http://blog.spywareguide.com/upload/2008/01/emlspm0-thumb.jpg

Hotmail, Yahoo, Myspace, Orkut, hi5 and Facebook are all listed. Select your chosen target, and you'll be presented with a custom-built drop down menu:

emlspm10.jpg

Select the "E-Card" of your choice, enter the Email address of your victim, then hit generate - you'll be presented with auto-generated text for your Email:

http://blog.spywareguide.com/upload/2008/01/emlspm2-thumb.jpg

At this point, cut and paste the text into your own mail, send it to your target and wait. Depending on the service you chose to "attack", the recipient might see something like the above, or something like this:

emlspm4.jpg

When they click the link, the target is redirected to another domain - of course, they'll be presented with something relevant to the service you're trying to "hack":

http://blog.spywareguide.com/upload/2008/01/emlspm3-thumb.jpg

Phish pages ahoy! They have a number of these all sitting on the same domain:

http://blog.spywareguide.com/upload/2008/01/emlspm6-thumb.jpg

Here's a fake Hotmail login:

http://blog.spywareguide.com/upload/2008/01/emlspm20-thumb.jpg

...and a fake Myspace:

http://blog.spywareguide.com/upload/2008/01/emlspm22-thumb.jpg

The good news is, the domain is flagged as a known Phish host when visiting in Internet Explorer:

http://blog.spywareguide.com/upload/2008/01/emlspm23-thumb.jpg

But wait, I hear you say. How do you get your hands on the phished user details? Well, here comes the clever part. The stolen login details are handily posted to the top of your login screen on Hothackerclub.com:

http://blog.spywareguide.com/upload/2008/01/emlspm11117-thumb.jpg

Note that it tells you numerous pieces of information, including the number of accounts stolen, the date you did it and the type of service account compromised, so the budding hacker can keep a nice running total of their exploits.

So, who runs these sites? Well, Hothackerclub.com is anonymous - however, it looks like someone slipped up with regard to the registration for the site hosting the phish pages:

"Registrant:
Digital Studio
47-Tufail Road Cantt Lahore
Lahore, Other 54000
PK

Domain name: GREETING4LL.COM

Administrative Contact:
Sulahria, Muhammad Yousaf yousaf2k@gmail.com
47-Tufail Road Cantt Lahore
Lahore, Other 54000
PK
+92.3334112402 Fax: +92.3334112402"

Of course, "Muhammad Yousaf" is the individual who first posted to Myspace.

Be wary of anything Emailed to you that requires you to log in to any of the sites mentioned above - if in doubt, right click the live link in the Email and check what domain it points to. Otherwise, you might end up on a hacker's rapidly growing trophy list...
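The domain check recommended above, as an added example that is not part of the original post: it pulls every link out of an HTML Email body and flags any whose visible text names a login service (or shows a URL) while the href actually lands on a different domain. The sample message, the service-to-host allow-list and the phish-host.example domain are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small allow-list of the domains each service genuinely uses.
# Extend it for your own environment; anything else is treated as foreign.
KNOWN_HOSTS = {
    "hotmail": {"hotmail.com", "live.com", "msn.com"},
    "myspace": {"myspace.com"},
    "yahoo": {"yahoo.com"},
    "orkut": {"orkut.com"},
    "hi5": {"hi5.com"},
    "facebook": {"facebook.com"},
}

# Constructed sample: an "E-Card" lure whose visible link text shows a Hotmail
# URL, while the href actually points at an unrelated (placeholder) domain.
SAMPLE_EMAIL = """<html><body>
<p>You have received a Hotmail E-Card! View it at
<a href="http://ecard.phish-host.example/hotmail/view.php?id=1">www.hotmail.com/ecard</a></p>
<p>Manage your account at <a href="https://login.live.com/">Hotmail</a>.</p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url):
    """'http://login.example.com/x' -> 'example.com' (naive last-two-labels rule)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def looks_like_url(text):
    return text.strip().lower().startswith(("http://", "https://", "www."))


def suspicious_links(html_body):
    """Return (href, visible_text, reason) for links whose destination does not match the claim."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = registrable_domain(href)
        if not target:
            continue
        # Case 1: the visible text is itself a URL, but the href goes somewhere else.
        if looks_like_url(text):
            shown = registrable_domain(text if "://" in text else "http://" + text)
            if shown != target:
                findings.append((href, text, f"displays {shown}, links to {target}"))
                continue
        # Case 2: the visible text names a service whose real domains exclude the target.
        for service, hosts in KNOWN_HOSTS.items():
            if service in text.lower() and target not in hosts:
                findings.append((href, text, f"claims {service}, links to {target}"))
                break
    return findings
```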

A few weeks ago, we covered Spammers running riot on Myspace pushing ringtones and dating profiles. Have you ever wondered how Spammers go about their daily business? If so, you're in luck because it seems likely that we've pieced together the tools (and domains) used for this very wave of fake profiles.

It all started with a domain I'd been looking at for a few days, which touted a "Myspace Directory" containing numerous text files named after various sections on the typical Myspace profile - "Gender", "Interests", "Heroes" and "Movies", to name but a few:

http://blog.spywareguide.com/upload/2008/01/myspacebot2-thumb.jpg

Here's a Birthday file:

myspacebot6.jpg

Here's a list of names:

http://blog.spywareguide.com/upload/2008/01/myspacebot3-thumb.jpg

Here's the name for the spam profile itself:

myspacebot19.jpg

And, more tellingly, here's an image file - the profile picture for the spam account:

myspacebot5.jpg

Look familiar?

It doesn't take long to figure out that these different text files are values the Spammers use to populate their fake profiles. But how do they get that data into the fake profiles in the first place?

It all begins with a domain that (for some unknown reason) was left with the Spamming tools sitting on the frontpage of the site:

myspacebot1.jpg

Thanks to a tip from my pal LoLo, I was able to grab the files and take a look inside. The domain hosting these files changes its content on a regular basis. Sometimes it serves you geotargeted adverts, other times it'll hand you an ad for a dating page (the picture of the girl with the laptop has been used on the majority of more recent spam that appears to come from the same group):

http://blog.spywareguide.com/upload/2008/01/myspacebot7-thumb.jpg

And (thanks to the magic of Google cache) we can even see the domain hosting a fake Myspace page:

http://blog.spywareguide.com/upload/2008/01/myspacebot8-thumb.jpg

The example above is overlaid with a redirect that takes you to more targeted adverts. For what it's worth, this particular kind of spam profile has been on Myspace since at least June 2007.

If we take a look inside the first zipfile, we see the following collection of files and folders:

http://blog.spywareguide.com/upload/2008/01/myspacebot11-thumb.jpg

Exploring those folders a little deeper (and faced with numerous .cs files), renaming some of them to .txt files....

myspacebot16.jpg

....allows you to take a peek inside:

myspacebot17.jpg

Once again, we see references to the most common categories on a Myspace profile. As you're about to see, this is hardly a coincidence. From the second zipfile:

myspacebot12.jpg

"Myspace program.exe"? Shall we take a look inside the program before we fire it up?

http://blog.spywareguide.com/upload/2008/01/myspacebot13-thumb.jpg

Well, would you look at that. Not only is the domain with the "Myspace" folder referenced in the code, but (more importantly) all of the individual .txt files that relate to "Birthday", "Books", "Movies", "Interests", "Heroes"....they're all there. Shall we put it all together?

myspacebot15.jpg

This is the tool that apparently makes it all happen. Note the entry box in the bottom right corner - from what we can gather, you enter the profile name you'd like for your Spam profile and hit Start - at which point, it checks out the information provided in the .txt files sitting on the domain, before attempting to contact another part of that website that allows it to create the spam profile on Myspace. At time of writing, the program doesn't seem to work due to a page missing on the domain hosting the spam profile information. Of course, they could bring the page back at any time, but for now, Myspace seems like it may be spared from more fake profiles selling ringtones, dating ads and free iPods.

For a couple of minutes, at least....

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

If you happen to be a musician on Myspace, you'd have seen the following update from Tom yesterday:

newmspacehck2.jpg

"we have been working on a new feature that allows bands with over 10,000 friends to automatically approve friend requests to save you some time."

Myspace just made it a walk in the park for Spammers to plaster the most popular pages on Myspace with pill adverts, dubious redirects, porn spam....whatever they feel like. Previously you had to be a friend (added manually) to leave a comment on someone's page:

newmspacehck4.jpg

Not anymore!

Remember the Myspace band hacks from a while ago? These are still taking place, with what looks like a few new malicious domains thrown into the mix (thanks to JetKing for the tip):

http://blog.spywareguide.com/upload/2008/01/newmspacehck1-thumb.jpg

Note the ".cn" domain in the bottom left hand corner. This will of course redirect you to a fake media codec install:

http://blog.spywareguide.com/upload/2008/01/newmspacehck3-thumb.jpg

Considering band pages are a huge target for Myspace hackers at the moment, this new policy - effectively a green light to as much profile spam as you can handle - allows links to this kind of redirect to be pasted all over music profiles with no need for the page owner to approve anything first.

Has this move been brought about by people working on behalf of the most popular artists complaining about the number of friend requests they have to manually approve? Possible, given the content of a Bulletin sent out by a band (and passed on to me by a contact who received it):

"Title : THERE IS A GOD!!!!!!!!!

In case you're wondering why I posted this, dear **** band's fans, adding 250-300+ people EVERY SINGLE DAY FOR THE PAST 4 YEARS, hasn't been my idea of a good time. So MySpace has FINALLY listened to the bands' moans, mine included! I sent them an email about this late last year and by god, they listened!"

However, the cost of an automated process like this is to give people with malicious intent permission to post whatever they want, whenever they want - simply by starting the ball rolling with a friend request to anyone with more than 10,000 people on their friends list. Of course, some profiles will have comment moderation enabled - but if the people using the auto-add feature are using it to save time in the first place, why would they bother to wade through hundreds of moderated comments too?

Myspace are having enough problems as it is, recently - why add to them needlessly?

Whenever I see someone post "Hey, check this out" on a Myspace profile I just know it's not going to be good for your general wellbeing. Sure enough...

japanese_myspace0.jpg

....anybody wanting to "check this out" will probably be a bit annoyed once they've clicked the link (made to look like it leads you to a video). Why? Oh, I don't know....

japanese_myspace1.jpg

Whoops. Shall we have a look at my all new login screen, courtesy of a mischievous IFRAME?

http://blog.spywareguide.com/upload/2008/01/japanese_myspace2-thumb.jpg

If you're hit by this, don't panic - simply scroll down to the bottom of the page and click the word "International" in the bottom right-hand corner:

japanese_myspace3.jpg

From there, it's just a case of setting the right geographical location for your homepage:

http://blog.spywareguide.com/upload/2008/01/japanese_myspace4-thumb.jpg

Everything should be back to normal once you've done this.

An MSN Worm appears to be in the wild which retains some of the functionality of a worm mentioned here, but with some additional features (such as sending spam, for example).

Initially, it sends the victim a message regarding Myspace (in our testing, this was the only message it sent, unlike the worm linked above which had numerous options to choose from):

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn1-thumb.jpg

Before you know it, you'll be sending lots and lots of spam - I hope your friends are looking for high quality luxury watches:

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn2-thumb.jpg

Finally, the payload drops a file onto the computer that attempts to execute remote code - it seems they're attempting to exploit victims with this.

Here's the (randomly named) file in question that causes this, deposited into your System32 Directory:

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn3-thumb.jpg

We detect this as MN.Spooler.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

I saw an article in today's newspaper about a schoolboy who created a sort of DIY Tram hacking kit - there's not much info online about it that I can see, but this is a good place to start.

Truly jaw dropping.

The answer, of course, is a bunch of horrible hackers, according to this article. Meanwhile, here's one group of watchmen that might find it hard to watch anyone for the time being. Or should that be "listen to"...

Here's a strange one - a supposed "Bank Hacking Tutorial" that's actually nothing of the kind. Of course, suspicions should be raised by the fact that the "tutorial" is actually an executable:

bank_hack_tut1.jpg

When running the file, a screenshot takes over the desktop which appears to be a snap from inside someone's bank account containing around $4,000:

http://blog.spywareguide.com/upload/2008/01/bank_hack_tut2-thumb.jpg

Note the tabs at the bottom - "People I've hacked" and a notepad file called "Bank account". Was this all done purely to show off with some bragging rights? Well, sort of...once you close the screenshot, you're met with this on the desktop:

bank_hack_tut3.jpg

A "trial expired" notice for Ardamax keylogger, version 1.6 (currently it's at 1.7). The files are dumped into a numbered folder in the System32 Directory:

bank_hack_tut4.jpg

....and here's the Viewer that runs if you double click AKV.exe:

http://blog.spywareguide.com/upload/2008/01/bank_hack_tut5-thumb.jpg

Now this could be an interesting way to social engineer a script kiddy into running a keylogger on their own PC (hey kid, check out my awesome bank hack tutorial!) - but I can't see it being much use when the version they're dumping onto the PC has expired?

I know it's customary to simply rattle off a "top 10 list" of bullet points related to possible security predictions further along in the year, but I thought I'd rather go into a little more detail with this one. As such, my bullet points are few, but my concerns are many.

What does the year hold? Lots and lots of problems for Myspace, from the looks of it. Don't forget the other Social Networking sites (such as Facebook and Orkut) too. Of course, claiming there will be issues for these sites is perhaps to state the completely and utterly obvious, but we're barely a week into the new year and already we have:

* Fake "friend adds" from someone posing as "Myspace Tom" trying to sell you ringtones;

* Zango in the news regarding an application on Facebook apparently designed to push popup adverts;

* Sites that provide services for Myspace in the line of fire too.

However you look at it, Social Networking is currently where all the action is, and, in the same way that some of the biggest security stories of 2007 were web 2.0 escapades, expect a lot more of the same this year. Although Facebook and Orkut have experienced a surge in recent months with regard to malicious (and supposedly "non malicious") attacks, Myspace will clearly remain the breeding ground for new techniques and attacks launched upon end-users.

Myspace shows no indication of locking down the functionality on end-users' pages that makes it easy for bad guys to cause trouble, and while the ability to post videos, music and custom backgrounds to your page is appreciated, the problems and security issues these same "bonus features" create are not so welcome.

If there is a major security breach involving Myspace, will they even be able to react in time given the responses I was met with when trying to warn them of an issue recently?

Sadly, it seems like a distant prospect at this point.

Instant Messaging attacks fell under the radar a little bit with regard to major breaking stories in 2007, but it's worth remembering that these hijacks are still out there in full force, even if we are all currently dazzled by the slow motion trainwreck that is the world of social networking.

Expect Skype Worms to become more and more commonplace - in fact, these attacks may drop under the radar more than any other, because the bad guys constantly reuse the same infection files. The first part of 2007 brought a flurry of news reports as we discovered a network-jumping Skype Worm - however, the current attack of choice continues to be reworked Warezov variants, and this can only mean one thing - lack of coverage and a general sense of "looking for something more interesting" as we all grow tired of Warezov variant number 600,308 rumbling across the Skype network.

Of course, these attacks will still continue to be successful, whether we continue to read about them or not.

With that in mind, it's time to make a few small predictions for the older IM networks - well, one, actually. Expect more custom-built infections for geographical areas you wouldn't have previously expected to be exploited. The Singworm (targeting MSN users in the Singapore region) springs to mind. As researchers grow tired of seeing the same old hijacks time after time and start to explore what's lurking in other regions, we'll start to read about new and interesting attacks from further afield. In some ways, that's already happened with regard to Adware - as the "old guard" of companies such as Zango, Direct Revenue and DollarRevenue either go out of business or reform, researchers have started to look at the "next generation" of Adware coming out of China.

Sadly, there will be more than enough for us to get to grips with. Indeed, we might start pining for the more straightforward threat landscape we knew and understood as we spend the year being battered by sales pitches in Chinese, EULAs in Korean and hacking forums written in Malay.

Last week, I heard rumblings of an "interesting" screenshot doing the rounds on a few forums, but I had no clue where to look for it. Then someone anonymously popped up on MSN - as they quite often do - and sent me a link to the screenshot in question.

As you might have guessed, the screenshot involved Myspace. What's worrying here is what the contents of the screenshot could mean, and the less than amazing response I've had back from Myspace. See, let me say this right away - whenever you trawl through the super secret security mailing lists, backroom areas on forums etc, there's always one question that keeps popping up, and it almost always draws a blank.

"Anyone got a contact for Myspace?"

Most of the time, nobody ever does. For all intents and purposes, their security team - whoever they are - might as well reside in another Galaxy. So when a screenshot containing what looked like a pile of sensitive data related to Myspace came my way, my eyes started to roll and didn't stop for three whole days.

Now, I had no clue what I was looking at but it didn't sound very good given that this was supposedly popping up on various underground forums. Some of the items from the screenshot included:

"Domain Account Administrator, Myspace"

"CSR-Tools"

"Account: Retail"

"Billing Information".

These are just some of the items contained in the screenshot. Besides that, there's a number of domains seemingly connected to Myspace down the left hand side and a bunch of contact information (Emails, names, addresses, User ID numbers) in the main portion of the page.

Has someone wandered into the main admin panel for Myspace? Is this something to do with a storefront related to the site? Is it something else entirely? Who knows, but you can probably guess what happened when I attempted to draw attention to this. I mailed them using their autoform last week - no reply.

I tried again this week, and this is what I sent them:

hello, my name is chris boyd, director of malware research
for facetime security labs. This is the second time I have
sent this through, with no reply so far. A few days ago,
someone pointed me in the direction of a screenshot a few
people had heard about (screenie URL goes here).

The screenshot appears to indicate your main CSR account
tools system was compromised in some way - can you confirm
what has happened here? I will be writing about this later
on today on my blog and would prefer to have the full
details as to the extent of what has (or has not!) happened here.

Thanks,
Chris

Can you guess what I got back?

Hello,

Below is a pretty comprehensive overview on blogs presented in an FAQ format. It should answer all the questions you have about blogs.

Q: What is a blog?

A: A 'blog' is an online journal. Blog is short for Weblog. In recent years, 'blogging' or posting an online journal has become very popular.

.....yes, thanks for the handy blogging tips(!)

I mailed them right back and this time, I was supposed to be given an answer by an actual person. As it turns out, the auto reply above made more sense than what I was handed back. I sent them the same Email above - this is what I got (bold emphasis added by me):

Hello,

Most errors are cleared up in a matter of minutes so try to access the page again in a minute or so. If it's a significant problem, we're probably already aware of it and are currently working to resolve it. Please be patient.

......wha? Thanks for advising me to try accessing your potentially compromised system again in a few minutes, but that doesn't really solve anything, does it?

I've resent yet again with a little note asking if anyone there actually bothers to read anything they're sent, but I'm not getting my hopes up. I'd like to think the above screenshot doesn't represent anything serious, but would someone bother posting something like that to websites if they didn't think it was a big deal in the first place? I mean, call me paranoid, but I'm not entirely certain I want to be anywhere near a Myspace page at the moment. Is it safe? Is it compromised? Nothing to worry about? Being taken care of? Who knows?

Little help, Myspace?

/ Addendum - I just received the latest reply to my efforts to draw attention to this, and it's the best one yet.

I sent Myspace this:

"Is anyone there actually reading what I'm sending you? I'm telling you that you appear to have been compromised, potentially quite badly. And you're sending me another reply that doesn't help and tells me to "try to access the page again in a minute or so"?! I guess that would be useful if I was the one doing the compromising, but this isn't really much use to me, is it?

Let me repost my message for a third time"

This is what I got back:

"Hello,

We do not offer that option as it is not available within MySpace."

....I think my brain hurts.

Looks like the Myspace spammers impersonating "Myspace Tom" have realised that calling their ringtone spamming profiles "Tom Anderson" is the quickest way to have their fake profiles deleted.

With that in mind, they decided to change the names given to the profiles.

Unfortunately for them, they kind of messed it up.....

fake_tom_girl.jpg

.....nope.

fake_tom_ringtone22.jpg

As you might have guessed, these profiles that are suddenly springing up all over Myspace are 100% fake. It seems Myspace are aware of these, and are taking actions to have them deleted.

About this Archive

This page is an archive of recent entries written by Christopher Boyd in January 2008.
