Christopher Boyd: March 2008 Archives

Hopeless EMail Phish


Subject: Dear Webmail Subscriber Confirm Your Account.

Body: "Dear Webmail Subscriber,

To complete your Webmail account, you must reply to this email
immediately and enter your password here (*********)
Failure to do this will immediately render your email address
deactivated from our database.

You can also confirm your email address by logging into your webmail account.

Thank you for using!
THE SUPPORT TEAM
WEBMAIL SUPPORT
Confirm Your E-mail Address"

I see some poor phish mails, but this one doesn't even attempt to make sense. Not only is it a bad idea to tell someone to "confirm their account" when they've already been using it for four years(!), telling them they can "confirm their email address by logging into your account" is sort of redundant considering they'd have to be in it in the first place to see the mail. They don't even link to a phish page - the mail might as well just say SEND US YOUR LOGIN, THANKS!

Oh wait, it does.

A quick Google search on the domain used for the email address in this scam (@j-mail.info) reveals a prior history where email missives are concerned: fake lotteries, grant awards, 419 references. As always, steer clear.

I think it's safe to say EBay has a bit of a problem where insanely high fake bids are concerned. From this morning's listings....

pspreload1.gif
pspreload2.gif

Whoops.

There is a theory circulating that claims the bidders in these cases are actually established EBay members who think they've spotted a scam auction, and so register anonymously to place stupidly high bids - at which point, they ruin the auction and cancel their sock-puppet accounts. Upon closer investigation though, the auctions didn't seem any different to any other auctions on EBay.

The plot thickens...

"I wonder what will happen when every rabid Dreamcast community, every "blog" on the internet, and every message board, realizes that someone has setup the above domain name in an effort to scam the Dreamcast fanbase for google ad hits and affiliate points at play-asia." - An Angry Gamer, on the Internet

It seems like the recent Dreamcast Phish story flew right by a lot of people, but if you had any love for Sega's ill-fated console - and screenshots of my still-working console running Shenmue 2 will tell you that I did and still do:

dc1.gif
dc2.gif

.....then you can't help but have been swept up in the wave of nostalgia that hit last week.

Why?

Well, it's coming up to the tenth anniversary of Sega's masterpiece, and naturally, there's a HUGE fanbase out there expecting everything from a small celebration to the announcement of a new Dreamcast console. In fact, it wasn't too long ago that Sega making some changes to the logo caused near pandemonium amongst gamers.

I swear, they're just doing it to mess with our minds.

Anyway.

It seems the Sega-owned domain "Dreamcast.com" had long since been abandoned by them (though the Whois details have seemingly never been altered from the original Sega-specific contact information), so with the tenth anniversary coming up, what better time for some unscrupulous scammer to get in on the act with some phishing antics? Sure enough, anyone visiting the Dreamcast site a week or so ago would have seen something like this:

dreamphish.JPG

That would have been enough to send hordes of over-excited gamers into a frenzy. Seriously. It would be like aliens suddenly deciding to send us a "hey, we're out here" message, or the crew of the Marie Celeste turning up on your doorstep wondering what all the fuss was about. Maybe I'm exaggerating a bit, but wow - I nearly fell off my chair when I heard that the Dreamcast site had suddenly been updated after years of nothing. For the real hardcore gaming fans out there, a similar effect could probably only be achieved by news of the Gaming Intelligence Agency suddenly being resurrected.

Yes, I'm sure half of you don't remember that site but never mind.

Luring you in with the promise of an official @dreamcast.com Email address, they asked for your serial number, desired username, password and a current Email address. Once registered, you would end up with a seemingly valid yourserialnumber@user.dreamcast.com address.

The only problem, of course, was that it wasn't SEGA sending out your details, it was the scammer who had grabbed the domain name. The theory is that people would likely use the same password for their desired Dreamcast address as the alternate Email address they provided when signing up to the "service". Thus, you would have spam lists and hijacked email addresses galore.

It didn't take long before SEGA denounced the site, and it was pulled offline shortly after. In retrospect, a dead giveaway should have been the fact that the site had Google Ads and a few other things on it (check out the rather small screenshot) that probably wouldn't have been there if SEGA had actually been in charge. SEGA almost certainly wouldn't have had a Play-Asia affiliate code embedded in the page, for that matter:

affcodedc.gif

...argh.

If you weren't there at the time - if you didn't take to this console the way so many gamers did (and still do, even today) - you probably wouldn't have the same nagging feeling as I do, that someone, somewhere, just kicked your puppy into outer space.

Yes, I am pretty annoyed by this.

You can bet a legion of gamers are, too. As one gaming website put it:

"Gaming Target will fill you in on the identities of the scammers if their names (and hopefully addresses) are published."

When you annoy even the mainstream gaming media websites to the point that they're hoping to hand out names and addresses for some vigilante justice, you know you've screwed up royally. I'm not claiming to have waited more than a week before publishing this article simply to see if I could post some triumphant pictures of the culprits being hauled off for ten rounds with Sonic the Hedgehog in a really horrible jail somewhere, but, well, you know.

Annoyed and all that.

Interestingly, this isn't the first time a SEGA domain has been obtained and used for strange and / or dubious purposes. For whatever reason, they don't seem to want anything hanging around that reminds them of the Dreamcast, and a while back something similar happened with the official Shenmue domain. It really baffles me why they would be interested in keeping the trademark for the Dreamcast up to date, while letting the domains slip away from them to be used for things like this. Here's what happened, courtesy of some random guy on the Internet:

"Sega couldn't care less about Shenmue or Dreamcast right now, so they let most Dreamcast-related domains expire. More than a year ago (can't remember the exact date) the shenmue.com domain expired. Someone registered the domain and uploaded a mirror of the then defunct Shenmue site. Since Shenmue Passport also connects to a shenmue.com subdomain, he managed to get Shenmue Passport partially working (all the download functions which had been previously mirrored by the community worked). He posted a message on Shenmue Dojo saying something like "hey guys, like at this, Sega is bringing Shenmue Passport back online". The user would then check he could indeed log in successfully to Shenmue Passport, and be greeted with a "We're bringing back Shenmue Passport, stay tuned" message.

Now, if he had been a serious person, he would have told people "I just registered the shenmue.com domain and I think I can bring Shenmue Passport online, even though it's totally unofficial, but this is as good as it gets". Instead, he pretended to be Sega.

He registered the shenmue.com domain using his very own name (in case anyone is curious, he's from Colombia). He later changed it to make it look more legit. And I'm almost sure I saw him doing the very same thing with the dreamcast.com domain (first using his name, then changing it to someone from Sega).

It's the second time something like this happens to the Dreamcast community and it sucks."

You said it man, you said it.

Maybe we should have a whip-round and buy them the domains back as a tenth anniversary present.

Now if you'll excuse me, I have to go get my hopes up some more for the sure-to-come announcement of a Dreamcast 2...

See if you can spot what's wrong with the following picture, a snap of an EBay auction for a PSP:

ebaypsp1.gif

If you had said, "someone has bought it for over a thousand pounds" then you would be right. In addition, the winner seemingly has good feedback (a score of 111!)

What went wrong here? Well, it all seems a little tangled but let's check out the previous bids. Here's a shot of the auction with eight minutes to go (and we're already in the land of silly prices):

ebaypsp2.gif

Note that the person winning has the less than spectacular name of "Bidder 9". Shall we see who our bidding buddy is?

http://blog.spywareguide.com/upload/2008/03/ebaypsp3-thumb.gif

..there's a surprise, they've been registered for less than a day. Ten items bid on in total, three bids on the PSP, all categories bid on involve electronics and generally expensive equipment.

If it had stayed like that and our clearly fake bidder had "won", that would be the end of it. However, as we can see, someone with a very good EBay score stepped in at the last minute and inexplicably put in a (completely crazy) bid. Shall we look at the individual bids on the auction?

ebaypsp4.gif

As we can see, everything is normal until Bidders 8 and 9 arrive on the scene, throwing the price up to £500. Then, right at the end, the supposedly "normal" EBay user adds an extra slice of cash (bringing things to the £1019 mark), ending up with a grand total of £1,550.

Now ask yourself - does this look like the profile of a scammer?

http://blog.spywareguide.com/upload/2008/03/ebaypsp5-thumb.gif

The answer, of course, is no. A long history of buying and selling, only one piece of negative feedback, and good overall scores. In fact, someone has left feedback today after receiving an item from this person. In all likelihood, this person has been phished and been used in a (fairly crude) fake bidding war. At a guess, the account hijackers would attempt to get the seller to accept payment by cheque or some other method, while seeing if they could get the item sent out before payment has arrived - using the rather large payment in waiting as a bargaining chip.

Of course, I contacted the seller and pointed out that the huge finishing total probably didn't mean this was his lucky day - he seemed fully aware that this was a scam of some description, but better safe than sorry....

I'm still trying to process this to be perfectly honest, but one of my close contacts has confirmed there is someone going around either hijacking, hacking or phishing user accounts on Facebook, then randomly uploading pictures of child torture to their photo albums and / or funwall.

.......yeah, that's messed up right there.

So far, I have one definite confirm on at least two accounts that were taken over (most likely by the same individual), one of which had the child torture pictures uploaded to it and the other - well, it wasn't child torture but it nearly cost someone their marriage, according to my friend.

This happened a few weeks ago, and Facebook apparently haven't replied to the person who raised it with them yet. I've also heard a few mutterings about other accounts taken over with extremely dubious content posted to them, but nothing confirmed on those yet.

Obviously, if you're at work (or even at home) and you suddenly click into the kind of material mentioned above, you could get into all sorts of trouble real fast. While I'm not about to suggest everyone jumps out of Facebook right this instant, I would advise extreme care with your login credentials while this lunatic is on the loose.

My friend (who reported the hacked profile that was on his friends list) has confirmed the lady who was hacked didn't save any of the images (which is understandable, really). So no blanked out screenshots to show you - if we get confirmation of these postings, we'll update with more information as we get it...

/ Update - As I've said here, this is NOT a "wave" of attacks, merely two profiles that have apparently been tampered with. Remain vigilant, but please, no need to start panicking.

There comes a time in every script kiddie's life when they think, wow, I need to make some horrible infection files. Of course, there are people out there who cater to these desires with increasingly slick infection creation tools. Take this one, for example:

uvl1.gif

Firing up the application presents you with this:

http://blog.spywareguide.com/upload/2008/03/uvl2-thumb.gif

The interface is extremely slick and even has a panel where you can get updates on the latest news. Currently, it says (translated from German):

"Version 2

Sun. Version 2 is finally Releast. Done a lot, we have given you the Stealen as simple as possible.

Added to V2:

-- Email function now Dynamic
-- Skin Changer
-- News window
-- Improved Method Steam Steal
-- PC Info Stealing
-- Icon Changer
-- Delete server after launching "fixed.
-- "Hide server after Launching"
-- "Invisible server in Task Manager"
-- "Kill Antivirus System"
-- Server Downloader erstellbar

Here, the anti-virus Kill List: http://xxxxxxxxxxxxxxxxxx"

Yep, there's an anti-virus kill list (quite a large one, too). Here's a small portion:

http://blog.spywareguide.com/upload/2008/03/uvl3-thumb.gif

The "Extras" folder contains a number of fake icons you can use for your brand new infection file:

http://blog.spywareguide.com/upload/2008/03/uvl4-thumb.gif

As you can see, there are numerous avenues of scammery and social engineering you can pursue when using this program. You can tell it to target certain kinds of user data to steal, delete the file once activated, disable firewalls and task manager - they even include push-button access to take you to sites where you can create email addresses / server accounts to send stolen data once obtained. Here's my infection file:

uvl5.gif

Once the file is run by the victim, they'll see your custom-made error message to make them think they simply have a faulty download:

uvl6.gif

At that point, the infected PC is all yours and you can beam home the data to the accounts specified in the application:

http://blog.spywareguide.com/upload/2008/03/uvl7-thumb.gif

...or at least, it would do if it didn't break every time it attempted to send home stolen data:

uvl8.gif

Hopefully, this crippled EMail functionality will lessen the damage done in terms of stolen personal information from the PCs of victims. At least for a while...

Yet another site has popped up, offering to tell you if your MSN Contacts have blocked you. In this case, an email was sent to me by one of my contacts, directing me to "hasdoneit(dot)com"

hdi0.gif

Note that it mentions it will tell me who has blocked me - this will be important later on.

As soon as I hit the page, a (fake) MSN Messenger box popped up in the bottom right hand corner with a pornographic web-cam image in it:

http://blog.spywareguide.com/upload/2008/03/hdi1-thumb.gif

Different images continue to cycle if you remain on the page. As I typically see these kinds of sites aimed at teenagers and younger children, this is obviously some cause for concern (clicking the image leads you to a hardcore webcam site).

Terms and Conditions for this kind of site are always confusing at the best of times - in this case, you have to read a ToS translated from its original language.

Nope, I've got no idea what they're saying either. If your contact enters their login details onto the website, they'll suddenly look like this on your MSN Messenger contact list:

hdi2.gif

The "results" they'll see on the website will look like this:

hdi3.gif

Note that it says who has deleted you, who you no longer have on your list (wouldn't you already know this by virtue of the fact that you deleted them in the first place?) and who YOU are blocking (again, wouldn't this be rather obvious)?

It does NOT reveal "who is blocking you" as the Email claims, because I tested this with two addresses (one of which was blocked), and nothing told me that this was the case. There doesn't seem to be any icon or indicator used on their results page to indicate who has you blocked, either, which seems a little peculiar.

I've said it before, and I'll say it again: NEVER enter your MSN Messenger login details onto a website that isn't a part of Microsoft. At best, you're opening yourself up to spam and adverts being sent from your account; at worst, you face a total hijack and permanent lockout from your services. The Siteadvisor coverage of the site isn't very promising, and as one reviewer says, why would you willingly hand over your login details to a site registered anonymously via Domains By Proxy?

Myspace hacking tools are a magnet for wannabe script kiddies and leet hax0rs. Here's the latest one I've seen in the last couple of days:

fmshk1.gif

....ooooh. But wait, it gets better:

fmshk3.gif

I've no idea who "Paul & Nick" are, but they'll probably attract a fair amount of people to this application (which weighs in at a tiny 24KB) before they realise it's a fake. Enter the Myspace page that you want to target (or leave it blank!), hit the "Hack" button and....

fakeshutdown1.gif

Whoops. Thanks to a line of code that says this:

00002A24 00402A24 0 shutdown -f -s -t 0

...the PC (as you probably already guessed) does indeed shutdown:

http://blog.spywareguide.com/upload/2008/03/fakeshutdown2-thumb.gif

No lasting harm is done to any PC that the file is run on. We detect this as Myspace.Shutdown.
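A defender-side way to catch this class of "hack tool" before anyone double-clicks it, as an added example that is not from the original post or from the detection vendor: extract the binary's printable strings (ASCII and UTF-16LE) and flag embedded destructive command lines, parsing shutdown.exe's flags so a forced zero-second shutdown like the one above ranks highest. The byte blob and the extra rules beyond `shutdown` are constructed assumptions for this example.

```python
"""Static triage for a small 'hack tool' binary: pull out printable strings
and flag embedded destructive commands such as the `shutdown -f -s -t 0`
the post found in Myspace.Shutdown. Added example for this post, not the
vendor's detection code; SAMPLE_BINARY is a constructed stand-in, not the real file."""
import re

MIN_LEN = 4
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Windows binaries (VB6 ones especially) also keep UTF-16LE text: char, NUL, char, NUL ...
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(blob: bytes) -> list:
    """Printable ASCII and UTF-16LE runs in file order, like `strings` plus `strings -e l`."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_RUN.finditer(blob)]
    return [s for _, s in sorted(found)]


SHUTDOWN_CMD = re.compile(r"^\s*shutdown(?:\.exe)?\s+(.+)$", re.I)
SHUTDOWN_FLAG = re.compile(r"[-/]([a-z])(?:\s+(\d+))?", re.I)


def classify_shutdown(s: str):
    """Parse a shutdown.exe command line; return a finding dict or None.
    -s / -r power off or reboot, -f force-closes apps, -t N is the countdown in seconds."""
    m = SHUTDOWN_CMD.match(s)
    if not m:
        return None
    flags = {f.lower(): (int(n) if n else None) for f, n in SHUTDOWN_FLAG.findall(m.group(1))}
    if "s" not in flags and "r" not in flags:
        return None                  # e.g. `shutdown -a` (abort) does nothing destructive
    timeout = flags.get("t")
    if timeout is None:
        timeout = 30                 # shutdown.exe's default countdown
    forced = "f" in flags
    if forced and timeout == 0:
        severity = "high"            # no warning, unsaved work gone: what Myspace.Shutdown does
    elif forced or timeout == 0:
        severity = "medium"
    else:
        severity = "low"
    return {"rule": "shutdown", "severity": severity, "string": s,
            "action": "reboot" if "r" in flags else "poweroff",
            "forced": forced, "timeout": timeout}


# Other one-liners a "Myspace hack" has no business carrying. Assumption: an
# illustrative list for this example, not any vendor's signature set.
OTHER_RULES = [
    ("taskkill", re.compile(r"\btaskkill(?:\.exe)?\b.*[-/]im\s+\S+", re.I)),
    ("format-drive", re.compile(r"\bformat(?:\.com)?\s+[a-z]:", re.I)),
    ("recursive-delete", re.compile(r"\b(?:rd|rmdir|del)\b\s+(?:[-/][sq]\s+)+", re.I)),
]


def scan_blob(blob: bytes) -> list:
    """Run every extracted string through the rules; one finding per matching string."""
    findings = []
    for s in extract_strings(blob):
        hit = classify_shutdown(s)
        if hit is None:
            for name, pat in OTHER_RULES:
                if pat.search(s):
                    hit = {"rule": name, "severity": "medium", "string": s}
                    break
        if hit:
            findings.append(hit)
    return findings


# Constructed stand-in for the 24KB executable: a few ASCII strings, one UTF-16LE
# string and some non-printable padding. Not bytes from the real sample.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"Project1\x00\x00"
    + b"Enter Myspace URL:\x00\x00"
    + b"shutdown -f -s -t 0\x00\x00"        # the line quoted in the post
    + "taskkill /F /IM taskmgr.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x13\x37\xff\xfe"
)

if __name__ == "__main__":
    for f in scan_blob(SAMPLE_BINARY):
        print(f"[{f['severity']}] {f['rule']}: {f['string']!r}")
```

Run it against any suspicious download with `scan_blob(open(path, "rb").read())`; a hit on a 24KB "hack tool" is reason enough to bin it.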

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

Observed being fired around via mail, private message, posted directly onto profile pages....

chainletters.gif

An emotional plea from the heart, except that there's no mention of how this works, how anyone is tracking the number of messages sent through Facebook and turning it into money, where it's donated to, why it's talking about "Email" when it's actually being posted onto FunWall applications on Facebook...etc.

Here's another chain letter observed in November - I wonder how many more are out there?

The 30 Second Phish


I spend a long time taking down websites overpopulated by script kiddies and wannabe hackers. Mostly, the people on these sites are running wild with no real clue as to the seriousness of their actions until they get caught - at which point, they invariably beg for mercy and suddenly grow a conscience. Many hardcore phishers I see, for example, are anything from 11 years of age and up. They seem to get younger all the time - why is this? Well, the demand for custom made phishing tools plays a large part in this as the programs spring up on hacking sites, trickle down onto the more general "gaming and coding" sites (that usually host a hacking section) before winding up on the script kiddy sites.

Today, we'll take a look at one such application. The ease with which this program can be used to generate fake login pages is truly frightening, yet not at all uncommon. We'll begin, as we do all too often, with a wonderfully hypocritical "disclaimer" on the program EULA (yep, phishers come with EULAs and scrolling credits that roll up the screen nowadays):

dfish1.gif

The text reads:

"The Author Of This Program Is NOT Responsible For ANYTHING You Do With This Program, I encourage you not to use it. It was only created for educational purposes and to demonstrate how web pages are vulnerable. If you EVER see a phisher please report it.

This is just a quick disclaimer. I want to get straight to the point, PHISHERS ARE ILLEGAL. Well they're not illegal Per Se, but it depends how you use them and I would like to give you a little memo so you don't get yourself in ANY trouble.
If you use this program in order to create a fake web login in order to gain someone's password that is Illegal and against the law and can get you a sentence in prison. Do not create a phisher of any website without the owner of the website's permission.

For More Information On Phishers Go Here."

I've always wondered how someone who created a tool specifically to perform illegal actions is somehow not responsible for the actions of the people they distributed it to. Oh, but of course we have those wonderful caveats - "for educational purposes only" (you need to make a fake login, upload it then steal someone's login details to educate yourself that "people can make fake logins"? Couldn't you just be told that instead?) and my other favourite, "Do not create a phisher of any website without the owner of the website's permission".

This begs the question, and it's a very obvious question, but I'll ask it anyway.

Why would anybody ever give you permission to make a fake login of their website?

Oh well, let's see what it does anyway.

dfish2.gif

Talk about being idiot-proof. Yes, that really does say "Click the numbers for the details to be read out aloud". Double click the Begin marker, and you see this:

http://blog.spywareguide.com/upload/2008/03/dfish3-thumb.gif

At this point, you take the code from the source of the page you want to spoof, paste it into the program, push a button and tell it where you want your fake login to redirect the victim to once they've entered their details:

dfish5.gif

...job done, and you've created a perfect Phish page in 30 seconds or less. It even places your fake login page in an upload folder for you, just to ensure you don't screw up at the last minute and wonder where it went. Here's my fake page:

dfish7.gif

Worrying, isn't it? Hopefully you can see exactly why kids are getting into phishing in a big way at such a young age with programs such as these around. This is just one example in a very big collection of Phishers currently in circulation - and a steadily growing audience eager to try them out will ensure they're around for a long time to come.

The AIO Scene


I thought it might be interesting to take a wander down the backstreets of the AIO Scene (as you might have guessed from the title).

Of course, first I'll explain what the AIO scene actually is (which will probably be helpful!)

From Wikipedia:

"All-in-One (AIO), also known as #-in-1, CD-ROMs or DVD-ROMs contain more than one application on the disc. Typically, this would simply be different editions of the same version. AIOs are normally created by warez groups in order to save time to download and upload software, while giving a large collection of editions at the same time."

As you might have guessed, there's a huge selection of disks out there with all sorts of weird and (not so wonderful) programs on them. Here's a typical CD:

AIOdisc1.gif

....mmmm, full of Underground badness. A lot of care and attention goes into the design of the CD presentation - in fact, a lot of the time, the presentation is more interesting than the old and mundane applications bundled on the CD. Here's what you'll typically find if you explore the CD:

http://blog.spywareguide.com/upload/2008/03/contents-thumb.gif

And here's what you'll see if you explore the contents the way the CD creator intended:

http://blog.spywareguide.com/upload/2008/03/AIO6-thumb.GIF

Notice it also has a soundtrack playing in the background - not uncommon.

Here's a Matrix effort:

AIO7.GIF

Unsurprisingly, you get a lot of these. Next up, a "Vista style" production:

http://blog.spywareguide.com/upload/2008/03/AIO1-thumb.GIF

A crude but functional DDoS pack:

AIO3.GIF

An even cruder "Credit Card Generator" pack:

AIO4.GIF

An extremely ugly looking frontend for a hackpack designed to exploit Windows in various illegal ways:

http://blog.spywareguide.com/upload/2008/03/AIO5-thumb.GIF

Here's an AIO from the Greek Hacking Scene:

AIO81.gif

The creator of this particular AIO has a thing for stuffing his package with as many scantily clad females as possible:

AIO82.gif

Speaking of which, not all AIOs are strictly related to hacking. Here's a porn AIO stuffed with pornography related programs and tools:

AIO2.GIF

I'd show you more examples of AIOs, but you've probably seen enough badly designed interfaces to last you a lifetime now! Hope you enjoyed our little stroll through the AIO Scene. Of course, we've hardly scratched the surface so we might come back at some point for another tour of duty...

Wayne Porter often talks about virtual worlds - indeed, I was roaming around in The Matrix Online for the longest time (with occasional rants about how bad it was) - but here's an odd proposition.

Don't pay for your web-hosting with real money - pay for it in Habbo Hotel Credits and Furniture instead. From the site in question:

"Habboshosting has been around since November 2006. Since then it has been dedicated in offering the highest quality hosting and will continue to do so into the future. We offer a unique opportunity for any habbo and every habbo to easily buy web hosting, via credits and Furni!"

It's the first time I've looked at hosting packages and seen 5000MB of bandwidth and 500MB of disk space offered for five Habbo credits. I'm not sure how the host could make money from this, but I guess they must do if they've been around since 2006. Perhaps Habbo fan sites don't take up many resources or something. At any rate, one of the stranger things I've seen this week...

It's been a while since we looked at something from China, so let's get on with things.

zzt1.gif

What will spring out of this executable file, I hear you cry. Hijack? Blue screen of death? Click fraud tool? Well....

zzt2.gif

.....not exactly. Can you say "ZZToolbar"? Yes, it's time to get all retro and welcome a humble (and utterly confusing) toolbar onto your PC. Shall we take a look?

http://blog.spywareguide.com/upload/2008/03/zzt3-thumb.gif

Yep, that's definitely a toolbar. Clicking the button on the left clues us in to the fact that this has some kind of website ranking functionality built into it:

http://blog.spywareguide.com/upload/2008/03/zzt4-thumb.gif

The toolbar can also open up a number of search engines, like most toolbars:

zzt5.gif

....and that's it, really. I'm not complaining - it makes a change from writing about a seemingly endless stream of tools designed to cause mayhem. I'm sure it won't be too long before I have something nasty to write about though...

I'm not claiming to understand everything in this post - because I don't - but it's well worth wrapping your head around, as Wayne Porter provides a lot of food for thought with regard to the current state of the Advertising industry and the danger of playing in Ecosystems.

Check out the Securitycadets forum, where someone who (supposedly) works for a program labeled as a rogue-antispyware tool has turned up demanding to know where the "malware that comes with the download" is installing from. So far, he doesn't appear to be forthcoming with regard to any more information about himself, which is kind of suspicious. These kinds of appearances by promoters of such programs tend to fizzle out quite quickly, as

A) Everything they say is refuted in spectacular fashion and
B) They never want to say anything of interest anyway.

Still, worth keeping an eye on.

Here's a program that seems to be all the rage at the moment - "Internet Exploiter". It does exactly what it says on the tin. Here's what you have after install:

iexploir1.gif

Some interesting links are placed there - aside from the obviousness of placing links to hacking sites related to the program, there's also a link to a hosting company, which is a touch....bizarre. It's also good to see that sites are still carrying the warning about the (completely fake) Internet Privacy Act of 1995.

iexploir2.gif

In case you were wondering, "File.html" appears to be a bonus feature thrown in at no extra cost in the form of a phpBB spamming tool:

http://blog.spywareguide.com/upload/2008/03/iexploir3-thumb.gif

Run the main program, and the creator helpfully clues you in on what to expect:

iexploir4.gif

Nice(!)

Finally, we come to the application itself, which (after all the initial build-up) is a strange mish-mash of tools and add-ons.

http://blog.spywareguide.com/upload/2008/03/iexploir5-thumb.gif

Automated ways to search for "vulnerable" online web-cams, booters, more forum exploit searches, a Yahoo profiler and a Bandwidth Killer are some of the "features" of this application. After testing, it doesn't appear to be as automated as it likes to appear - many functions here don't seem to work by simply pushing the buttons, which is exactly what the average script kiddy is hoping for.

Looks like we can call off the "We're all doomed" parades for the moment....

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

It seems Skype Spam promoting rogue antispyware tools is still going strong. This was sent to a colleague of mine yesterday:

soft_alarm.gif

Never visit the sites promoted by these kinds of tactics. A world of popups and pushy marketing tactics will be unleashed upon your desktop if you do.

Just a quick note to mention that I've seen this floating around various facebook pages (usually in the comments sections of profile pages):

altf4.gif

I should stress, there's no indication of this being posted as a result of an infection or anything like that, but it does seem curious that people would start randomly posting the above on their friends pages, even if doing such a thing was funny, oh, about five years ago.

For those who don't know what pressing ALT + F4 does, here you go.

Here's an interesting twist on the usual fake profile invites I regularly receive on Myspace.

fcprofs1.gif

Normally, you click the link and are taken to a standard fake profile advertising webcams or something of a similar nature. If you refresh the page, you'll see the same content - just like a regular Myspace profile. Well, in this case the code used by the bad guys means the page is no longer static. Refreshing the spam profile will endlessly cycle through a whole raft of fake overlays and images:

http://blog.spywareguide.com/upload/2008/03/fcprofs2-thumb.gif
http://blog.spywareguide.com/upload/2008/03/fcprofs3-thumb.gif
http://blog.spywareguide.com/upload/2008/03/fcprofs4-thumb.gif
http://blog.spywareguide.com/upload/2008/03/fcprofs5-thumb.gif

All of the above pop up on the profile link I was sent (you can see the URL remains the same in each screenshot).

How do they do it? Well, they're overlaying the profile page with a large clickable image, a common tactic that was used in the Myspace band hacks from a while ago. Here's the code:

fcprofs6.gif

In other words, a random image (made to look like a Myspace profile) is served from here:

free-hotwebcam(dot)com/Images/00110/KKD90g4aKKXNSTKhUvj04RO7WQDhw(dot)jpg

And clicking it will take you here:

snurl(dot)com/20h89-holo

Which redirects you to

privaterooms(dot)biz/t-main027(dot)html

...before finally leaving the end-user at the eventual destination of teen(dot)livecamfun(dot)com. The curious thing is, why would you bother to make your spam profile pages dynamic in this way? Once you've seen one, you leave it and don't go back. I can't imagine someone revisiting the page simply because the images keep changing...

This application is made by the same individual who created the Win32.Spin "application". However, this is quite a bit more malicious than opening up a bunch of browser windows. The hacker chooses a PC that they know will be used by lots of different people - web cafe, library, school, wherever. They install their fake application (designed to look like MSN Messenger Live), let the victims run it, then steal their login details.

How do they do it? Well, let's take a look. First of all, the icon for the executable doesn't look too convincing, does it:

fmsn0.gif

If you check out the properties for the application, you'll see something strange:

fmsn1.gif

"Project1-Logs to Text Doc"? That doesn't sound like something a Microsoft application says when you right click it. The plot thickens! Finally, when you run the application, you can't move it around your desktop (it stays stuck to the middle of your screen), or click on anything bar the checkboxes and the "login" button (although obviously, it allows you to type in your username and password).

http://blog.spywareguide.com/upload/2008/03/fmsn2-thumb.gif

After you hit the sign in button, you'll see this error message:

http://blog.spywareguide.com/upload/2008/03/fmsn3-thumb.gif

"Windows Live Messenger can not sign you in right now, please try again later". All lies, of course. What happens now? Well, let's take a look at the code:

fmsn4.gif

Sitting either side of the fake error message, we can see two things. One, the creator is called "David" - always useful to know. Two - the login details should be deposited into a .txt file in the C Directory.

fmsn25.gif

....and there it is! Shall we open it up and take a look?

fmsn45.gif

Success! The password has been dumped into a location where the hacker can easily retrieve it at their leisure. Ah, I hear some of you cry - where can I download this evil program?

Well, you can't. I'm sure it'll be back before long, though...

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

Anybody out there that uses Twitter will be pleased to know you can now wrap all your security people into a big ball of twitterness (or something) via this handy list. I never thought I'd reach the heady heights of "security twit", but there you go...!

About this Archive

This page is an archive of recent entries written by Christopher Boyd in March 2008.
