Christopher Boyd: August 2009 Archives

Today we're going to look at a malicious program that seems to take its cue from the Facebook Freezers I've written about previously. In those cases, the aim is to get a Facebook account banned by repeatedly entering an incorrect password into the login form. Here, the intent is to make using your XBox the most annoying thing in the world.

Here is the program in question:


Don't be fooled by the whole "friend" thing. This is not your friend. Or at least, it isn't if it's pointing directly at you. Assuming the attacker fires it up - and they're not going to leave it sitting on the desktop doing nothing - this is what they'll see:


"Friend request spammer"? This isn't going to end well, is it? Sure enough, simply type in the name of the XBox Live user you want to target on the left, login to XBox Live with your own account using the button on the right and you can begin your mischief. We should see what some of those other buttons do first, though - let's check out the Avatar and Gamercard buttons. In any other program, these might be handy features - but given the "spam attack" nature of this executable it all takes on a slightly creepy stalkerish vibe.

With the Avatar Searcher, you can call up an image that the target uses as their Avatar on XBox Live, additionally giving you the ability to save said images.

Why would you want to save these images? Who knows. Perhaps printing them out and pinning them to your wall, serial killer style, is all the rage these days.

Avatar Searcher, originally uploaded by Paperghost.

The Gamercard Searcher performs a similarly creepy function, grabbing a list of your most recently played games and your gamerscore. Perhaps the potential spammer really wants to cackle with glee over every aspect of your gaming life before trying to ruin it.

Gamercard Searcher, originally uploaded by Paperghost.

Anyway, let's get to the reason we're all here - spamming. And lots of it.

Assuming the attacker knows your Gamertag, once they hit the "Spam" button, as long as your XBox is online you'll see a friend request appear at the bottom of your TV screen:

Rapidfire Spam Requests, originally uploaded by Paperghost.

Imagine your dismay, then, when it turns out the attacker has gone out for coffee, a hot date and a night on the town leaving the Friend Spammer switched on. It's not long before your mailbox notifier is repeatedly telling you that something is going horribly wrong:

My inbox, it's under fire, originally uploaded by Paperghost.

8 friend requests from the same person in about 30 seconds. Before the first minute is up, your XBox Live mailbox looks like this:

16 messages in under a minute, originally uploaded by Paperghost.

While it's somewhat touching that this person wants to be your friend so badly, it isn't doing your sanity - or your connection - much good. Based on comments we're seeing on numerous Youtube vids & hacking forums related to this program, the effects range from lag to the XBox dashboard slowing to a crawl or crashing altogether (mine didn't crash, for the record, although it did become a little jerky when navigating menus). Additionally, some people report not being able to block communications with the spammers due to this happening when they try to do it:



Going into "Block Communications" will stop the messages from the user sending them to you (as long as you don't get the above error message) but one popular tactic seems to be queuing up multiple spam accounts in Virtual Machines then hitting you with a never ending series of spam messages. It seems setting your status to "Away" will also block these unwanted messages wholesale, so you might want to try that.

Hands up who else preferred it when gaming was just about shooting things in the face?
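One way a service operator (or anyone watching request logs) would spot the kind of flood described above, as an added example that is not the program from the post or anything Microsoft runs: a sliding-window counter over friend-request events, keyed once by sender (catches a single spamming account) and once by target (catches the several-accounts-in-virtual-machines variant, where no single sender crosses the threshold on its own). The events, the names and the "8 requests in 30 seconds" threshold (taken from the figures in the post) are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2009, 8, 1, 20, 0, 0)  # constructed reference time


def _at(seconds):
    return BASE + timedelta(seconds=seconds)


# Constructed friend-request events: (sender, target, timestamp).
SAMPLE_EVENTS = (
    # one spam tool pointed at "Victim": 8 requests in 28 seconds
    [("SpamBot1", "Victim", _at(4 * i)) for i in range(8)]
    # a genuine friend retrying a few times over an hour
    + [("Mate", "Victim", _at(s)) for s in (0, 600, 3600)]
    # four throwaway accounts sharing the load against "Victim2": 3 each, 12 in 26 seconds
    + [(f"Bot_{b}", "Victim2", _at(2 * i + 10 * j))
       for i, b in enumerate("ABCD") for j in range(3)]
)


def flood_alerts(events, key, window_s=30, threshold=8):
    """Sliding-window counter. key(sender, target) decides what gets counted.
    Returns {key: timestamp at which the threshold was first crossed}."""
    recent = defaultdict(deque)
    alerts = {}
    for sender, target, ts in sorted(events, key=lambda e: e[2]):
        k = key(sender, target)
        q = recent[k]
        q.append(ts)
        # drop everything older than the window; q is never empty here
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and k not in alerts:
            alerts[k] = ts
    return alerts


def floods_by_sender(events, **kw):
    """A single account hammering anyone: the plain Friend Spammer case."""
    return flood_alerts(events, lambda s, t: s, **kw)


def floods_by_target(events, **kw):
    """Many accounts hammering one person: the spam-accounts-in-VMs case."""
    return flood_alerts(events, lambda s, t: t, **kw)


if __name__ == "__main__":
    for name, fn in (("sender", floods_by_sender), ("target", floods_by_target)):
        for k, when in fn(SAMPLE_EVENTS).items():
            print(f"flood by {name}: {k} crossed the threshold at {when:%H:%M:%S}")
```

Keying by target is what makes the multi-account variant visible; a per-sender rule alone never fires on it, which is why "Block Communications" on one account is such a weak fix.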

Finding dumps of stolen logins is a common occurrence round this neck of the woods; if it isn't a bunch of XBox logins, it's 5000+ EBay / Paypal accounts. Well, here we have roughly 86 Windows Live ID accounts taken without permission, via a phishing page.

Windows Live IDs can be used to access everything from Hotmail and MSN to XBox Live and Zune. Grab a Live ID, and the number of ways you can ruin someone's day increases in spectacular fashion.

In this case, the target was XBox Live gamers, by way of a fake "Get Microsoft points for free" phish.

What I found particularly interesting here is that the collected data reveals the (borderline desperate) greed on the part of the victims - allow me to explain. Many of the most popular XBox phishes involve the site creator pretending to be an ex Microsoft employee, who just so happens to have a magical way to create "free" Microsoft points (which otherwise cost money, and are used for digital videogame transactions and Zune marketplace purchases).

Here's a typical example of said fakery:


There's normally a dropdown box (bottom right), asking the victim to select a fictional amount of points while they throw away their login details. More often than not this information isn't included in the phish dump, because the phisher couldn't care less how many points the victim is after. This is what you normally end up with:

As you can see, nothing more than the Live ID, the password and the date.

Here, however, each stolen account in the data dump looks like this:

Logged IP address: xx.xx.xx.x0 - Date logged: Monday 20th 2009 of July 2009 09:17:27 PM

For some unknown reason, the phisher decided to log the points the victim tried to obtain for free. This means we can gather up some data about the level of frenzied button mashing the victim goes through over a period of days.

Days? You bet. More on that later - for now, let's take a quick look at the amount of points the victims were dying to get their hands on. The stolen logins have been in circulation on forums for a while, and based on comments we've seen all of them have either been locked down or leeched but we've notified Microsoft anyway. All of the below were phished between Monday the 20th of July and Tuesday the 28th:

500 MS Points ($6.25 / 4.25 GBP) - 17 requests
1000 MS Points ($12.50 / 8.50 GBP) - 8 requests
2500 MS Points ($31.24 / 21.25 GBP) - 8 requests
5000 MS Points ($62.48 / 42.50 GBP) - 23 requests
10000 MS Points ($124.95 / 85.00 GBP) - 10 requests
20000 MS Points ($249.90 / 170.00 GBP) - 92 requests

In total, there were 167 attempts to get free points, with 9 misfires (which means the victim didn't pick an amount on the dropdown box, resulting in a "-Select-" left in the relevant data field). Roughly 86 individual Live IDs were phished, and the rest of the 167 attempts were repeated requests for points from the same handful of people - sometimes stretching over the full timespan from Monday 20th July to Tuesday the 28th.

One person made 24 requests over the eight days (at one stage making eleven requests for points in three minutes!), with 17 tries for the maximum amount of 20,000 MS points. That works out at 340,000 points not including his smaller requests, which means this person attempted to collect over FOUR THOUSAND DOLLARS worth of digital downloads for nothing.


In fact, he's still trying to get free points on the 28th despite not having actually received anything from the moment he tried way back on the 20th. The phisher who collected these logins deserves nothing but scorn; however, it's increasingly difficult to feel any sympathy whatsoever for some of the people caught up in the above data log.
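Added example (not the phisher's code and not the author's tooling) that tallies a dump in the style quoted above: it parses the odd "Monday 20th 2009 of July 2009" header format, counts requests per bundle and "-Select-" misfires, and works out the heaviest requester's total in MS Points and dollars using the price table from the post. The record layout (Live ID / Password / Points lines under each header), the addresses and the IDs are constructed; the page does not show the real dump's field layout.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Price table as given in the post, stored in US cents to avoid float drift.
PRICE_CENTS = {500: 625, 1000: 1250, 2500: 3124, 5000: 6248, 10000: 12495, 20000: 24990}

# Header line exactly as quoted in the post: weekday, day with suffix, a stray year, month, year, time.
HEADER_RE = re.compile(
    r"Logged IP address: (?P<ip>\S+) - Date logged: \w+ (?P<day>\d{1,2})(?:st|nd|rd|th) "
    r"\d{4} of (?P<month>[A-Za-z]+) (?P<year>\d{4}) (?P<time>\d{2}:\d{2}:\d{2} [AP]M)"
)

# Constructed sample dump; the Live ID / Password / Points lines are an assumed layout.
SAMPLE_DUMP = """
Logged IP address: 192.0.2.10 - Date logged: Monday 20th 2009 of July 2009 09:17:27 PM
Live ID: alice@example.invalid
Password: [not shown]
Points: 20000 MS Points

Logged IP address: 192.0.2.10 - Date logged: Monday 20th 2009 of July 2009 09:19:02 PM
Live ID: alice@example.invalid
Password: [not shown]
Points: 20000 MS Points

Logged IP address: 192.0.2.10 - Date logged: Tuesday 28th 2009 of July 2009 10:05:41 AM
Live ID: alice@example.invalid
Password: [not shown]
Points: 5000 MS Points

Logged IP address: 198.51.100.7 - Date logged: Tuesday 21st 2009 of July 2009 03:44:10 PM
Live ID: bob@example.invalid
Password: [not shown]
Points: 500 MS Points

Logged IP address: 203.0.113.5 - Date logged: Wednesday 22nd 2009 of July 2009 11:12:00 AM
Live ID: carol@example.invalid
Password: [not shown]
Points: -Select-

Logged IP address: 198.51.100.7 - Date logged: Tuesday 28th 2009 of July 2009 08:30:15 PM
Live ID: bob@example.invalid
Password: [not shown]
Points: 20000 MS Points
"""


def parse_header(line):
    """Return (ip, datetime) for a 'Logged IP address' line, else None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    stamp = f"{m['day']} {m['month']} {m['year']} {m['time']}"
    return m["ip"], datetime.strptime(stamp, "%d %B %Y %I:%M:%S %p")


def parse_dump(text):
    """Split the dump into one dict per record; 'Key: value' lines become lower-cased keys."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hdr = parse_header(line)
        if hdr:
            current = {"ip": hdr[0], "when": hdr[1]}
            records.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip().lower()] = value.strip()
    return records


def points_of(record):
    """Bundle size requested, or None for a '-Select-' misfire."""
    m = re.match(r"(\d+)", record.get("points", ""))
    return int(m.group(1)) if m else None


def summarize(records):
    by_amount, per_id, misfires = Counter(), defaultdict(list), 0
    for r in records:
        p = points_of(r)
        if p is None:
            misfires += 1
        else:
            by_amount[p] += 1
        per_id[r.get("live id", "?")].append(r)
    top_id, top = max(per_id.items(), key=lambda kv: len(kv[1]))
    days = [r["when"].date() for r in top]
    return {
        "attempts": len(records), "misfires": misfires, "unique_ids": len(per_id),
        "by_amount": dict(by_amount),
        "top": {"live_id": top_id, "requests": len(top),
                "points": sum(points_of(r) or 0 for r in top),
                "usd": sum(PRICE_CENTS.get(points_of(r), 0) for r in top) / 100,
                "span_days": (max(days) - min(days)).days},
    }


if __name__ == "__main__":
    print(summarize(parse_dump(SAMPLE_DUMP)))
```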

Is the only real solution to throw both phisher and victim into a bear pit, filled with angry bears who themselves hold an irrational hatred of both bear pits and bear pit trespassers?

Why yes. Yes it is.

A common warning in relation to many phishing attacks is "Look for the .com in the URL, because that's the official site domain - if you see that you know it's the real thing".

All well and good, but sometimes people find a way to place a ".com" in there anyway.

Here's a fake phishing page - note the URL:

Click to Enlarge

Amazingly enough, it's

The problem here is that we're so conditioned in relation to "Look for the .com" that many people will see this domain and think, well, it HAS to be legit - completely disregarding the "" part that comes after it.

Unfortunately, it isn't real in the slightest. How did they get the above domain to look the way it does? Well, a .tp domain is the top level domain for East Timor. You can't actually get them anymore (due to it being replaced by .tl), but you can get various subdomains through resellers. A quick jump over to, and....


....whoops. Of course, the fact that the fake site is promoting a "4th of July giveaway" would hopefully make people stop and think that all is not right here, but that's not an assumption I'd be comfortable in making.

Looking out for ".com" in a domain is indeed useful - but only if you pay attention to what comes after it.
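To make the "look for the .com" trap concrete, an added example (not from the post) that contrasts the naive string check with one that parses the hostname out of the URL and reduces it to the registrable domain. The suffix table is a small stand-in for the Public Suffix List, and the URLs are constructed, since the page does not reproduce the real lookalike domain.

```python
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (assumption: real code should load the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au", "tp", "tl"}


def registrable_domain(host):
    """'www.xbox.com' -> 'xbox.com', 'www.xbox.com.freepoints.tp' -> 'freepoints.tp'.
    Scans from the left for the longest known public suffix and keeps one extra label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def naive_looks_official(url):
    """The advice the post quotes: '.com' anywhere in the string counts as official."""
    return ".com" in url.lower()


def actual_site(url):
    """Parse the URL properly (userinfo, port and path stripped), then reduce the host."""
    host = urlsplit(url).hostname
    return registrable_domain(host) if host else None


def is_official(url, expected="xbox.com"):
    return actual_site(url) == expected


# Constructed URLs illustrating where a '.com' can hide without the site being xbox.com.
CASES = [
    "http://www.xbox.com/live",
    "http://www.xbox.com.freepoints.tp/july4",  # .com buried inside a .tp reseller subdomain
    "http://www.xbox.com@login-check.tp/",      # .com in the userinfo part, not the host
    "http://xbox.com.tp/",
]

if __name__ == "__main__":
    for url in CASES:
        print(f"{url:42} naive={naive_looks_official(url)!s:5} "
              f"site={actual_site(url)} official={is_official(url)}")
```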

There's an awful lot of people waking up today to find this view greeting them in their Twitter followers list:


Clicking into any of the profiles reveals them to be entirely blank - there are no Twitter messages posted on any of them. There is some text poking out from the profile picture, however:


Click into the profile image and you'll see this...


Pasting text messages promoting IM webcam bots in the profile image (instead of lots of fake Twitter messages posted all over the place) seems to be the latest way to try and avoid the "obvious spammer banhammer".

I don't think it's going to work...

"We're just letting these people know that law enforcement has been watching them....and action will be taken" - a policeman making the biggest mistake of his life

Not so long ago, had a rather bizarre message posted to the frontpage of the forum which read:

This underground forum has been monitored by law enforcement - every post, private message and all registration information has been captured. All member IP addresses and have been logged and identification processes are now underway.

The creation and distribution of malware, denial of service attacks and accessing stolen information are serious crimes.

Every movement on this forum has been tracked and where there is information to suggest a person has committed a criminal act, referrals will be forwarded to the relevant authority in each jurisdiction. There have already been a number of arrests as a result of current investigations. This message should serve as a warning not to engage in criminal activity.

At the time, we wondered if this was a typical prank being played by a leet hax0r - it's not uncommon to post up fake "THE FBI ARE WATCHING YOU" messages on forums, either as part of April 1st fun or because the site has been owned. The very thought that actual law enforcement would do something so dunderheaded was dismissed as a bit of a joke - and believe me, I've seen my fair share of law enforcement dunderheads.

However - hat-tip to Graham Cluley - if you go here (a documentary currently doing the rounds on Australian TV) and forward to about 38:00, you'll see something so utterly stupid it defies description.

"Hi gents, how we going", a policeman says as he walks over to a bunch of (clearly excited) boys with their toys, ready to unleash Hell on those evil script kiddies.


"What we're going to do, we're going to make a telephone call then post a message on this forum".

They then do the unthinkable - they actually have an Admin at the other end of a phoneline post THIS:

...on the frontpage.

The idiocy involved in this action is staggering. Are they naive enough to think the forum users suddenly started to flee in terror? Apparently so:

"The chances of obtaining any more information were blown - but it would create fear and paranoia among the cyber crims"

Oh dear. "Fear and paranoia"? Really? Unless there was a worldwide sting that rumbled into life the moment they posted this - and "referrals will be forwarded to the relevant authority in each jurisdiction" suggests otherwise - then all they achieved is two things:

1) They caused hundreds or thousands of script kiddies to wonder why the site admin was rolling out his April Fools gag in August, then go back to regularly scheduled programming elsewhere and

2) They caused hundreds or thousands of script kiddies to burn, shred, wipe or otherwise destroy their hard drives along with any and all evidence they ever built up during their hacking escapades.

Take a forum down, sure - but DON'T tell the World you just did it without covering your tracks and don't assume they don't have a ring of fallback forums to go to while the main site is down. Doing something like this means other researchers and law enforcement don't catch their targets at Points B, C and D because they already know they're being watched and have wiped all the evidence.

I've written about plenty of forum takedowns, but I've always been careful to remove site names in the blogs, or edit them out completely, or make it look like I was talking about one place when in reality it was a completely different site. To this day, there are some extremely big forums that have no idea I was involved even though details of the takedown (along with lots of screenshots of people pretending to be leet) were all over the place.

The end result is that the bad guys who want to keep on playing at bad guys continue to be watched while the part timers fall off.

This? This is assisting people to not get into trouble and an amazing lapse of judgment by one particular group of law enforcement officials. Police don't tip off bank robbers that they're about to be caught in the act, and I don't understand why warning people potentially thousands of miles away is acceptable where cybercrime is concerned. It seems the police have already tasted a bit of payback as a result of their momentary lapse in common sense and you can bet more will follow...

I've had a few enquiries come through with regard to this blog entry about a strange Facebook threat we found over the weekend, and whether it's the same thing as written about by the awesome Rik Ferguson over here.

To clarify, these are two totally different Facebook attacks so you need to man the battlements on all fronts, or something.

The threat Rik covered involves messages being sent, an actual application and phishing pages that mimic the real thing once you visit the external URL via clicking a hyperlink.

The threat we found has no actual application involved at all - instead, the (mis)use of a Facebook application URL (, with what was likely a phishing page related to "Customer disputes" somehow attached directly underneath the real Facebook app URL.

Be careful out there...

When you're looking into dubious activities online, you don't always catch bad guys in the act - every now and again, you get there a little too late and have to put the pieces together as best you can.

I'd heard rumblings of people using Facebook application pages in weird and not so wonderful ways, but hadn't actually seen it in action. Digging around, I was somewhat surprised to see the following greeting me on a Facebook application page for something called "Customer Dispute":

Click to Enlarge

As you can see, something is very wrong here - there's a valid Facebook URL:

...but instead of a standard Facebook application install screen under the URL as you'd expect, the entire content is taken up by a "Page not found" message served up by Ripway hosting (who are often used and abused by script kiddies with phish pages and rogue executable storage).

A quick Google for this "Customer Dispute" page and from a hacking forum we see...


..."New form of Facebook phishing"? Oh dear.

It seems someone set up an application developer account with Facebook, placed a fake "customer dispute page" onto their Ripway hosting, which they were somehow able to post onto their Application page and start directing Facebook users to it.

I don't know about you, but people are always complaining about something on Facebook - throw in a fake "dispute" page onto an actual Facebook URL and you're probably going to see stolen accounts roll in 24/7.

I was dying to know exactly what form the fake Customer Dispute page took, but the person responsible had obviously developed cold feet and pulled it. We notified both Ripway and Facebook, and also asked if they could enlighten us exactly what the content of the fake page was before whoever uploaded it took it down.

Ripway quickly closed the account of the uploader:


The thread on the hacking forum magically vanished, presumably because the creator didn't want evidence lying around the net tying it back to him:


Facebook (to their credit) reacted quickly - the dubious application URL now looks like this, which is a genuine "not found" page from Facebook with links that direct you back to the main site:

Click to Enlarge

.....a lot better than "phony content goes here".

I'm not naive enough to have actually expected either company to get back to me, but it would have been useful in knowing what we're dealing with here. While I can appreciate Facebook aren't going to go yelling about this scam from the rooftops if they can help it, they surely have a responsibility to at least warn their users that people are doing something very dubious with Application pages. Of course, it makes it harder for myself to warn you with specifics with regards the exact content of the page that was removed too.

At this point, all I can say is that

1) It seems very likely (based on both the comments posted to that hacking forum and elsewhere) that it was indeed some kind of phony customer dispute phish plastered onto the application page. The exact form that this page took is currently up for debate.

2) If one person has done this, it's entirely possible others have - with that in mind, if you see an

URL, but NO application - then be wary, especially if it's asking you to enter login details (Facebook credentials would, of course, be the obvious target). Otherwise you might end up with a clear case of Two Point Doh...

Just a tip, we're seeing - predictably - a lot of fake "Windows 7 serial generators" doing the rounds at the moment. They are, of course, fake frontends that are bolted on to an infection file (which can be anything the attacker feels like) and then sent out into the great beyond (aka Youtube).

If you see something that looks a little like this:

...you can be sure there will be a positively day-ruining experience bolted onto the fake program.

Avoid them all.

Mikko Hypponen of F-Secure noticed a hacking forum has a rather bizarre frontpage at the moment. Generally, when you see a hacking site with a message warning of "law enforcement monitoring" going on it means one of two things:

1) The site has been hacked
2) It's a practical joke on the part of the site owners. On April 1st, for example, many hacking sites take down the forum and throw up a large splash of the FBI emblem claiming everyone is "under surveillance", which is remarkably similar to the above. However, given that we're in the middle of August it's a little strange which raises the possibility of the site having been hacked.

What I find particularly interesting is that a number of well known (and not so well known) forums of a similar nature are currently offline - they're either not resolving or they look like this:

Click to Enlarge

"already has more than 'max_user_connections' active connections" - is the example above being hit with a DDoS attack? Possibly - it was mentioned as being a target when another well known site was defaced and used to redirect to shock porn a couple of weeks ago.

This is nothing new, of course - if sites don't DDoS each other out of existence, an admin goes rogue and dumps the database onto file sharing sites, or members get threats from companies & law enforcement, or owners rip off the users and it all ends up a little bit like this:

Click to Enlarge

Let's all raise a glass to our fallen forum brethren - or not, as is more likely to be the case...

You may have heard about a recent hack where a user of Flickr found all his photographs had been removed when a (probable) old flame broke into his account and deleted the whole thing. This started a discussion in regards to safe backups, and whether or not the user was playing with fire for expecting a third party image hosting service to keep backups of his images or not.

Many people upload images to sites such as Flickr, but think their data is "safe" purely because they also keep copies of their images on their PC. Well, as you're about to see, unless you have some form of dedicated backup system in place or an external hard drive, it can go horribly wrong very quickly. Take my advice, and DON'T wait for something to happen to your computer then facepalm and cry into a bucket for six hours. Go buy some storage, or at least use one of the many free online storage services and have some kind of contingency plan for your photographs. Now that we've got that out of the way...


Above is a program that claims to crank out "Image Worms". I don't recall worms looking quite so vicious as the one in the picture, but never mind. You hit "Select file to worm", pick an image file on your computer to plaster all over the victim's PC and click the "Build worm" button.

At this point, a file appears in the program directory:


At this point, it's merely a case of renaming the "Image worm server" file, making it look like an image file then sending it to a victim.

You might be wondering where the "worm" part comes into play, given the overall wormy theme going on here. The truth is, in testing we simply could not get the file to do any spreading of its own accord. If there is supposed to be a worm element to this, something has gone horribly wrong with the coding. It *might* still kick into life, perhaps, when the planets align and mystical portents of doom signify the end of the World. Until then, "Look at my awesome picture lol" is how this thing is rolling.

However, that doesn't mean horrible things aren't about to happen to your computer. Let's take a look, and imagine someone sends you a "picture". Open that file (which of course is actually an executable) and every jpeg on your computer will switch from this...

Click to Enlarge

to this:

Click to Enlarge

As you may have noticed, all of your treasured memories now say "Hacked" in the middle of a black background.

This is not a good thing. You did back these images up somewhere other than your PC, didn't you?

You didn't? Oh.

We detect this as PicSwitch.

Here's a rather basic program that attempts to artificially raise the viewcount on Youtube videos.


I say "basic", because it's not actually very good - Youtube recognises and quickly stops counting the fake clicks from the program after a short time.

Nice try, though...

Here's a rather worrying exploit on the XBox Live service that opens users up to profanity and (more seriously) the possibility of being socially engineered by people who appear to be official Microsoft representatives and / or people working for videogame companies.

What are they doing?

When you have an XBox Live account, you have a Gamertag - in other words, your username. Microsoft have things like profanity filters in place to ensure your username isn't full of swearwords, and it costs money to change your gamertag so in general it's unlikely someone is going to keep changing their gamertag simply to hassle someone. As a result, people who do hassle others on XBox Live are fairly easy to keep track of and hit with the banhammer when needed.

However - in the last few days, it seems an exploit (previously kept secret) has been leaked on a number of forums, and now it's rapidly spreading across the interwebs (or the gaming portion of it, anyway). As with all of these XBox related problems, it stems from being able to connect the console to the PC, edit data then place it back onto the console.

Without going into too much detail, you use a combination of this:

....and this:


....and then thoroughly hexing your data. Once this is done, your gamertag (when in a game) will temporarily look like whatever you placed into the edited data. Those of a nervous disposition sensitive to copious amounts of swearing might want to look away now:

Avert your eyes, children, originally uploaded by Paperghost.

Amazingly, you're not supposed to be able to do that.

However, this exploit not only allows you to call yourself Sweary Mc Swearword, it also allows you to leave the name space entirely blank, which results in much confusion and a decrease in the possibility of you being reported for bad behaviour. As you can see, these fake names filter through to services associated with XBox Live, so Bungie (creators of the Halo franchise) quickly end up with swears and / or blank names on their statistics pages. Here's a blank name:

The Invisible Man, originally uploaded by Paperghost.

...and here's some extremely offensive swear words, along with multiple users claiming to be Shishka, a well known Bungie staff member.

Swears and Shiska, originally uploaded by Paperghost.

Of course, this raises an important issue - if people can pretend to be well known videogame staff, they can also pretend to be Microsoft employees and then blow the doors wide open with regards phishing for information and / or login details. We'd already seen a few people talking about pretending to be "Microsoft admins", when someone emailed the following screenshot to us:

Hi, I work for Microsoft. No seriously., originally uploaded by Paperghost.

I've no idea who this person is, but as you can see, they claim to be "Microsoft!" Combine this with people running around in videogames asking for login credentials, and you have a bad situation.



We've passed on what we have to Microsoft and hopefully they'll address this issue quickly. For now, be wary of anybody claiming to be from videogame companies and Microsoft. If in doubt, headshot the sucker..

My foot, your head., originally uploaded by Paperghost.

The Matrix Online, an ill-fated MMORPG that finally had the plug pulled this week, has apparently prompted a mini-rash of scammery on Youtube. This is what it looked like yesterday:

Enter the Matrix (about a million times over), originally uploaded by Paperghost.

Yes, with the death of the game nostalgic Matrix fever is suddenly alive and well! All of these videos show up when searching for "Matrix Online", unsurprisingly. I particularly love the fake "removal" messages contained in some of the videos:

Anyone familiar with Youtube knows that if a video is removed, you get a "video has been deleted" message - they certainly don't let the uploader put a message in its place letting everybody know what's happened. Regardless, they state the Matrix Revolutions has been deleted due to a copyright claim by the hilariously generic "LLC Media" company.

Yes, of course.

Anyway, luckily we can access the film from the link in the description. To be more accurate, you can access a spamblog from the link (similar to the sites that peddle Zango in return for ripped movies), and clicking the movie link from the spamblog will present you with this:

Click to Enlarge

"You will be automatically redirected to a working video page after toolbar installation".

All lies, obviously (and the above is nothing more than a fake Youtube Gif with a spinning wheel in the middle), but let's see what happens anyway. If you're allergic to seeing installer pages that induce headaches you might want to look away now:

Photoshop frenzy, originally uploaded by Paperghost.

...yikes. Note the pre-ticked checkbox (if you can) that changes your homepage, along with the unfortunately placed "Never dies" under the installer button. A little jiggery pokery later, and you've installed the Firefox .xpi. Restart the browser, and....

EYES. GOGGLES. NOTHING. originally uploaded by Paperghost.

....your web browser is now officially hideous. In addition, there's no spoon, no Neo and no "free" movie.

There's a shocker.

Some of the videos on Youtube have been removed already, but at time of writing there's still a few of them kicking around. You might think people know these "watch a movie online" websites that offer up toolbars, installers and surveys are nothing but a scam but there's a good chunk of people out there who will fall for it, every time.

Don't be one of them...

About this Archive

This page is an archive of recent entries written by Christopher Boyd in August 2009.
