Recently in Instant Messaging Category

The Futility Of EULAs

| | Comments (1)
Here we have a typical IM toolbar (SweetIM), which has a rather curious EULA.

Sweet? Nope..., originally uploaded by Paperghost

Yes, they really want you to download this program. What particularly caught my eye was the age requirements on the EULA:

Please note: (1) you MUST be 13 years or older to install or to use the SweetIM Software. If you are not yet 13, do not download SweetIM Software

Thirteen? I must admit, I don't see many applications with an age requirement as low as that.

Okay, fine. You want to allow 13 year old kids to download this thing, fair enough; they're not stupid. However, if you're going to aim your app at kids that young, you probably shouldn't include a EULA that takes about six weeks to read.

Seriously, check it out.

Ten points to anybody who can explain how a reasonably intelligent adult could plough through that lot, let alone a kid. The default narrow web browser it opens in (see the above screenshot) makes it appear to be even longer than it actually is. I dusted off our EULA Analyzer to see what it thought of it all; the results are pretty much as you expected. That is to say, completely ludicrous:

swetim2.jpg

According to the above, an application that they want thirteen year olds to use has a EULA that's BEYOND twelfth grade reading level. For those of you not in the States, a twelfth grader is usually seventeen or eighteen.

Doh.

170 sentences, 5,000+ words, 34 odd words per sentence......enjoy, kids!
"Block Checkers" are those wonderful scam sites that claim to be able to show you who has you down as "blocked" on your favourite IM application. They've been around for a while, but always take the form of a website that you enter your details on. Once you've entered your login, you can expect to see your IM account sending lots of spam for viagra (along with adverts for the block checker site you used) to all of your contacts.

It's a rather spectacular way to lose all your friends on Instant Messaging (and quickly answers the question of "Who is blocking you". Answer: everybody).

Well, some wily individual has taken inspiration from the static webpages and come up with a Block Checker in the form of an executable file. However, this one has somewhat more sinister intentions than spamming links to a useless block check website with the occasional advert for a genuine rolex watch.

Shall we take a look?

mobbkck1.jpg

"MSN Block Checker", from Microsoft Corp. A quick check - aha - will reveal a different story:

mobbkck2.jpg

"MsnFake"? Oh dear. Here's what the program looks like when fired up:

mobbkck3.png

Do you want to see the obligatory fake error message that appears when you enter your Windows LIVE ID and hit "Sign in"? Of course you do.

mobbkck4.png

Faintly humorous that they left "MsnFake" in the popup box. Examining the code of the program rather gives the game away:

mobbkck5.png

Yes, your LIVE ID login will be mailed back to base. Given that your Windows LIVE ID could be associated with your IM account, your EMail, XBox Live and a bunch of other stuff this could be a Very Bad Thing(TM).

One bright spot here is that the program is being distributed in pieces - that is, as a collection of files and images that need to be compiled once you've entered the EMail address you want the stolen logins sent to. Here's what the typical wannabe user will see immediately after downloading it:

mobbkck6.png
Click to Enlarge

Hopefully this will result in lots of people creating absolutely unusable infection files, but it pays to be on your guard. NEVER, EVER run a "Block Checker" program because generally speaking a scam based on a scam is not a good thing to get tangled up in.

We detect this file as Mob.Blockcheck.
nolongeravphe1.gif

Yesterday, I wrote about an IM password stealer available to download from sites such as ZDNET / cnet.download.com. Well, it now appears to have been flushed from all related websites.

Thanks to the Download team for their quick response - they've shown a commitment to removing rogue elements from their download sections in the past, and incidents such as this seem to be few and far between.
Generally, download sites do a good job of keeping potentially undesirable programs off their network. You might see the oddly titled "family keylogger" program and wonder about the ethics of such a utility, but leaving those rather dubious grey areas aside, mostly things take care of themselves.

However, while browsing the cnet.download.com site today, I happened to find something rather peculiar in their "Network Monitoring Tools". Namely, this:

apheve101.jpg
Click to Enlarge

As soon as I saw the creator description of the program, I knew something wasn't quite right:

"Apheve is a great piece of software that has the ability to disguise itself as multiple IM programs including MSN, Skype, and BT Yahoo.This is perfect if a visitor is coming round who wants to access their IM account."


Wait, it "disguises" itself as multiple IM programs? And its name sounds like a bizarre slang version of the word "thieve" (A Pheve)?

Oh dear.

As you might expect, the program is available to download on numerous sites, including CNet Asia and ZDNet UK. Up for grabs since May 2008, the number of downloads is somewhat alarming:

18,214 download.cnet.com


9186 CNET Asia

455 ZDNET.co.uk

Not including other sites related to the above URLs, that means there's a grand total of at least 27,855 people (possibly) running round trying to steal your IM logins. (Check out the comments for more thoughts on what all those people may....or may not....be using the program for).

Did I say steal? Yes, I did. Presenting.... "Apheve":


aphevez0.PNG

Quite simply, you select the IM client of your choice - MSN Messenger, Yahoo IM or Skype - and hit the "Start!" button. Then you retreat to a safe distance and let your victim use the PC. As we've seen before, these kinds of programs work great for scammers in net cafes, libraries and schools / universities.

The victim will see one of these:

aphevemsn.PNG
Click to Enlarge

apheveyahoo.PNG
Click to Enlarge

Of course, both of those IM boxes are entirely fake. Should you enter your login details, you'll be shown an error message and wander away from the computer feeling vaguely annoyed. Meanwhile, the attacker jumps onto the same computer and clicks on the apparently harmless looking fake icon in the Taskbar - in this case, a picture of a DVD / CD:

fakeaphevetooltip.PNG

....and is presented with your login information, courtesy of a nifty popup box:

apheveskype2.PNG
Click to Enlarge

Is it just me, or does that go a little beyond the scope of "Monitoring Software"?

The program has absolutely no reason to exist other than harvesting login credentials.

Even the choice of targets seems designed to cause as much trouble as possible - Skype accounts will probably have unused call credit stored against them, Windows Live accounts may well be linked to EMail as well as IM, potentially giving access to yet more personal information, logins etc.

Any claim by the creator that this is intended for "network security" is fairly blown out of the water when we check out his Youtube channel, only to find...

apheve4.jpg
Click to Enlarge

...he's promoting it with the title "How to hack Msn, Skype or Yahoo with Apheve 1.1", with "Apheve pro - The ultimate hacking tool" in the description.


The only good thing here is that due to the program being around for a while, the fake versions of Skype, Windows Live Messenger etc look rather outdated and not very much like the real, current versions. The DVD / CD icon in the corner could also be a giveaway, though of course you can change that if you really want to.

We've EMailed the Downloads team, and will post again when we hear back from them.


Given the rather single-minded purpose of this application, I'm a little surprised it managed to squeeze through the cracks. The above download sites may well be "Tested Spyware Free", but they're currently not "Tested Horrible IM Stealing Piece of Junk Free".

Hopefully that might change shortly...

Stop: Spammer Time

| | Comments (0)
Awful title gag aside, it seems someone is having a little fun in MSN Messenger land.

They've gone out and phished a number of accounts, then added all the people on their contact lists into one single file available to download.

msnhrsz1.jpg

Why? So you can add all 976 of them to your contact list then start spamming / harassing them.

msnhrsz2.jpg

Of course, the "MSN harassment list" has one fatal flaw - you don't HAVE to accept that random friend request that just popped up on your desktop.

So don't :)
It's yet another "login here to send all your contacts endless amounts of spam" website. This one is called

meetyourims.com

...and looks like all the other ones.

meeturim1.jpg
Click to Enlarge

Created on the 3rd of April 2009, there's also a curious addition to their (always changing) Terms & Conditions:

"You also understand that by temporarily accessing your msn account, CSS Management Inc. is NOT agreeing to MSN's terms of use and therefore not bound by them."


Comical...
Yesterday we came across something we haven't seen before - a fake Instant Messaging program used to share stolen data to the masses via the wonders of FTP. Let's begin by introducing iMess:

imess1.jpg

As you can see, there's two parts to this - the iMess application that steals your MSN login, and "HQ" - the file that lets you grab said stolen data.

This is what the iMess program loading screen looks like when fired up, rather humorously using what appear to be ripped versions of Smilies from the ASK range of products, along with a list of "features" such as "Anti Block System" and "Hundreds of skins":

imess3.jpg
Click to Enlarge

It's all very slick, and designed to set the end-user at rest. No scam looks that professional, surely?

Well, actually...

imess4.jpg

....whoops, it does. Note that it's called iMess2 - no idea what happened to the first one, but perhaps that's another confidence trick. At any rate, if you enter your login details, you'll see that staple of rogue applications - the fake error message:

imess10.jpg

While this is taking place, it's probably a good time to crack open the code and see what's taking place:

imess2.jpg

Did your MSN login details just get sent to an FTP server in the Netherlands? I think they did.

Want to see where they end up? Sure you do! Time to fire up the "HQ" program - which is used as nothing less than a sort of communal sharing zone for stolen logins. Put simply, if you run HQ, you can see ALL of the stolen logins obtained around the World and sent to the FTP server.

"HQ" stands (rather appropriately enough) for "Headquarters". First you'll see the below - a splash page of sorts, telling you the last time the stolen data was "cleaned" (ie tidied up), with two buttons - "Contact" and "Accounts".

imess5.jpg
Click to Enlarge

It's the accounts we're interested in...

imess8.jpg

As you can see above, there are a number of buttons across the top. Simply hit "Connect" to connect to the FTP server, then hit "Get list" and all of the accounts stolen via this program are displayed in the bottom panel. If you want the password for any of the accounts, left click one then press "Show" and...

imess9.jpg

The login details are yours for the taking. From there, you can use the stolen logins to send spam or infection links via those accounts, dip into EMails that use the same logins (harvesting any additional data / logins stored inside) ....the choice is yours.

It's a common theme of phishing scams (for example) that a ringleader effectively orders the troops to go out and phish under the illusion they get something at the end of it, when in reality the person at the top of the chain keeps all the data.

Here, we have a bizarre example of using rather slick faked IM technology, sharing stolen data with the masses "for the greater good" (in the loosest sense of the phrase of course - there's nothing particularly "good" about this).

Hang onto your MSN Login details and avoid this program.
Someone has created a couple of fake applications currently in the wild, both made to look like legitimate chat programs. They're pretty convincing:

fkaim1.jpg

fkaim3.jpg

We've seen these kinds of scams before, and as with those programs, when the victim enters their details they're stored locally on the PC (in this case, storing them in Settings.ini) for the attacker to collect.

Though this means physical access to the PC is required (think net cafe scammers hawking around unsecured PCs), for around 5$ you can buy an upgraded version which sends the stolen data to an FTP server.

Okay, I hear you cry - how do we spot these particular nasties?

Well, it seems vanity has got the better of the creator. They just couldn't resist putting in a "hidden" about page that tells you who made them - presumably for bragging rights on forums.

This works great for us, especially when I do so enjoy randomly clicking around on the surface of rogue programs just in case something amazing pops up.

As luck would have it...

fkaim2.jpg


fkaim4.jpg


Thanks, vain hacker type person. Obviously, this will only work where you're presented with a PC running either of the above, but it's better than nothing...
Here we have the latest in a long line of scam sites wanting your MSN Login details so they can send URLs to everyone on your contact list. Here's a screenshot of one such message:

cpi1.jpg

Click the link, and you're taken to

crazy-party.info

cpi2.jpg
Click to Enlarge

Interestingly, the previous set of websites (all six billion of them) were supposedly run by a company in Panama, but as you can see here, the site was actually controlled by a group in China with ties to all sorts of dubious practices. This time round, the company isn't named as "TST Management", but "TP Limited". The information on the Whois data shows the site was registered fairly recently (7th of November 2008), and is registered to "Topyaa".

I'm sure we haven't seen the last of these...

Television often relies on fake codes, phone-numbers and addresses to make up part of their fictional worlds. Sometimes, it can go slightly wrong - how many people tried to call Doctor Who last week?

D'oh.

Actually, "D'oh" is rather appropriate here. In an old episode of The Simpsons, it was revealed that Chunkylover53@aol.com was Homers Email address. Of course, Simpsons fans galore with net access immediately added "Chunkylover53" to their AIM contact list. As this article points out....

Homer's e-mail address chunkylover53@aol.com, as seen on EABF03, was registered by writer-producer Matt Selman, who also replied to e-mails from fans testing it. "He logged in the night that the episode aired and it was immediately filled with the maximum number of responses. He's tried to answer every one of them and then as soon as he answers a hundred, a hundred more pop in," Al Jean told the New York Post in January 2003.

What's interesting here is that as far as I'm aware (and please, correct me if I'm wrong), the AIM screen-name"Chunkylover53" is not necessarily connected to the "official" chunkylover53@aol.com email address - anyone could have set up that AIM screen-name, using whatever EMail address they feel like. However, people will naturally add "Chunkylover53" to their AIM accounts thinking it will be the "real" Homer. This is where the problems set in

The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message....

kimya0.gif

...yes, "Homer" has seemingly returned, and he comes bearing infection files!

Of course, the "exclusive Simpsons episode" is nothing of the kind - what you actually download is a file called "Kimya.exe", about 150kb in size, and it looks like this:

kimya1.jpg


Run the file, and you won't see a new Simpsons episode - you're actually more likely to see this:

kimya2.jpg


....a strange error message that mentions "photos" (probably fake), followed by lots of real error messages as most of your desktop fails, leaving you with an entirely blank screen:

kimya3.jpg


kimya4.jpg

Click to Enlarge (if you really must!)

From this point onwards, the PC will likely need a reboot and will be sluggish until cleaned up, constantly throwing out error messages, crashing when attempting to open Windows Explorer etc.

Now, given that the infection links are being passed around via IM Away messages, there was always going to be the possibility of an Instant Messaging worm attack. However, a lot of testing has taken place and so far, we haven't seen any malicious messages or URLs sent via AIM or MSN Messenger.

That's no reason to get complacent though, because what we have seen taking place is possibly quite a bit worse. First of all, a number of hidden files are dropped onto the PC, including Rootkit technology (which the bad guys have helpfully pointed out in the code):

rootkitkim.jpg


Worse, your PC is deposited into a Botnet of Turkish origin - here's the giveaway traffic stream via an Ethereal log:

kimyabots.gif


....awaiting further instructions from the Botnet C&C center. This particular Botnet has been around since March of this year. The Turkish connection is interesting, because I haven't seen too many Turkish Botnets - and there's been quite a surge in hacking activity from Turkey recently (most notably the DNS attacks on Photobucket and ICAAN by NeTDevilz).

Finally, the infection drops a number of other files onto the PC besides the Rootkit, which are seemingly related to a new variant of this Chinese infection.

It's worth noting that there may only be Instant Messaging infection links sent out if the person running the Botnet Command Center decides to issue all the drones with such a command - so while we haven't seen any IM infection activity, it would be wise not to rule it out completely. We recommend infected users keep an eye on all Instant Messaging activity until they can clean the infection from their computer, just in case.

Whoever is responsible for these messages has changed them a couple of times already - last night, the download link had been updated to look like this:

kimya66.gif


...and it currently advertises a link for a dating website:

chunkyaway.jpg


We've reported all links related to this attack, and at least two of the files claiming to be "exclusive Simpsons episodes" are currently offline, though there's bound to be more out there. For now, this is a good reminder to be cautious when randomly adding cool things seen on TV and film to your online applications - you can't always assume the person at the other end is entirely in control, or indeed, related to what you're looking for in the first place.

We detect this infection as Kimya.

Additional Research: Chris Mannon, FSL Senior Threat Researcher
Deepak Setty, FSL Senior Threat Research Engineer

Pages

About this Archive

This page is a archive of recent entries in the Instant Messaging category.

In The Press is the previous category.

Instant Messenging is the next category.

Find recent content on the main index or look in the archives to find all content.