Recently in Instant Messenging Category

This application is made by the same individual who created the Win32.Spin "application". However, this is quite a bit more malicious than opening up a bunch of browser windows. The hacker chooses a PC that they know will be used by lots of different people - web cafe, library, school, wherever. They install their fake application (designed to look like MSN Messenger Live), let the victims run it, then steal their login details.

How do they do it? Well, let's take a look. First of all, the icon for the executable doesn't look too convincing, does it:

[Image: fmsn0.gif]

If you check out the properties for the application, you'll see something strange:

[Image: fmsn1.gif]

"Project1-Logs to Text Doc"? That doesn't sound like something a Microsoft application says when you right click it. The plot thickens! Finally, when you run the application, you can't move it around your desktop (it stays stuck to the middle of your screen), or click on anything bar the checkboxes and the "login" button (although obviously, it allows you to type in your username and password).

[Image: http://blog.spywareguide.com/upload/2008/03/fmsn2-thumb.gif]

After you hit the sign in button, you'll see this error message:

[Image: http://blog.spywareguide.com/upload/2008/03/fmsn3-thumb.gif]

"Windows Live Messenger can not sign you in right now, please try again later". All lies, of course. What happens now? Well, let's take a look at the code:

[Image: fmsn4.gif]

Sitting either side of the fake error message, we can see two things. One, the creator is called "David" - always useful to know. Two, the login details are written out to a .txt file in the root of the C: drive.

[Image: fmsn25.gif]

....and there it is! Shall we open it up and take a look?

[Image: fmsn45.gif]

Success! The password has been dumped into a location where the hacker can easily retrieve it at their leisure. Ah, I hear some of you cry - where can I download this evil program?

Well, you can't. I'm sure it'll be back before long, though...

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

We've had a few reports of the (now familiar) style of site that asks you to enter your MSN Messenger details in return for being informed who "has you blocked". The site in question is called

msnliststatus.com

Not only is it a bad idea to simply fill in ANY login details on a random website you happen to come across, I don't think I've ever seen a single website offering this "service" actually carry it out successfully.

On the bright side, the site does offer you some terms of service to look at before you sign up:

[Image: termsofuse1.gif]

Sadly, it all goes horribly wrong when you realise half the text is hidden behind the image on the right hand side:

[Image: http://blog.spywareguide.com/upload/2008/02/termsofuse2-thumb.gif]

The site does this in both IE and Firefox. Can't say I've ever seen that before. Note that the really important part (the bit that says your messenger contacts will be sent adverts via MSN) just happens to be hidden by the graphic. Here's how it reads with the text obscured:

By using this service you optin receiving email advertising from blockdelete.com. will receive an advertising message from you when you use this service.

Without the hidden first part, an end-user could potentially think it's talking about the opt-in Emails you receive when using the service. Now let's add the missing section back in:

By using this service you optin receiving email advertising from blockdelete.com. Your messenger contacts will receive an advertising message from you when you use this service.

A bit of a difference!

There seems to be a new MSN Virus doing the rounds, in the (now common) guise of a .zip file which (of course) harbours a malicious executable.

In this case, the .zip file has a handily recognisable name:

[Image: tanya2.jpg]

Check out what happens to your PC if you run the file:

[Image: http://blog.spywareguide.com/upload/2007/09/tanya6-thumb.jpg]

The machine is pretty much buried under a 100% CPU load - if you ever wanted to experience Bullet Time, here it is minus the backflips and machine guns. Here's an example of the kind of messages you can expect to be sent from an infected user:

[Image: http://blog.spywareguide.com/upload/2007/09/tanya8-thumb.jpg]

With regard to spread, it seems to be fairly low at the moment. The handful of infections we've seen so far include a number of forum-goers in Singapore and Japan, and a few people asking for help in Italian. The messages sent by the infection file seem to be fairly limited, and include:

"Who is this girl?"

"Do you remember this girl? I can't believe she took this pic..do you know her?"

"Who is this girl? She said she likes you :D"


We detect this (unsurprisingly enough) as TanyaBabe.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Deepak Setty, Senior Threat Researcher
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

Recently, I was in Singapore to give a number of talks on Spyware and Adware attacks. Interestingly, a number of people in the area Emailed me to let me know about something infecting their friends via MSN Messenger. As we investigated further, it did indeed seem to be based around the Singapore area (with a few mentions of it on Chinese forums, too). Here's a screenshot from a popular Singapore community forum:

[Image: http://blog.spywareguide.com/upload/2007/08/singworm4-thumb.jpg]

...and here's a screenshot from a Chinese forum:

[Image: http://blog.spywareguide.com/upload/2007/08/singworm5-thumb.jpg]

...note the Flag of Hong Kong in the bottom left hand corner. All the cases we've seen of this so far have been limited to the Singapore region, with a couple of individuals mentioning it on Hong Kong-centric forums. Of course, this doesn't mean there aren't other victims out there but the spread so far seems to be quite limited.

Check out this map -

[Image: singworm8.jpg]

There are many, many domains hosting the main Executable (dubbed "Singworm") pushed by the Instant Messaging infection link, the majority of which are hosted in Hong Kong and Taiwan. Yet another file (Winsys.exe) is downloaded from a number of different servers, one of which is apparently running out of Israel.

[Image: winsysexefile.GIF]

Variants of Winsys.exe have been known to be involved in various types of data theft, including login details, banking information and personal data.

The worm itself is mostly built for Spamming, with elements of the Stration Worm and other pieces of Malware thrown in for good measure.

It starts, as it always does, with the downloading and execution of a single file - in this case, rather oddly called "I.am.exe":

[Image: http://blog.spywareguide.com/upload/2007/08/singworm1-thumb.jpg]

As soon as you run the file, the system attempts to start sending spam via the collection of files already deposited on the PC. At certain points in time, the amount of spam the system was trying to send was so great that the testbox slowed to a crawl and a reboot was needed. Here are a few of the files dropped into the System32 folder:

[Image: http://blog.spywareguide.com/upload/2007/08/singworm2-thumb.jpg]

At this point, if you have MSN Messenger, the inevitable infection link will appear in the chat window of your contacts, accompanied by the message "here are new smiles for MSN, they are incredible!":

[Image: http://blog.spywareguide.com/upload/2007/08/singworm6-thumb.jpg]

....and of course, you'll send your infection link again.....and again.....and again.....

[Image: http://blog.spywareguide.com/upload/2007/08/singworm7-thumb.jpg]

At this point, detection for most of the files involved in this on Virustotal.com is sketchy at best. We've notified MSN of this threat - in the meantime, if you're in the Singapore and Hong Kong regions, be aware of any strange links coming through from your colleagues...
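As an added illustration from the defender's side (this is not code from the original posts), here is a small Python scanner that applies what the TanyaBabe and Singworm write-ups above describe: it flags IM messages containing the quoted lure phrases or links to archives/executables, and reports accounts that push one such link to several contacts in a burst, the worm-like fan-out shown in the screenshots. The log format, sender names, hosts and links are all constructed for the example.

```python
import re
from collections import defaultdict

# Lure phrases quoted in the write-ups above (TanyaBabe and Singworm),
# lower-cased with punctuation removed to match normalize() below.
LURE_PHRASES = (
    "who is this girl",
    "do you remember this girl",
    "she said she likes you",
    "new smiles for msn",
)

# A link pointing straight at an archive or executable is the delivery
# vector described above (a .zip harbouring an .exe). ".com" is deliberately
# not in the list: it would match every ordinary domain name.
LINK_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
RISKY_EXT_RE = re.compile(r"\.(?:zip|rar|exe|scr|pif)$", re.IGNORECASE)

# Constructed log format for this example: "<time> <sender> -> <recipient>: <text>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):\s*(.*)$")


def normalize(text):
    """Lower-case and collapse punctuation so 'pic..do you know her?' still matches."""
    text = re.sub(r"[^\w\s]+", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def lure_hits(text):
    """Return the known lure phrases present in a message body."""
    norm = normalize(text)
    return [p for p in LURE_PHRASES if p in norm]


def risky_links(text):
    """Return links whose path ends in an archive/executable extension."""
    links = [l.rstrip(".,;!?)") for l in LINK_RE.findall(text)]
    return [l for l in links if RISKY_EXT_RE.search(l.split("?", 1)[0])]


def parse_line(line):
    """Split one constructed log line into its fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, sender, recipient, text = m.groups()
    return {"ts": ts, "sender": sender, "recipient": recipient, "text": text}


def scan(lines, fanout_threshold=3):
    """Classify each message and detect worm-like fan-out of one link.

    Returns (alerts, fanout):
      alerts - list of (sender, recipient, reasons) for messages carrying a
               lure phrase or a risky link;
      fanout - {sender: set(recipients)} for senders that pushed the same
               risky link to at least fanout_threshold distinct contacts.
    """
    alerts = []
    link_targets = defaultdict(set)  # (sender, link) -> recipients it was sent to
    for line in lines:
        msg = parse_line(line)
        if msg is None:
            continue
        reasons = []
        hits = lure_hits(msg["text"])
        if hits:
            reasons.append("lure:" + "|".join(hits))
        for link in risky_links(msg["text"]):
            reasons.append("risky_link:" + link)
            link_targets[(msg["sender"], link)].add(msg["recipient"])
        if reasons:
            alerts.append((msg["sender"], msg["recipient"], reasons))
    fanout = {}
    for (sender, _link), recipients in link_targets.items():
        if len(recipients) >= fanout_threshold:
            fanout.setdefault(sender, set()).update(recipients)
    return alerts, fanout


# Constructed sample log (not real traffic): one infected account blasting the
# same lure and link to several contacts, plus benign chatter that must not fire.
SAMPLE_LOG = [
    "10:01 alice -> bob: Who is this girl? http://files.example.invalid/tanya2.zip",
    "10:01 alice -> carol: Do you remember this girl? I can't believe she took this pic..do you know her? http://files.example.invalid/tanya2.zip",
    "10:02 alice -> dave: She said she likes you :D http://files.example.invalid/tanya2.zip",
    "10:05 bob -> alice: lol what? see you at lunch",
    "10:07 erin -> frank: here are new smiles for MSN, they are incredible! www.smiles.example.invalid/smiles.exe",
    "10:09 frank -> erin: sending you the report http://intranet.example.invalid/q2-report.pdf",
]

if __name__ == "__main__":
    found, bursts = scan(SAMPLE_LOG)
    for sender, recipient, reasons in found:
        print(f"{sender} -> {recipient}: {', '.join(reasons)}")
    for sender, recipients in bursts.items():
        print(f"fan-out: {sender} pushed one link to {len(recipients)} contacts")
```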

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: CC, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, FSL Senior Threat Researcher

Based on recent research, FaceTime has found that security incidents targeting public IM and P2P channels increased by 5 percent in Q2 2007 compared with Q1 2007. In contrast, last year we saw a 35 percent decline over the same period, from Q1 to Q2 2006. We didn't cover this report on the blog at the time, as the GTA story was rolling out full steam, but it is worth the time to read the analysis.

Some Highlights

A total of 317 incidents were reported during Q2 2007, bringing the total since Jan. 1, 2007, to 618 incidents. Ongoing research reaffirms a cyclical nature to malware threats with peaks in each year, typically in the spring and fall, followed by lulls in the summer and winter. In 2007, security incidents declined somewhat during the first quarter from a high in January. In the second quarter, security threats climbed again, but appear to have peaked in June. If previous patterns hold, we can expect a decline in the summer, followed by an upswing in the early fall.

From Q1 to Q2 2007, attacks spread via the mainstream networks (Yahoo, MSN and AOL) dropped from 74 total incidents in the first period to 64 in the second quarter. Attacks spread via AOL dropped by more than half (from 28 incidents to 13). Overall, the MSN network accounted for 50 percent of the attacks on the major networks, followed by Yahoo at 30 percent and AOL with 20 percent.

Some Key Findings


-- Increase in IRC attacks

As we predicted earlier this year, attacks spread via Internet Relay Chat (IRC) continue to account for a growing percentage of all attacks. In fact, the percentage of attacks that are IRC-based has risen in each of the last six quarters, rising from a 59 percent share in Q1 2006 to 72 percent in the current quarter.

-- Single channel attacks vs. multichannel

Similarly, single channel attacks (security incidents that propagate via only one vector, such as AOL, Yahoo or IRC) now account for almost three-fourths of all attacks. The percentage of attacks that are single-channel has also risen in each of the last six quarters, growing from a 46 percent share in the first quarter of 2006 to 71 percent in Q2 of 2007.

View the full report here along with past reports. It is important to note with the rise of unified communications and Web 2.0 we can expect attacks along social vectors to become more subtle, creative and far more sophisticated.

While single channel attacks continue to dominate, in May we covered this example of an attack through Skype (the ultimate payload being the Stration Worm) with the built-in intelligence to go after other IM services. I feel this is a good example of what we can expect long-term.


Research and Summary Write-Up: Wayne Porter, Senior Director of Special Research

Our CEO, Kailash Ambwani, talks on the greynets concept and how the majority of internet traffic has evolved from HTTP to communicative application traffic. Ambwani discussed how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, FaceTime is about enablement and controlling these innovations inside the Enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users - the forward thinkers and innovators - will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one and I would note to pay particular attention to how anonymizers, like Rodi and / or Tor, can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (designed by the EFF), can be used as anti-censorship tools, especially in countries where this is a problem.

However, they can be a disaster, a potential legal nightmare for large enterprises and I.T. administrators to manage. Kailash goes on to note how malware is now profit driven...in his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools allowing the propagation of content like video across the Enterprise. This can also be problematic given attacks like Windows Meta Frame exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.


I have just returned from Affiliate Summit West 2007, where I went scouting the current state of advertising, ethics, and what the future holds for people. I will have more on that later. I will say that giant waves seem to be rippling under the surface, and *maybe* in the direction of cleaning up some of the problems...no miracles are in sight, but I saw some positive signs for a change.

With that jaunt over I have to dig in to grab a day or two of rest and then prepare for the RSA show with colleague Chris Boyd...Want to meet him? Now you can! He might do an autograph, conduct a symphony, or show you cool bow staff fighting skills as a bonus. He really CAN do that kind of stuff.

I wanted to take a moment here at the labs to cordially invite you to meet up with us at the RSA conference in San Francisco Feb 5-9. Yes- spend some facetime with FaceTime Communications, the leading provider of solutions for securing and managing instant messaging, peer-to-peer file sharing and Web-based greynets.

Where will you all be?

We will have folks at Booth #2537. Paperghost and I will be there and perhaps other places too...skulking about, being a general menace, and the usual things we do at events- look around, talk to people, and try to snag food.

What is RSA?
Recognized as the largest IT security conference and expo, RSA Conference 2007 is a must-attend event. With a variety of conference tracks to select from, you'll learn strategies to address today's information security problems, and gain insight into the issues of tomorrow. FaceTime is presenting not one, but two presentations for your enjoyment.

Presentation One

February 7th, 9:10 AM - 10:20 AM
Session Code: 2069
Botnet Live: Tracing, Chasing and Building the Case to Bust the Bad Guys
Speakers Chris Boyd and Wayne Porter, FaceTime Security Labs

[Image: jan07_rsa_poster.gif]

This presentation is by Wayne Porter, yours truly, and led by the kung-fu style malware fighter Chris Boyd a.k.a. PaperGhost- we work in the labs doing all kinds of things you normally would not think about. For a little background on some of this I strongly suggest you check out the podcasts we did a few months ago- because they set the stage for just how incredible the cascade of events can become when you follow the story deep, deep into the abyss. We will also talk a bit about social media, the importance of being out in the field, economics and actually talking to people. Chris, who is a masterful story teller will give you a pretty amazing tour of the underbelly.

The Podcasts

Teaser Cast

Spyware Warriors and the Digital UnderGround Podcast: Part 1 and Part 2.
You can even download them into mp3 format and listen on the go.

Next Up....Our CEO in this Peer2Peer session....

February 7th, 12:30 PM - 1:20 PM
Session Code: P2P-204B
Skype and IM at the Office: User's Birthright or Security's Death Sentence?
Moderated by FaceTime President and CEO, Kailash Ambwani

[Image: jan07_rsa_poster_kailash.gif]

Kailash, our CEO, while perhaps not as dashing as we research types in the drawn form you see before you, knows his stuff when it comes to business communications, and when you get a title with "Birthright and Death Sentence" in one line...well, how can you not be intrigued? Given the rapid adoption of VoIP and IM, this is a must-attend panel - especially if you want to understand some of the legal ramifications and the nature of greynets, where good can be bad, and bad can sometimes be good. It is all a matter of perspective and policy.

Want to meet other FaceTimers? Check in at booth #2537 to see demos of our products and solutions, including the recently announced FaceTime Internet Security Edition which includes our award-winning RTGuardian appliance- you can find more about it on the FaceTime Security Products Site.

This is a bit of a pitch, so you are warned, but this is what we do: we combine core gateway security capabilities such as Web filtering and anti-spyware with security for today's greynet applications on a single platform with common policy and management. The FaceTime Internet Security Edition reduces complexity and increases the efficiency of the enterprise security infrastructure to reduce overall total cost of ownership. We will also have demonstrations of our flagship instant messaging security and compliance solution, FaceTime Enterprise Edition. Why the big deal? FaceTime Enterprise Edition helps organizations meet the new eDiscovery regulations (here for whitepaper) for electronic communications that went into effect December 1, 2006.

So please be our guest we would love to meet you. You can even attend the RSA Conference 2007 Expo compliments of FaceTime. Just register at http://www.rsaconference.com/2007/us/ and use code EXH7FAC for your FREE Expo Pass - a $100 value!*

We hope to see you there!

* You must pre-register before February 2, 2007 for your FREE Expo Pass. Make a note of it!

Our yearly review of Instant Messaging and Peer to Peer threats has hit the streets, and the results can be seen here. Combining data from recent analysis with the October 2006 Greynets Survey, the overall picture is that of a security landscape where the number of threats has reduced since 2005, but the danger has actually increased. There is also a focus on what these problems mean for businesses, and the fact that these issues affect companies both small and large - no one is immune.

"Despite myriad security technologies employed by enterprise IT managers to block malicious attacks, the user is often the biggest vulnerability, especially on the real-time, socially-networked Web" said Frank Cabri, vice president of marketing for FaceTime Communications. "In 2007, the biggest security risk for organizations is likely to be their own users, as employees install consumer-oriented greynet applications onto their workplace computer faster than the IT team can keep up with the corresponding controls."

...I'm sure if you work in a large environment where everyone is in front of a PC you can relate to the above scenario - how many people do you personally know involved in covert installs of their favourite IM client, game or other program on a work PC? You might want to consider some covert moves yourself next time you see them and warn them of the dangers they're potentially bringing into the office!

In Internet News Week our V.P. of Marketing Frank Cabri makes a notable quote along the lines of our usual rapier wit-wielding MVP- Chris Boyd. (e.g. describing IM safety along that "Ben Stiller and Circle of Trust Kind of Thing".)

"Some organizations' ears are ringing from this consumerization of an IT trend and the fact that employees are bringing in unsanctioned applications through the back door," Cabri said. "Organizations are hearing about it from us, from some of the industry analysts, and in many cases, seeing it first hand on their networks."

And yet there are still many that aren't aware of the issue, and usage continues to grow. The recent Mark Foley case in the U.S. Congress, in which Instant Messaging was used to send inappropriate messages to a teenage congressional page, is a case in point.

"Sometimes it takes a Mark Foley-like situation to happen in your own organization to raise awareness of the risk and the impact," Cabri noted. "Obviously, our goal is to help customers before this happens."

"Lets face it, no business wants to get 'Foley'ed' on a national level -- the business consequences of this could be extremely negative."

Ouch- "Foley'ed"- apt coinage indeed. Frank is, of course, referring to the Mark Foley scandal that recently emerged over IM.

Learn More: See a brief video of Kailash Ambwani, our CEO at FaceTime Communications...as he covers why words like "guarantee" and "rumor", or incidents like the Mark Foley scandal, and failing to monitor IM (or other greynets) can lead to big problems, especially if you are a big company.

This cascade of events is one of the drivers that is forcing big companies to take a hard look at their corporate policies, especially with regulatory challenges like:

- Gramm-Leach-Bliley Financial Modernization Act (GLBA)

- Sarbanes-Oxley Act of 2002 (SOX)

- Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Will the Foley Force raise awareness of the issues? Good question, and more pertinent than ever now that December 1st approaches. What is the big deal about December 1st? It is "E-discovery Day", when things could get more tedious and potentially more costly for the Enterprise if they are not prepared.

E-discovery refers to finding and producing documents stored in electronic form in response to litigation or regulatory requirements. Civil litigants, regulators and criminal prosecutors as a matter of course now ask for copies of selected e-mail communications or make broad requests for all electronic records. After Dec. 1, changes set to take effect in the Federal Rules of Civil Procedure make e-discovery a standard part of federal proceedings.

So where can you start if you are a large enterprise? First, figure out how much instant messaging traffic is going on in your network; you might be surprised not only by the traffic, but by the other insidious malware that rides along with it. FaceTime has a free tool called RTMonitor that can help with this, or you can contact them for a demo.

Best Practices for Emerging Compliance Challenges: Electronic Messaging and Communications (ReymannGroup):

Download: IM Compliance and Regulations Document [PDF]. This paper is a great primer on what you need to know.

Some might be wondering...just what is Instant Messaging (IM)? We use it every day, it has been around for a decade, but because of its ephemeral nature we tend to treat it differently. I consulted Archive.org for some background...

Instant Messaging (IM) is an electronic messaging service that allows users to determine whether a certain party is connected to the messaging system at the same time. IM allows them to exchange text messages with connected parties in real time.

To use the service, users must have IM client software installed on their workstations. While there are many types of IM clients, they all tend to function in a similar manner. Client software may either be part of an agency's IT network and available to only registered users, or be public and available to anyone on the Internet. The client software logs into a central server to create connections with other clients logged in at that same time. Users create and exchange messages through their local client application.

Other important points:

* In addition to sending messages, users may have the ability to attach and exchange electronic files such as images, audio, video, and textual documents. This capability depends on the configuration of the individual client software as well as on protocols established at the client server.

* Depending on the software, users who are online may have the ability to respond to messages.

* Users may also block other users with whom they do not want to exchange messages.

* Users may only communicate with others using the same or a compatible client software.

How does IM differ from email?

Fundamentally, the difference between IM and email is the notion of presence. This means that users of the IM system are aware that other users have logged in and are willing to accept messages. Unlike email, IM content can only be sent to users who are logged in to the system and accepting messages. If users are not logged in, others do not have the ability to send them messages.

Because IM is not predicated upon an open standard, there is no uniformity regarding message transmission and structure.

Remember that instant messaging will be treated like e-mail: IM, despite its ephemeral or fleeting nature, is a document - a document that should be factored into your archive equation if you want to cover the bases soundly and not get "Foley'ed"....let's go back to Archive.org...

Does IM content qualify as a Federal Record?

The statutory definition of records (44 U.S.C. 3301) [Google Government Research Query on 44 U.S.C. 3301] includes all machine readable materials made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business. Agencies that allow IM traffic on their networks must recognize that such content may be a Federal record under that definition and must manage the records accordingly. The ephemeral nature of IM heightens the need for users to be aware that they may be creating records using this application, and to properly manage and preserve record content. Agency records management staff determine the record status of the IM content based on the overall records management policies and practices of their agency.

I think in light of the recent scandal (and how many don't we know about...) we probably will see agencies taking a new look at their IM practices; it is potentially too costly to ignore. This isn't the only scandal either. There are others, but they tend to focus around e-mail; again, don't discount the ephemeral nature of IM. Take the "Boy's Club Case" as reported by Baselinemag.com:

Peratis wanted WestLB to search for e-mail and Bloomberg messages from mailboxes of 19 current and former equities executives, human-resources representatives, bank managers and others, using more than 170 terms. These ranged from Quinby's name and initials, to employment-related words like "fire" and "bonus," to derogatory sexual slang...

In this case I don't know if IM was enabled or factored into discovery. However, according to our recent studies, it often is enabled, whether or not IT is really aware of it. Odds are that after the Foley case, e-mail will not be the only prime target for discovery - discovery that can be quite expensive to dig up if an Enterprise is not prepared.

Mark Foley Scandal Rages On Over Instant Messages (IM)

Excerpts and citations from Wikipedia on the Foley scandal. To learn more about what this means in terms of government and business, and how IM documents should be treated like any other, watch this Fox News segment from Kailash Ambwani, CEO of FaceTime Communications...as he covers why words like "guarantee" and "rumor", or incidents like the Mark Foley scandal, and not logging instant messaging can put a big business at a big risk.


Foley's e-mails to the former Congressional page in Louisiana, who was 16 at the time, said in part:

"I am in North Carolina...and it was 100 in New Orleans...wow that's really hot...well do you miss DC...it's raining here but 68 degrees so who can argue...did you have fun at your conference...what do you want for your birthday coming up....what stuff do you like to do,"

and

"I just emailed will...hes such a nice guy...acts much older than his age...and hes in really great shape...i am just finished riding my bike on a 25 mile journey..."
and

"how are you weathering the hurricane....are you safe?send me an email pic of you as well...."

The instant messages from 2003 that ABC obtained after its initial story were much more explicit than the e-mails from 2005 sent to the Louisiana page, and reportedly with a former page now employed in Oklahoma. According to several former congressional pages, the congressman used the screen name Maf54 on these messages. One exchange included:

Maf54: do you really do it face down
Teen: ya
Maf54: kneeling
Teen: well i dont use my hand...i use the bed itself
Maf54: where do you unload it
Teen: towel
Maf54: really
Maf54: completely naked?
Teen: well ya
Maf54: very nice
Teen: lol
Maf54: cute butt bouncing in the air

In another exchange, Foley proposed to meet with a former page:

Maf54: I want to see you
Teen: Like I said not til feb, then we will go to dinner
Maf54: and then what happens
Teen: we eat...we drink...who knows...hang out...late into the night
Maf54: and
Teen: I dunno
Maf54: dunno what
Teen: hmmm I have the feeling that you are fishing here...
im not sure what I would be comfortable with...well see

An exchange that took place in April 2003 apparently reveals Foley engaging in cybersex with an eighteen-year-old former page as the House voted on an emergency supplemental appropriations bill to fund the Iraq War; the released portion does not contain the purported cybersex exchange:

Maf54: ok..i better go vote..did you know you would have this effect on me
Teen: lol I guessed
Teen: ya go vote, I don't want to keep you from doing our job
Maf54: can I have a good kiss goodnight
Teen: :-*
Teen:

In another exchange, Foley appeared to invite the same page to his apartment with a friend to consume alcoholic beverages:

Maf54: we will be adjourned ny then
Teen: oh good
Maf54: by
Maf54: then we can have a few drinks
Maf54: lol
Teen: yes yes ;-)
Maf54: your not old enough to drink
Teen: shhh?
Maf54: ok
Teen: that's not what my ID says
Teen: lol
Maf54: ok
Teen: I probably shouldn't be telling you that huh
Maf54: we may need to drink at my house so we don't get busted

- For another transcript visit ABC News (warning explicit language)

- Kailash Ambwani Video on Foley Incident and Instant Messenger auditing and control.

About this Archive

This page is an archive of recent entries in the Instant Messenging category.
