Instant Messenging: August 2006 Archives

Our team has discovered a rather nasty little program currently in circulation relying on trickery and the desire to obtain "secret" information to get itself installed. Once onboard the machine, it has the potential to steal banking information, drop you into a Botnet and generally give you a very bad day as your computer becomes a drone controlled by an unknown botmaster.

The vector of attack appears to be focused in the chat realm - across AIM Chat, IRC Chat and regular web-based chat. The link usually looks like this:

Hi, have you ever wanted to sign on your buddies AOL Instant Messenger screen name, but never had the password? Well there has been a new break in the AIM servers that is allowing this vital information to be revealed. check the pro for more info!

Clicking the link takes you to the below website:

[Screenshot: http://blog.spywareguide.com/upload/2006/08/aimsnamehack1-thumb.jpg]

The download link to the infection file has now changed (though the application "homepage" is still the same), but a quick check of where the file was being called from would hopefully have set some alarm bells ringing:

[Screenshot: http://blog.spywareguide.com/upload/2006/08/aimsnamehack2-thumb.jpg]

As you can see, the attackers are hosting numerous dubious-sounding files, including a jpeg.exe and "Windows.exe" - otherwise known as the Feldor Trojan.

After installing the program, it reboots your computer and, as you can imagine, deposits a number of files you would rather not have on your system. However, the average end-user probably wouldn't think to check what's been placed in their System32 folder. They'll enter the desired AIM contact details, run the tool and...

[Screenshot: http://blog.spywareguide.com/upload/2006/08/aimsnamehack3-thumb.jpg]

...they'll be told that AIM has "fixed the vulnerability" in their software. Sounds convenient. Sadly, uninformed users will probably shrug and forget about the program altogether. This would be a mistake. Let's take a quick jump over to the System32 folder...

[Screenshot: aimsnamehack4.jpg]

You can see Windowsxp.exe - a banking Trojan, and the previously mentioned Windows.exe process. In case you're wondering, the AIM Screen Name Hacker's uninstaller does actually work, but (thoughtfully) leaves the infection files behind.
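A quick triage check a defender can run for the two dropped files named above, added here as an example and not part of the original write-up; the file names come from the post, while the seven-day review window and the "unsigned and recent" heuristic are assumptions:

```powershell
# Added example: look in System32 for the two files this write-up names
# (Windows.exe, Windowsxp.exe) and for any other recently written,
# unsigned executables. Run from an elevated PowerShell prompt.
$sys32 = Join-Path $env:SystemRoot 'System32'
$named = @('Windows.exe', 'Windowsxp.exe')   # names taken from the post
$days  = 7                                    # assumed review window

# Files the post specifically calls out.
foreach ($n in $named) {
    $p = Join-Path $sys32 $n
    if (Test-Path -LiteralPath $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            File      = $p
            Written   = (Get-Item -LiteralPath $p).LastWriteTime
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

# Anything else in System32 that is both recent and not validly signed.
Get-ChildItem -LiteralPath $sys32 -Filter '*.exe' -File |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$days) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                File      = $_.FullName
                Written   = $_.LastWriteTime
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    }
```

Genuine Windows binaries are normally catalog-signed and report Valid, so a recently written, unsigned executable with a Windows-sounding name is the thing to investigate further.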

As a parting thought, it's worth noting that depending on which version you happen to download and install, you may well find your PC turned into a Botnet drone. As always with a program like this, it's worth remembering...if it looks too good to be true, it probably is.

Remember, chat programs can harbor threats just as dangerous as, or more so than, what you see on the Web. Keep your guard up and don't click on links in chat programs or chat rooms or run programs of a dubious nature - especially if you don't know the buddy you are chatting with. Even if you do know them, that doesn't make it 100% safe either, as many programs rely on the "circle of trust" dynamic to do their dirty work and spread their mayhem.

Key Terms To Learn: Botnet, Drone, Chat Rooms, Trojan

Research and Blog Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher
Secondary Research: Wayne Porter, Senior Director Greynets Research

About this Archive

This page is an archive of entries in the Instant Messenging category from August 2006.