Instant Messenging: September 2006 Archives

The Net has a long history of hoaxes, and many of the "best" involve dire warnings of virus attacks that simply don't exist. Whether you're being asked to delete teddy bears or to avoid the gaze of the all-seeing eye, there's a rich history out there that bad guys could have some fun with. Sure enough, some hackers have seemingly decided to create a kind of potted history of online web hoaxes and tie it into an actual infection. There's an MSN network instant messaging infection currently on the prowl that has a little fun at the good guys' expense, and toys with the notion of making a Net urban legend come to life. How is this done? It's fairly subtle, and not everyone would appreciate the rather warped humour. Assuming someone on your contact list has been infected, you'll see a message similar to the one below appear on your screen:

http://blog.spywareguide.com/upload/2006/09/fantvcard4-thumb.jpg

Click the link, and you're taken to the below website:

http://blog.spywareguide.com/upload/2006/09/fantvcard1-thumb.jpg


Download and run the file on offer and (as you might expect) a bunch of nasty files are deposited onto your computer. Most of the files seem to be related to a certain strain of banking trojan particularly popular in Brazil; in fact, they're not too different from the files used in the Orkut Worm we discovered. Okay, I hear you cry: it attempts to steal confidential data. Show us something new, already.

Well, here we go.

You run an infection file, and generally one of two things happens:

1) Lots of notable stuff splatters across your desktop in the form of toolbars, popups and strange flashing banners.

2) An absence of anything notable happens on your desktop, which is probably an even worse scenario.

Here, however, you see....this:

http://blog.spywareguide.com/upload/2006/09/fantvcard3-thumb.jpg

...confused yet?

Allow me to explain. Rewind back to the infection site: it speaks of a "virtual card for you". Examine the URL the strange heart picture comes from: Quatrocantos, a well-known site dedicated to exposing online web hoaxes. That's right, the bad guys pop open an image from the good guys' hoax-hunting website (using up their bandwidth in the process), where the image refers to a "fake" virtual card hoax, and tie it into a real virtual card exploit.

As a final twist, the Quatrocantos website has a featured article on one other virtual card hoax, which stretches back to the year 2000. The title of that hoax?

A virtual card for you.

I asked Wayne Porter, Senior Director of Special Research (a new division I can't comment on) for his opinions given his background studying memetic engineering. "This is a cultural camouflage approach which we call "hoax cloaking". It is a defensive construct that adopts the very lore, memes and culture of the Internet to serve as a self-preservation and cloaking mechanism, much like the advanced construction of a "media virus".

For example, a natural response from a user might be to Google "A Virtual Card For You" to see if the card is an exploit or safe. At the moment Google, a trusted search engine, returns results from respected and trusted security companies like Sophos, Symantec, McAfee, Trend Micro, and F-Secure all warning this is a hoax, and the rest of the sites are very well known and trusted hoax-busting sites. The criminal taps into three layers of trust using a hoax, which is pretty sophisticated behavior and pretty rarely seen." You can see some more information on the press release here.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Supplemental Research: Wayne Porter, Senior Director Special Research

Proactive research on security threats is the key to catching hidden threats before they can collect confidential data, deliver adware, or take down a network. By the time researchers grab a threat, it has usually been doing the rounds for some time. Here, we've caught them early in the act of assembling what looks like a very sophisticated operation; in fact, we've caught it so early that many of the domains called by the first infection file aren't hosting infectious files yet.

How does this infection start off? As always, it begins with a seemingly innocent web address passed to you via Instant Messaging. Click the link and allow the file to execute and your day will quickly go bad.

http://blog.spywareguide.com/upload/2006/09/image23wrm3-thumb.jpg

At this point, the command file downloads a file called csts.exe, and this is where things get interesting.

The file starts making calls to many, many domains, one of which is related to the Cuebot Worm that posed as the Windows Genuine Advantage Validation Notification.

The final port of call is a number of servers located in Korea, which the infection connects to repeatedly:

image23wrm1.jpg

One of these servers has a single mention in Google. As fortune would have it (and we aren't surprised), this server seems to have something of a spam-related link farm going on:

http://blog.spywareguide.com/upload/2006/09/image23wrm4-thumb.jpg

...as you might have guessed, all of those blue links lead to what are effectively spam pages. It's worth mentioning that some of the Korean servers pinged by the various infection files have been blacklisted due to spam. Is there a financial motive at work here? Hard to say, though hopefully they won't get very far, as they've been caught out before they could really get things moving.

Eventually, a randomly named executable is created in the System32 folder. At this point, if the user is running AIM, the infection fires the following message at their contacts, with the hackers using IRC channels to issue the command:

http://blog.spywareguide.com/upload/2006/09/image23wrm2-thumb.jpg

Anyone that clicks the link and runs the file will end up continuing the cycle of infections. This attack is very well structured and "modular" in concept, so the people behind it can shuffle their executables around, download new infections to target PCs and do pretty much anything else they feel like doing.

As an example of the modular behaviour of this attack, here are just three of the many scenarios we encountered during analysis.

Scenario One

1) "hey would it be ok if i upload this picture of you to my blog?" downloads the image18.com file (disguised as a jpeg). Running the file results in csts.exe being created in your system32 folder. At this point you may well be part of a botnet (though not in all cases), and the infection has the potential to call down new files onto your PC, randomly selected from the numerous files waiting in "storage" that have been spread around the Net.

Scenario Two

1) "hey would it be ok if i upload this picture of you to my blog?" downloads the image18.com file (disguised as a jpeg). Running the file results in csts.exe being created in your system32 folder.

2) The infection has the potential to call numerous other files, such as files with fixed, unchanging names and randomly named executables which are constantly being updated. Depending on what files you end up with, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (mail) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams).

Scenario Three

1) "hey would it be ok if i upload this picture of you to my blog?" downloads the image18.com file (disguised as a jpeg). Running the file results in csts.exe being created in your system32 folder.

2) The infection has the potential to call numerous other files, such as d227_seven2.exe and randomly named executables which are constantly being updated. Depending on what files you end up with, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (mail) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams). You will also potentially end up with a rootkit on your PC as a result of this particular scenario.

3) At this point, the infected PC is a botnet drone and can be commanded to send new infection messages via AIM such as:

"hey is it alright if i put this picture of you on my egallery album?", which will download the image22.com file (again, disguised as a jpeg).

4) At this point, the cycle begins again and they can look to infect fresh victims with this exploit.
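As an added defender-side example (not code from the original write-up), the following Python correlates the chain stages named in the three scenarios above over constructed host telemetry: the lure file named like an image but carrying an executable extension, csts.exe appearing in system32, the RPCDB service, and outbound SMTP on port 25. The event format, host names, addresses and the extra lure extensions beyond .com are assumptions; because the write-up says a victim can enter the chain at any step, the verdict counts stages rather than requiring a fixed order.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (hypothetical hosts and RFC 5737 test addresses).
# Each event is (host, event_type, detail).
SAMPLE_EVENTS = [
    ("ws01", "file_download", r"C:\Users\a\Downloads\image18.com"),
    ("ws01", "process_create", r"C:\WINDOWS\system32\csts.exe"),
    ("ws01", "service_create", "RPCDB"),
    ("ws01", "net_connect", "tcp/25 -> 203.0.113.9"),
    ("ws02", "file_download", r"C:\Users\b\Downloads\holiday.jpg"),
    ("ws02", "net_connect", "tcp/443 -> 198.51.100.4"),
    ("ws03", "file_download", r"C:\Users\c\Downloads\image22.com"),
]

# "Picture" lures that are really executables; .com is from the write-up,
# the other extensions are an assumed generalisation.
LURE_RE = re.compile(r"image\d+\.(com|exe|scr|pif)$", re.IGNORECASE)

# Chain stages: (name, event type, predicate on the event detail).
STAGES = [
    ("lure_download", "file_download", lambda d: bool(LURE_RE.search(d))),
    ("dropper_in_system32", "process_create",
     lambda d: d.lower().endswith(r"\system32\csts.exe")),
    ("rpcdb_service", "service_create", lambda d: d.upper() == "RPCDB"),
    ("smtp_egress", "net_connect", lambda d: d.startswith("tcp/25 ")),
]

def correlate(events):
    """Return {host: [stage names seen]} in chain order, hosts with no hits omitted."""
    seen = defaultdict(set)
    for host, etype, detail in events:
        for name, stage_type, pred in STAGES:
            if etype == stage_type and pred(detail):
                seen[host].add(name)
    order = [name for name, _, _ in STAGES]
    return {h: [s for s in order if s in hits] for h, hits in seen.items()}

def verdict(stages):
    """The dropper plus any other stage means the install chain is live on that host."""
    if "dropper_in_system32" in stages and len(stages) >= 2:
        return "chain-active"
    return "suspicious" if stages else "clean"

def triage(events):
    """Map every host in the telemetry to a verdict, including clean hosts."""
    hits = correlate(events)
    return {host: verdict(hits.get(host, [])) for host, _, _ in events}
```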

As you can see, the emphasis here is not so much on the files themselves, but on the way these files are deposited onto the system. Previous Instant Messaging attacks have tended to focus on the damage done by the files, with little thought given to the method of delivery beyond the quickest way to get those files onto a PC. Here, the thrill for the bad guys seems to be in lining up as many of these "install chains" as possible. I keep thinking of a ten-move combo in a fighting game such as Tekken...not a bad way to describe it, actually. What's smart about this attack is that it doesn't matter if you get a file "out of step": if you start off with a particular file out of sequence, you'll just end up somewhere else in the chain instead. There is no right or wrong place to start with this one; the hackers will make sure you get your fill of infection files! The amount of effort that's gone into this kind of attack hints at a level of planning we've previously only seen here. And we're not done yet...

The Botnet Connection

Some things to note: along with their inventive use of positioning numerous downloads to hit infected machines, they also have a better-than-most idea of how to lock down their botnet. For one thing, they won't allow you to enter the channel using a "standard" IRC client. This prevents people from snooping around. Nice idea, though there are numerous ways around this if you have an ace or two up your sleeve.

They also have various aspects password protected, though you can still obtain these by the usual method of running the executables and sniffing the traffic. They also force infected machines into various channels on a regular basis, effectively herding them into new channels where they can push new installers, send out new infection messages...pretty much whatever the botnet owners feel like doing. As always, the only limits are greed and imagination.

Though it's always exciting to catch somebody in the final stages of putting their "Masterplan" together, it's also a touch worrying, as you know they're not quite done yet. Will we see more developments from this case, much like we did with the drawn-out saga of the AIM Rootkit from the tail end of 2005? That particular story started with Instant Messaging rootkits, diverted down the path of a group of hackers based in the Middle East and finished up with fake BitTorrent clients and Mr Bean movies. We think this particular group has many more executable files ready and waiting to go live, so where this one will end up is anyone's guess.

...did I mention this infection would give you a very bad day?

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, Manoj V Nair, FSL Threat Researcher
Technical Research: Chris Mannon, FSL Senior Threat Researcher
E-commerce Evaluation: Wayne Porter, Senior Director Special Research
Technical Research: Tyler Wells, Development Director.

About this Archive

This page is an archive of entries in the Instant Messenging category from September 2006.

Instant Messenging: August 2006 is the previous archive.

Instant Messenging: October 2006 is the next archive.