SpywareGuide powered by FaceTime Security Labs

The SpywareGuide Greynets Blog


May 02, 2008

  • Beware: New MSN Messenger Password Stealing Program In The Wild

A new hacking tool is in circulation that lets attackers build a custom infection executable with no effort at all. When the victim is tricked into running that file, it connects back to the attacker's PC, and from there the attacker can pull any MSN login details stored on the victim's machine. Here's what the attacker sees in the newly created directory after installing the builder:


Note the selection of text files that accompany the program. We've seen a growing trend for hackers to leave copyright warnings on their programs, and messages of a similar nature elsewhere. Well, the all-out branding assault continues here:


....Belgium Power? Once they're done impressing you with the technical specs of the program's creation, they continue to hit you around the head with more information:


Once you fire up the Client, you can't help but be impressed by the clean, logical layout (very reminiscent of a spreadsheet, actually):


Even better, the desire for being properly credited for their work runs wild here:


According to that screenshot, they consider their Crew name to be a Trademark, and the program itself seems to be Copyrighted (All Rights Reserved). Creating the infection file is as simple as hitting the "Build It" button - when you see this, you're ready to start pushing your infection file to the masses.

Once the attacker has sent the infection file to the victim and convinced them to execute it on their PC, the attacker will be notified like so:


At that point, the attacker simply opens up the "spreadsheet" page and sees this:


The message says "Ready for action" - so very, very true. At this point, the attacker simply opens the "Passwords" tab, hits the "Get MSN Passwords" button and is presented with all the login details stored on the PC:


We detect this as PassHax.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, FSL Senior Threat Researcher

March 04, 2008

  • Fake MSN Live Program Steals Login Details

This application is made by the same individual who created the Win32.Spin "application". However, this is quite a bit more malicious than opening up a bunch of browser windows. The hacker chooses a PC that they know will be used by lots of different people - web cafe, library, school, wherever. They install their fake application (designed to look like Windows Live Messenger), let the victims run it, then steal their login details.

How do they do it? Well, let's take a look. First of all, the icon for the executable doesn't look too convincing, does it:


If you check out the properties for the application, you'll see something strange:


"Project1-Logs to Text Doc"? That doesn't sound like something a Microsoft application says when you right click it. The plot thickens! Finally, when you run the application, you can't move it around your desktop (it stays stuck to the middle of your screen), or click on anything bar the checkboxes and the "login" button (although obviously, it allows you to type in your username and password).


After you hit the sign in button, you'll see this error message:


"Windows Live Messenger can not sign you in right now, please try again later". All lies, of course. What happens now? Well, let's take a look at the code:


Sitting either side of the fake error message, we can see two things. One, the creator is called "David" - always useful to know. Two, the login details are written to a .txt file in the root of the C: drive.


....and there it is! Shall we open it up and take a look?


Success! The password has been dumped into a location where the hacker can easily retrieve it at their leisure. Ah, I hear some of you cry - where can I download this evil program?

Well, you can't. I'm sure it'll be back before long, though...
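The two clues the post relies on, a VB6 default project name in the file properties and credentials dumped to a text file in the root of C:, can be checked without ever running the sample. The Python below is an added example written for this page, not code from the post or from the program's author: it pulls ASCII and UTF-16LE strings out of a binary the way `strings` and `strings -el` would, pairs VERSIONINFO keys with the value string that follows them, and reports the indicators. The byte blob it runs on is constructed to mimic what the post describes (the "Project1" product name, the VB6 runtime import, a .txt path in the root of C:); the file name `example.txt`, the key/value pairing heuristic and the choice of indicators are my assumptions, not anything the post shows.

```python
import re

# Version-info keys worth reading from a binary that claims to be a Microsoft product.
VERSION_KEYS = {"FileDescription", "ProductName", "InternalName", "CompanyName", "OriginalFilename"}

# ASCII and UTF-16LE ("wide") runs of printable characters, like `strings` and `strings -el`.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# A .txt file dropped straight into a drive root, e.g. C:\something.txt (no sub-directory).
ROOT_TXT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.txt$", re.IGNORECASE)


def ascii_strings(data):
    return [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]


def wide_strings(data):
    return [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]


def version_info(wide):
    """Heuristic (assumption): in VS_VERSIONINFO each key string is immediately followed by
    its value string, so pair every known key with the wide string that comes right after it."""
    info = {}
    for key, value in zip(wide, wide[1:]):
        if key in VERSION_KEYS and key not in info:
            info[key] = value
    return info


def triage(data):
    """Return the version-info fields found plus a list of human-readable indicators."""
    ascii_ = ascii_strings(data)
    wide = wide_strings(data)
    info = version_info(wide)
    everything = ascii_ + wide
    indicators = []

    if any("MSVBVM60" in s.upper() for s in ascii_):
        indicators.append("imports the Visual Basic 6 runtime (MSVBVM60.DLL)")

    if any(v.startswith("Project1") for v in info.values()):
        indicators.append("version info still carries the VB6 default project name 'Project1'")

    company = info.get("CompanyName", "")
    if any("windows live messenger" in s.lower() for s in everything) and "microsoft" not in company.lower():
        indicators.append("poses as Windows Live Messenger but CompanyName does not say Microsoft")

    paths = [s for s in everything if ROOT_TXT_RE.match(s)]
    if paths:
        indicators.append("hard-coded drive-root .txt path(s): " + ", ".join(paths))

    return {"version_info": info, "indicators": indicators}


def _wide(s):
    """Encode as a null-terminated UTF-16LE string, as stored in VS_VERSIONINFO."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for the sample: not the real binary, only the strings the post describes.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"MSVBVM60.DLL\x00" + b"\x00" * 8                    # VB6 runtime import (ASCII, import table)
    + _wide("FileDescription") + _wide("Project1-Logs to Text Doc")
    + _wide("ProductName") + _wide("Project1")
    + _wide("InternalName") + _wide("Project1")
    + _wide("Windows Live Messenger can not sign you in right now, please try again later")
    + _wide("C:\\example.txt")                              # assumed drop path; the real name is only in the screenshot
)

if __name__ == "__main__":
    result = triage(SAMPLE_BINARY)
    for key, value in result["version_info"].items():
        print(f"{key}: {value}")
    for line in result["indicators"]:
        print("-", line)
```

Run it against a real file with `triage(open(path, "rb").read())`; on a genuine Microsoft binary the CompanyName check and the Project1 check both stay quiet, which is the point of the comparison.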

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

February 13, 2008

  • A Strange Way to Disclose Your Service

We've had a few reports of the (now familiar) style of site that asks you to enter your MSN Messenger details in return for being informed who "has you blocked". The site in question is called


Not only is it a bad idea to simply fill in ANY login details on a random website you happen to come across, I don't think I've ever seen a single website offering this "service" actually carry it out successfully.

On the bright side, the site does offer you some terms of service to look at before you sign up:


Sadly, it all goes horribly wrong when you realise half the text is hidden behind the image on the right hand side:


The site does this in both IE and Firefox. Can't say I've ever seen that before. Note that the really important part (the bit that says your messenger contacts will be sent adverts via MSN) just happens to be hidden by the graphic. Here's how it reads with the text obscured:

By using this service you optin receiving email advertising from blockdelete.com. will receive an advertising message from you when you use this service.

Without the hidden opening words of that second sentence, an end-user could easily think it is still talking about the opt-in emails they themselves receive when using the service. Now let's add the missing section back in:

By using this service you optin receiving email advertising from blockdelete.com. Your messenger contacts will receive an advertising message from you when you use this service.

A bit of a difference!
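The check a practitioner would make here is to read the terms out of the page's markup rather than off the screen, since whatever a graphic covers is still in the DOM. The Python below is an added example for this page, not code from the post or from the site: it extracts every text node under the terms block and lists any element inside that block positioned out of normal flow (`position:absolute` or `position:fixed`), which is the usual way an image ends up covering text. The markup is constructed; the post doesn't show the site's HTML, so the container id `terms`, the `promo.gif` image and its inline style are assumptions.

```python
from html.parser import HTMLParser

# Tags that never close, so they must not change the nesting depth.
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link", "area", "col", "embed", "source", "wbr"}


class TermsExtractor(HTMLParser):
    """Collect every text node under the terms container, and every element inside it that is
    taken out of normal flow (position:absolute/fixed) and can therefore sit on top of the text."""

    def __init__(self, container_id):
        super().__init__()
        self.container_id = container_id
        self.depth = 0           # > 0 while inside the container
        self.chunks = []
        self.overlays = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self.depth == 0:
            if a.get("id") == self.container_id:
                self.depth = 1
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        if "position:absolute" in style or "position:fixed" in style:
            self.overlays.append((tag, a.get("style")))
        if tag not in VOID_TAGS:
            self.depth += 1

    def handle_endtag(self, tag):
        if self.depth and tag not in VOID_TAGS:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.chunks.append(data)


def extract_terms(html, container_id="terms"):
    """Return (full terms text with whitespace collapsed, list of out-of-flow elements inside it)."""
    p = TermsExtractor(container_id)
    p.feed(html)
    p.close()
    text = " ".join(" ".join(p.chunks).split())
    return text, p.overlays


# Constructed page fragment (assumed markup): the image is positioned over the first half of the terms.
SAMPLE_HTML = """
<html><body>
<h1>Who has blocked you?</h1>
<div id="terms" style="position:relative; width:400px">
  <p>By using this service you optin receiving email advertising from blockdelete.com.
  Your messenger contacts will receive an advertising message from you when you use this service.</p>
  <img src="promo.gif" alt="" style="position:absolute; left:0; top:0; width:200px; height:60px">
</div>
<p>Enter your MSN login below.</p>
</body></html>
"""

if __name__ == "__main__":
    text, overlays = extract_terms(SAMPLE_HTML)
    print("Full terms text:", text)
    for tag, style in overlays:
        print(f"out-of-flow <{tag}> inside the terms block: {style}")
```

Only inline styles are inspected; a rule in an external stylesheet that does the same thing would not be listed, so treat an empty overlay list as "nothing obvious" rather than "nothing hidden".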

September 07, 2007

  • New MSN Virus In The Wild

There seems to be a new MSN Virus doing the rounds, in the (now common) guise of a .zip file which (of course) harbours a malicious executable.

In this case, the .zip file has a handily recognisable name:


Check out what happens to your PC if you run the file:


The machine is pretty much buried under a 100% CPU load - if you ever wanted to experience Bullet Time, here it is minus the backflips and machine guns. Here's an example of the kind of messages you can expect to be sent from an infected user:


As for spread, it seems fairly low at the moment. The handful of infections we've seen so far include a number of forum-goers in Singapore and Japan, and a handful of people asking for help in Italian. The messages sent via the infection file seem to be fairly limited, and include:

"Who is this girl?"

"Do you remember this girl? I can't believe she took this pic..do you know her?"

"Who is this girl? She said she likes you :D"

We detect this (unsurprisingly enough) as TanyaBabe.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Deepak Setty, Senior Threat Researcher
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

August 30, 2007

  • Singworm Spreading in Singapore / Hong Kong Via MSN Messenger

Recently, I was in Singapore to give a number of talks on spyware and adware attacks. Interestingly, a number of people in the area emailed me to let me know about something infecting their friends via MSN Messenger. As we investigated further, it did indeed seem to be based around the Singapore area (with a few mentions of it on Chinese forums, too). Here's a screenshot from a popular Singapore community forum:


...and here's a screenshot from a Chinese forum:


...note the Flag of Hong Kong in the bottom left hand corner. All the cases we've seen of this so far have been limited to the Singapore region, with a couple of individuals mentioning it on Hong Kong-centric forums. Of course, this doesn't mean there aren't other victims out there but the spread so far seems to be quite limited.

Check out this map -


Many, many domains host the main executable (dubbed "Singworm") pushed by the instant messaging infection link, the majority of them in Hong Kong and Taiwan. A further file (Winsys.exe) is downloaded from a number of different servers, one of which is apparently located in Israel.


Variants of Winsys.exe have been known to be involved in various types of data theft, including login details, banking information and personal data.

The worm itself is mostly built for Spamming, with elements of the Stration Worm and other pieces of Malware thrown in for good measure.

It starts, as it always does, with the downloading and execution of a single file - in this case, rather oddly called "I.am.exe":


As soon as you run the file, the system attempts to start sending spam via the collection of files already deposited on the PC. At certain points in time, the amount of Spam the system was trying to send was so much that the testbox slowed down to a crawl and a reboot was needed. Here's a few of the files dropped into the System32 Folder:


At this point, if you have MSN Messenger installed, the inevitable infection link is sent to your contacts and appears in their chat windows with the text "here are new smiles for MSN, they are incredible!":


....and of course, you'll send your infection link again.....and again.....and again.....


At this point, detection for most of the files involved on VirusTotal is sketchy at best. We've notified MSN of this threat; in the meantime, if you're in the Singapore or Hong Kong region, be wary of any strange links coming through from your contacts...
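Both this post and the TanyaBabe post above describe the same pattern: a short lure line, a link to a .zip or .exe, and the infected account pushing the identical message to contact after contact. Where anti-virus detection is "sketchy at best", that behaviour is what a gateway or IM log review can key on instead. The Python below is an added example for this page, not code from FaceTime or from either post: it scores each message on the lure phrases the posts quote and on links to executable content, then looks for worm-style fan-out (one sender, one risky link, several distinct recipients). The log format, the `.invalid` hostnames, the file names and the fan-out threshold of three are all constructed or assumed.

```python
import re
from urllib.parse import urlparse

# Lure texts quoted in the TanyaBabe and Singworm write-ups above (lower-cased for matching).
KNOWN_LURES = (
    "who is this girl",
    "do you remember this girl",
    "she said she likes you",
    "new smiles for msn",
)

# File types that turned up as the payload: a .zip wrapping an executable, or the .exe itself.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".pif", ".com")

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Constructed log format for this example: "<timestamp> <sender> -> <recipient>: <message>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<sender>\S+) -> (?P<recipient>\S+): (?P<msg>.*)$")


def extract_urls(text):
    urls = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:)")                    # drop punctuation glued to the end of a link
        urls.append(raw if raw.lower().startswith("http") else "http://" + raw)
    return urls


def risky_links(text):
    return [u for u in extract_urls(text) if urlparse(u).path.lower().endswith(RISKY_EXTENSIONS)]


def score_message(text):
    """Return (score, reasons): one point per lure phrase, one per link to executable content."""
    reasons = []
    lowered = text.lower()
    reasons += [f"lure phrase {lure!r}" for lure in KNOWN_LURES if lure in lowered]
    reasons += [f"link to executable content {url}" for url in risky_links(text)]
    return len(reasons), reasons


def scan_log(log_text, fanout_threshold=3):
    """Flag individual messages, then look for worm-style fan-out: the same sender pushing the
    same risky link to at least `fanout_threshold` distinct contacts."""
    flagged = []
    fanout = {}                                      # (sender, url) -> {recipients}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        score, reasons = score_message(m["msg"])
        if score:
            flagged.append((m["ts"], m["sender"], m["recipient"], reasons))
        for url in risky_links(m["msg"]):
            fanout.setdefault((m["sender"], url), set()).add(m["recipient"])
    worm_like = sorted(
        (sender, url, sorted(rcpts))
        for (sender, url), rcpts in fanout.items()
        if len(rcpts) >= fanout_threshold
    )
    return flagged, worm_like


# Constructed sample log; hosts are reserved .invalid names, not real infection domains.
SAMPLE_LOG = """\
2007-09-07T10:01:05 alice -> bob: hey, lunch today?
2007-09-07T10:02:11 mallory -> bob: Who is this girl? She said she likes you :D http://example.invalid/pics/tanya_babe.zip
2007-09-07T10:02:12 mallory -> carol: Who is this girl? She said she likes you :D http://example.invalid/pics/tanya_babe.zip
2007-09-07T10:02:13 mallory -> dave: Who is this girl? She said she likes you :D http://example.invalid/pics/tanya_babe.zip
2007-08-30T14:20:00 eve -> frank: here are new smiles for MSN, they are incredible! www.example.invalid/smiles/I.am.exe
2007-08-30T14:21:00 frank -> eve: lol what is that?
"""

if __name__ == "__main__":
    flagged, worm_like = scan_log(SAMPLE_LOG)
    for ts, sender, recipient, reasons in flagged:
        print(f"{ts} {sender} -> {recipient}: " + "; ".join(reasons))
    for sender, url, recipients in worm_like:
        print(f"fan-out from {sender}: {url} sent to {len(recipients)} contacts {recipients}")
```

The lure list will go stale as soon as the wording changes; the fan-out check does not care about wording, which is why it is the half worth keeping in a real IM gateway rule.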

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: CC, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, FSL Senior Threat Researcher

July 20, 2007

  • Security Attacks On The Rise in IM and P2P Channels

Based on recent research, FaceTime has found that security incidents targeting public IM and P2P channels increased by 5 percent in Q2 2007 compared with Q1 2007. In contrast, last year we saw a 35 percent decline over the same period, from Q1 to Q2 2006. We didn't cover this report on the blog when it came out, as the GTA story was rolling out at full steam, but the analysis is worth your time.

Some Highlights

A total of 317 incidents were reported during Q2 2007, bringing the total since Jan. 1, 2007, to 618 incidents. Ongoing research reaffirms a cyclical nature to malware threats with peaks in each year, typically in the spring and fall, followed by lulls in the summer and winter. In 2007, security incidents declined somewhat during the first quarter from a high in January. In the second quarter, security threats climbed again, but appear to have peaked in June. If previous patterns hold, we can expect a decline in the summer, followed by an upswing in the early fall.

From Q1 to Q2 2007, attacks spread via the mainstream networks (Yahoo, MSN and AOL) dropped from 74 total incidents in the first period to 64 in the second quarter. Attacks spread via AOL dropped by more than half (from 28 incidents to 13). Overall, the MSN network accounted for 50 percent of the attacks on the major networks, followed by Yahoo at 30 percent and AOL with 20 percent.

Some Key Findings

-- Increase in IRC attacks

As we predicted earlier this year, attacks spread via Internet Relay Chat (IRC) continue to account for a growing percentage of all attacks. In fact, the percentage of attacks that are IRC-based has risen in each of the last six quarters, rising from a 59 percent share in Q1 2006 to 72 percent in the current quarter.

-- Single channel attacks vs. multichannel

Similarly, single channel attacks—security incidents that propagate via only one vector, such as AOL, Yahoo or IRC—now account for almost three-fourths of all attacks. The percentage of attacks that are single-channel has also risen in each of the last six quarters, growing from a 46 percent share in the first quarter of 2006 to 71 percent in Q2 of 2007.

View the full report here along with past reports. It is important to note that with the rise of unified communications and Web 2.0 we can expect attacks along social vectors to become more subtle, creative and far more sophisticated.

While single channel attacks continue to dominate, in May we covered this example of an attack through Skype (the ultimate payload being the Stration Worm) with the built-in intelligence to go after other IM services. I feel this is a good example of what we can expect long-term.

Research and Summary Write-Up: Wayne Porter, Senior Director of Special Research

March 12, 2007

  • Kailash Ambwani Talks on Greynets and Perils of Web 2.0

Our CEO, Kailash Ambwani, talks on the greynets concept and how the majority of internet traffic has evolved from plain HTTP to real-time communications application traffic. Ambwani discusses how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, FaceTime is about enablement and control of these innovations inside the enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users, the forward thinkers and innovators, will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one; pay particular attention to how anonymizers such as Rodi or Tor can be used to bypass typical perimeter defences. Naturally, and Kailash acknowledges this, tools like Tor (whose development was for a time sponsored by the EFF) can be used as anti-censorship tools, especially in countries where that is a problem.

However, they can also be a disaster: a potential legal nightmare for large enterprises and the IT administrators who have to manage them. Kailash goes on to note how malware is now profit driven. In his limited time he didn't get to explore the use of widgets (often thin Ajax clients), or the scraping of content with browser-powered tools that lets material like video propagate across the enterprise. That can be problematic too, given attacks such as the Windows Metafile (WMF) exploits, or exposure to inappropriate content.

In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.


January 25, 2007

  • Meet FaceTime at RSA Conference 2007- Free Expo Pass

I have just returned from Affiliate Summit West 2007, where I went scouting the current state of advertising, ethics, and what the future holds for people. I will have more on that later, but I will say that giant waves seem to be rippling under the surface, and *maybe* in the direction of cleaning up some of the problems. No miracles are in sight, but I saw some positive signs for a change.

With that jaunt over, I have to dig in, grab a day or two of rest and then prepare for the RSA show with colleague Chris Boyd. Want to meet him? Now you can! He might sign an autograph, conduct a symphony, or show you some cool bo staff fighting skills as a bonus. He really CAN do that kind of stuff.

I wanted to take a moment here at the labs to cordially invite you to meet up with us at the RSA conference in San Francisco Feb 5-9. Yes- spend some facetime with FaceTime Communications, the leading provider of solutions for securing and managing instant messaging, peer-to-peer file sharing and Web-based greynets.

Where will you all be?

We will have folks at Booth #2537. Paperghost and I will be there and perhaps other places too...skulking about, being a general menace, and the usual things we do at events- look around, talk to people, and try to snag food.

What is RSA?
Recognized as the largest IT security conference and expo, RSA Conference 2007 is a must-attend event. With a variety of conference tracks to select from, you'll learn strategies to address today's information security problems, and gain insight into the issues of tomorrow. FaceTime is presenting not one, but two presentations for your enjoyment.

Presentation One

February 7th, 9:10 AM - 10:20 AM
Session Code: 2069
Botnet Live: Tracing, Chasing and Building the Case to Bust the Bad Guys
Speakers Chris Boyd and Wayne Porter, FaceTime Security Labs


This presentation is given by yours truly, Wayne Porter, and led by the kung-fu style malware fighter Chris Boyd, a.k.a. PaperGhost; we work in the labs doing all kinds of things you normally would not think about. For a little background on some of this I strongly suggest you check out the podcasts we did a few months ago, because they set the stage for just how incredible the cascade of events can become when you follow the story deep, deep into the abyss. We will also talk a bit about social media, the importance of being out in the field, economics and actually talking to people. Chris, who is a masterful storyteller, will give you a pretty amazing tour of the underbelly.

The Podcasts

Teaser Cast

Spyware Warriors and the Digital UnderGround Podcast: Part 1 and Part 2.
You can even download them into mp3 format and listen on the go.

Next Up....Our CEO in this Peer2Peer session....

February 7th, 12:30 PM - 1:20 PM
Session Code: P2P-204B
Skype and IM at the Office: User's Birthright or Security's Death Sentence?
Moderated by FaceTime President and CEO, Kailash Ambwani


Kailash, our CEO, while perhaps not as dashing as us research types in the drawn form you see before you, knows his stuff when it comes to business communications, and when you get a title with "Birthright" and "Death Sentence" in one line, well, how can you not be intrigued? Given the rapid adoption of VoIP and IM, this is a must-attend panel, especially if you want to understand some of the legal ramifications and the nature of greynets: when good can be bad, and bad can sometimes be good. It is all a matter of perspective and policy.

Want to meet other FaceTimers? Check in at booth #2537 to see demos of our products and solutions, including the recently announced FaceTime Internet Security Edition which includes our award-winning RTGuardian appliance- you can find more about it on the FaceTime Security Products Site.

This is a bit of a pitch, so you are warned, but this is what we do: we combine core gateway security capabilities such as Web filtering and anti-spyware with security for today's greynet applications on a single platform with common policy and management. The FaceTime Internet Security Edition reduces complexity and increases the efficiency of the enterprise security infrastructure to reduce overall total cost of ownership. We will also have demonstrations of our flagship instant messaging security and compliance solution, FaceTime Enterprise Edition. Why the big deal? FaceTime Enterprise Edition helps organizations meet the new eDiscovery rules (here for whitepaper) for electronic communications that went into effect December 1, 2006.

So please be our guest we would love to meet you. You can even attend the RSA Conference 2007 Expo compliments of FaceTime. Just register at http://www.rsaconference.com/2007/us/ and use code EXH7FAC for your FREE Expo Pass - a $100 value!*

We hope to see you there!

* You must pre-register before February 2, 2007 for your FREE Expo Pass. Make a note of it!

January 16, 2007

  • FaceTime Reports IM & P2P Malware is Packing a Bigger Punch

Our yearly review of instant messaging and peer-to-peer threats has hit the streets, and the results can be seen here. Combining data from recent analysis with the October 2006 Greynets Survey, it paints a picture of a security landscape where the number of threats has fallen since 2005 but the danger has actually increased. There is also a focus on what these problems mean for businesses, and on the fact that these issues affect companies both small and large - no one is immune.

"Despite myriad security technologies employed by enterprise IT managers to block malicious attacks, the user is often the biggest vulnerability, especially on the real-time, socially-networked Web" said Frank Cabri, vice president of marketing for FaceTime Communications. "In 2007, the biggest security risk for organizations is likely to be their own users, as employees install consumer-oriented greynet applications onto their workplace computer faster than the IT team can keep up with the corresponding controls."

...I'm sure if you work in a large environment where everyone is in front of a PC you can relate to the above scenario - how many people do you personally know involved in covert installs of their favourite IM client, game or other program on a work PC? You might want to consider some covert moves yourself next time you see them and warn them of the dangers they're potentially bringing into the office!

November 11, 2006

  • IM Security Term of the Week: "Foley'ed"- E-Discovery Day

In Internet News Week, our V.P. of Marketing Frank Cabri makes a notable quote in the style of our usual rapier-wit-wielding MVP, Chris Boyd (e.g. describing IM safety as a "Ben Stiller and Circle of Trust kind of thing").

"Some organizations' ears are ringing from this consumerization of an IT trend and the fact that employees are bringing in unsanctioned applications through the back door," Cabri said. "Organizations are hearing about it from us, from some of the industry analysts, and in many cases, seeing it first hand on their networks."

And yet there are still many who aren't aware of the issue, and usage continues to grow. The recent Mark Foley case in the U.S. Congress, in which instant messaging was used to send inappropriate messages to teenage congressional pages, is a case in point.

"Sometimes it takes a Mark Foley-like situation to happen in your own organization to raise awareness of the risk and the impact," Cabri noted. "Obviously, our goal is to help customers before this happens."

"Lets face it, no business wants to get 'Foley'ed' on a national level -- the business consequences of this could be extremely negative."

Ouch. "Foley'ed": apt coinage indeed. Frank is, of course, referring to the Mark Foley scandal that recently emerged over IM.

Learn More: See a brief video of Kailash Ambwani, our CEO at FaceTime Communications, as he covers why words like "guarantee" or "rumor", incidents like the Mark Foley scandal, and failing to monitor IM (or other greynets) can lead to big problems, especially if you are a big company.

This cascade of events is one of the drivers that is forcing big companies to take a hard look at their corporate policies, especially with regulatory challenges like:

- Gramm-Leach-Bliley Financial Modernization Act (GLBA)

- Sarbanes-Oxley Act of 2002 (SOX)

- Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Will the Foley Force raise awareness of the issues? Good question, and more pertinent than ever now that December 1st approaches. What is the big deal about December 1st? It is "E-discovery Day", after which things could get more tedious and potentially more costly for an enterprise that is not prepared.

E-discovery refers to finding and producing documents stored in electronic form in response to litigation or regulatory requirements. Civil litigants, regulators and criminal prosecutors now ask, as a matter of course, for copies of selected e-mail communications or make broad requests for all electronic records. On Dec. 1, changes to the Federal Rules of Civil Procedure take effect that make e-discovery a standard part of federal proceedings.

So where can you start if you are a large enterprise? First, figure out how much instant messaging traffic is going on in your network; you might be surprised not only by the traffic, but by the other insidious malware that rides along with it. FaceTime has a free tool called RTMonitor that can help with this, or you can contact them for a demo.

Best Practices for Emerging Compliance Challenges: Electronic Messaging and Communications (ReymannGroup):

Download the IM Compliance and Regulations document [PDF]. This paper is a great primer on what you need to know.

Some might be wondering, just what is Instant Messaging (IM)? We use it every day and it has been around for a decade, but because of its ephemeral nature we tend to treat it differently. I consulted Archive.org for some background...

Instant Messaging (IM) is an electronic messaging service that allows users to determine whether a certain party is connected to the messaging system at the same time. IM allows them to exchange text messages with connected parties in real time.

To use the service, users must have IM client software installed on their workstations. While there are many types of IM clients, they all tend to function in a similar manner. Client software may either be part of an agency's IT network and available to only registered users, or be public and available to anyone on the Internet. The client software logs into a central server to create connections with other clients logged in at that same time. Users create and exchange messages through their local client application.

Other important points:

* In addition to sending messages, users may have the ability to attach and exchange electronic files such as images, audio, video, and textual documents. This capability depends on the configuration of the individual client software as well as on protocols established at the client server.

* Depending on the software, users who are online may have the ability to respond to messages.

* Users may also block other users with whom they do not want to exchange messages.

* Users may only communicate with others using the same or a compatible client software.

How does IM differ from email?

Fundamentally, the difference between IM and email is the notion of presence. This means that users of the IM system are aware that other users have logged in and are willing to accept messages. Unlike email, IM content can only be sent to users who are logged in to the system and accepting messages. If users are not logged in, others do not have the ability to send them messages.

Because IM is not predicated upon an open standard, there is no uniformity regarding message transmission and structure.

Remember that instant messaging will be treated like e-mail: IM, despite its ephemeral or fleeting nature, is a document, and one that should be factored into your archiving if you want to cover the bases soundly and not get "Foley'ed". Let's go back to Archive.org...

Does IM content qualify as a Federal Record?

The statutory definition of records (44 U.S.C. 3301) [Google Government Research Query on 44 U.S.C. 3301] includes all machine readable materials made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business. Agencies that allow IM traffic on their networks must recognize that such content may be a Federal record under that definition and must manage the records accordingly. The ephemeral nature of IM heightens the need for users to be aware that they may be creating records using this application, and to properly manage and preserve record content. Agency records management staff determine the record status of the IM content based on the overall records management policies and practices of their agency.

I think in light of the recent scandal (and how many don't we know about...) we will probably see agencies taking a new look at their IM practices; it is potentially too costly to ignore. This isn't the only such case either. There are others, such as the "Boy's Club Case" reported by Baselinemag.com, but they tend to centre on e-mail. Again, don't discount IM just because of its ephemeral nature.

Peratis wanted WestLB to search for e-mail and Bloomberg messages from mailboxes of 19 current and former equities executives, human-resources representatives, bank managers and others, using more than 170 terms. These ranged from Quinby's name and initials, to employment-related words like "fire" and "bonus," to derogatory sexual slang...

In this case I don't know whether IM was enabled or factored into discovery. However, according to our recent studies, it often is enabled, whether or not IT is really aware of it. Odds are that after the Foley case, e-mail will no longer be the only prime target for discovery, and discovery can be quite expensive if an enterprise is not prepared.

October 17, 2006

  • More on Mark Foley Scandal Messages and our CEO Speaks On Topic

Mark Foley Scandal Rages On Over Instant Messages (IM)

Excerpts and citations from Wikipedia on the Foley scandal. To learn more about what this means for government and business, and why IM records should be treated like any other document, watch this Fox News segment with Kailash Ambwani, CEO of FaceTime Communications, as he covers why words like "guarantee" or "rumor", incidents like the Mark Foley scandal, and not logging instant messaging can put a big business at big risk.

Foley's e-mails to the former Congressional page in Louisiana, who was 16 at the time, said in part:

"I am in North Carolina...and it was 100 in New Orleans...wow that's really hot...well do you miss DC...it's raining here but 68 degrees so who can argue...did you have fun at your conference...what do you want for your birthday coming up....what stuff do you like to do,"


"I just emailed will...hes such a nice guy...acts much older than his age...and hes in really great shape...i am just finished riding my bike on a 25 mile journey..."

"how are you weathering the hurricane....are you safe…send me an email pic of you as well...."

The instant messages from 2003 that ABC obtained after its initial story were much more explicit than the e-mails from 2005 sent to the Louisiana page, and were reportedly exchanged with a former page now employed in Oklahoma. According to several former congressional pages, the congressman used the screen name Maf54 in these messages. One exchange included:

Maf54: do you really do it face down
Teen: ya
Maf54: kneeling
Teen: well i dont use my hand...i use the bed itself
Maf54: where do you unload it
Teen: towel
Maf54: really
Maf54: completely naked?
Teen: well ya
Maf54: very nice
Teen: lol
Maf54: cute butt bouncing in the air

In another exchange, Foley proposed to meet with a former page:

Maf54: I want to see you
Teen: Like I said not til feb…then we will go to dinner
Maf54: and then what happens
Teen: we eat...we drink...who knows...hang out...late into the night
Maf54: and
Teen: I dunno
Maf54: dunno what
Teen: hmmm I have the feeling that you are fishing here...
im not sure what I would be comfortable with...well see

An exchange that took place in April 2003 apparently reveals Foley engaging in cybersex with an eighteen-year-old former page as the House voted on an emergency supplemental appropriations bill to fund the Iraq War; the released portion does not contain the purported cybersex exchange:

Maf54: ok..i better go vote..did you know you would have this effect on me
Teen: lol I guessed
Teen: ya go vote…I don't want to keep you from doing our job
Maf54: can I have a good kiss goodnight
Teen: :-*

In another exchange, Foley appeared to invite the same page to his apartment with a friend to consume alcoholic beverages:

Maf54: we will be adjourned ny then
Teen: oh good
Maf54: by
Maf54: then we can have a few drinks
Maf54: lol
Teen: yes yes ;-)
Maf54: your not old enough to drink
Teen: shhh…
Maf54: ok
Teen: that's not what my ID says
Teen: lol
Maf54: ok
Teen: I probably shouldn't be telling you that huh
Maf54: we may need to drink at my house so we don't get busted

- For another transcript visit ABC News (warning: explicit language)

- Kailash Ambwani Video on Foley Incident and Instant Messenger auditing and control.

October 10, 2006

  • Mark Foley- Government IM and What Does It Mean?

There has been quite a bit of controversy over the "Mark Foley Scandal".

From the Wikipedia:

Mark Adam Foley (born September 8, 1954 in Newton, Massachusetts) was an American Republican politician and a member of the United States House of Representatives from 1995 until 2006, representing the 16th District of Florida.

Foley resigned from the U.S. Congress on September 29, 2006 after it surfaced that he had sent sexually explicit instant messages[1] to former Congressional pages who were both under and over the age of 18.[2][3][4] He had previously been warned about "overly friendly" emails to former Congressional pages. As a result of the disclosures, the Federal Bureau of Investigation (FBI) and the Florida Department of Law Enforcement (FDLE) opened an investigation of the messages to find possible criminal charges.

Given that the government has put into effect all kinds of laws about digital messaging to protect people:

- Gramm-Leach-Bliley Financial Modernization Act (GLBA)

- Sarbanes-Oxley Act of 2002 (SOX)

- Health Insurance Portability and Accountability Act of 1996 (HIPAA)

One has to wonder who watches the government in the digital realm. That is beyond my scope of knowledge, but companies might think about what a scandal like this would mean for them.

So where do you start? First figure out how much instant messaging traffic is going on in your network. Facetime has a free tool called the RTMonitor that can help with this.

Also get educated. Establish some IM policies- don't let incidents establish you. Facetime sponsored this whitepaper from the ReymannGroup.

A little snippet:

"...With the increased privacy and security awareness among businesses, customers, and our elected officials, traditional best practices are being incorporated into new laws and regulations that define a higher security standard that all affected organizations must achieve. Information security is no longer only a prudent business decision, it is mandated!..."

It's free and has a handy checklist too.

Best Practices for Emerging Compliance Challenges: Electronic Messaging and Communications (ReymannGroup)
[Direct Download PDF]

September 22, 2006

  • IM Worm Attack Cloaked in Virtual Card Hoax- W32Heartworm.A

The Net has a long history of hoaxes, and many of the "best" seem to involve dire warnings of virus attacks that simply don't exist. Whether you're being asked to delete teddy bears or avoid the gaze of the all-seeing eye, there's a rich history out there that bad guys could have some fun with. Well, sure enough, some hackers seemingly decided to create a kind of potted history of online web hoaxes and tie it into an actual infection. There's an MSN network instant messaging infection currently on the prowl that has a little fun at the good guys' expense, and toys with the notion of making a Net urban legend come to life. How is this done? Well, it's fairly subtle and not everyone would appreciate the rather warped humour. Assuming someone on your contact list has been infected, you'll see a message similar to the below appear on your screen:

Click to Enlarge

Click the link, and you're taken to the below website:


Click to Enlarge

Download and run the file on offer and (as you might expect) a bunch of nasty files are deposited onto your computer. Most of the files seem to be related to a certain strain of banking trojan particularly popular in Brazil - in fact, they're not too different from the files used in the Orkut Worm we discovered. Okay, I hear you cry - it attempts to steal confidential data. Show us something new, already.

Well, here we go.

You run an infection file, and generally one of two things happens:

1) Lots of notable stuff splatters across your desktop in the form of toolbars, popups and strange flashing banners.

2) An absence of anything notable happens on your desktop, which is probably an even worse scenario.

Here, however, you see....this:

Click to Enlarge

...confused yet?

Allow me to explain. Rewind back to the infection site - it speaks of a "virtual card for you". Examine the URL the strange heart-picture comes from - Quatrocantos, a well known site dedicated to exposing online web hoaxes. That's right - the bad guys pop open an image from the good guys' hoax-hunting website (using up their bandwidth in the process), where the image refers to a "fake" virtual card hoax...and tie it into a real virtual card exploit.

As a final twist, the Quatrocantos website has a featured article on one other virtual card hoax, which stretches back to the year 2000. The title of that hoax?

A virtual card for you.

I asked Wayne Porter, Senior Director of Special Research (a new division I can't comment on) for his opinions given his background studying memetic engineering. "This is a cultural camouflage approach which we call "hoax cloaking". It is a defensive construct that adopts the very lore, memes and culture of the Internet to serve as a self-preservation and cloaking mechanism, much like the advanced construction of a "media virus".

For example, a natural response from a user might be to Google "A Virtual Card For You" to see if the card is an exploit or safe. At the moment Google, a trusted search engine, returns results from respected and trusted security companies like Sophos, Symantec, McAfee, Trend Micro, and F-Secure all warning this is a hoax and the rest of the sites are very well known and trusted hoax busting sites. The criminal taps into three layers of trust using a hoax which is pretty sophisticated behavior and pretty rarely seen." You can see some more information on the press release here.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Supplemental Research: Wayne Porter, Senior Director Special Research

September 18, 2006

  • Pipeline Worm Floods AIM with Botnet Drones

Proactive research on security threats is the key to catching hidden threats before they can collect confidential data, deliver adware, or take down a network. When researchers grab a threat, it's usually been doing the rounds for some time. Here, we've caught them early in the act of assembling what looks like a very sophisticated operation - in fact, we've caught it so early that many of the domains called by the first infection file aren't hosting infectious files yet.

How does this infection start off? As always, it begins with a seemingly innocent web address passed to you via Instant Messaging. Click the link and allow the file to execute and your day will quickly go bad.

Click to Enlarge

At this point, the command file downloads a file called csts.exe - and this is where things get interesting.

The file starts making calls to many, many domains - one of which is related to the Cuebot Worm that posed as the Windows Genuine Advantage Validation Notification.

The final port of call is a number of servers located in Korea, which are repeatedly connected to by the infection:


One of these servers has a single mention in Google. As fortune would have it, and we aren't surprised, this server seems to have something of a Spam-related linkfarm going on:

Click to Enlarge

...as you might have guessed, all of those blue links lead to what are effectively spam pages. It's worth mentioning that some of the Korean servers pinged by the various infection files have been blacklisted due to spam. Is there a financial motive at work here? Hard to say, though hopefully they won't be able to get very far as they've been caught out before they could really get things moving.

Eventually, a randomly named executable is created in the System32 Folder and at this point, if the user is running AIM, it will fire the following message at their contacts (the hackers use IRC channels to trigger this):

Click to Enlarge

Anyone that clicks the link and runs the file will end up continuing the cycle of infections. This attack is very well structured and "modular" in concept, so the people behind it can shuffle their executables around, download new infections to target PCs and do pretty much anything else they feel like doing.

As an example of the modular behaviour of this attack, here are just three of the many scenarios we encountered during analysis.

Scenario One

1) "hey would it be ok if i upload this picture of you to my blog?" downloads the image18.com file (disguised as a jpeg). Running the file results in csts.exe being created in your system32 Folder. At this point, you may well be part of a Botnet (though not in all cases) and the infection has the potential to call down new files onto your PC, which are randomly selected from the numerous files waiting in "storage" that have been spread around the Net.

Scenario Two

1) "hey would it be ok if i upload this picture of you to my blog?" downloads the image18.com file (disguised as a jpeg). Running the file results in csts.exe being created in your system32 Folder.

2) The infection has the potential to call numerous other files, such as files with fixed, unchanging names and randomly named executables which are constantly being updated. Depending on what files you end up with, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (mail) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams).

Scenario Three

1) "hey would it be ok if i upload this picture of you to my blog?" downloads the image18.com file (disguised as a jpeg). Running the file results in csts.exe being created in your system32 Folder.

2) The infection has the potential to call numerous other files, such as d227_seven2.exe and randomly named executables which are constantly being updated. Depending on what files you end up with, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (mail) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams). You will also potentially end up with a Rootkit on your PC as a result of this particular scenario.

3) At this point, the infected PC is a Botnet drone and can be commanded to send new infection messages via AIM such as:

"hey is it alright if i put this picture of you on my egallery album? ", which will download the image22.com file (again, disguised as a jpeg).

4) At this point, the cycle begins again and they can look to infect fresh victims with this exploit.

As you can see, the emphasis here is not so much on the files themselves, but on the way these files are deposited onto the system. Previous Instant Messaging attacks have tended to focus on the damage done by the files, with little thought on the method of delivery, save for the quickest way to get those files onto a PC. Here, the thrill for the bad guys seems to be in lining up as many of these "install chains" as possible - I keep thinking of a ten move combo on a fighting game such as Tekken...not a bad way to describe it, actually. What's smart about this attack is that it doesn't matter if you get a file "out of step" - if you start off with a particular file out of sequence, you'll just end up somewhere else in the chain instead. There is no right or wrong place to start with this one - the hackers will make sure you get your fill of infection files! The amount of effort that's gone into this kind of attack hints at a level of planning we've previously only seen here. And we're not done yet...
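As an added example (not from the original write-up), the following PowerShell host-triage script checks a Windows machine for the indicators the scenarios above name: csts.exe or d227_seven2.exe in System32, a service called RPCDB, a listener on TCP port 25, and alternate data streams on System32 executables. The function name and the decision to ignore the common Zone.Identifier stream are our own assumptions; the script only reports what it finds and removes nothing.

```powershell
# Added host-triage example, not code from the original post.
# Checks a Windows host for the Pipeline-worm indicators the write-up names.
# Helper name and the Zone.Identifier exclusion are our own assumptions.

function Test-PipelineWormIndicators {
    [CmdletBinding()]
    param(
        # Dropper names given in the post; extend the list as needed
        [string[]]$SuspectFiles = @('csts.exe', 'd227_seven2.exe'),
        # Unwanted service name given in the post
        [string]$ServiceName = 'RPCDB'
    )

    $findings = @()
    $system32 = Join-Path $env:SystemRoot 'System32'

    # 1. Known dropper executables sitting in System32
    foreach ($name in $SuspectFiles) {
        $path = Join-Path $system32 $name
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Indicator = 'File'; Detail = $path }
        }
    }

    # 2. The unwanted RPCDB service
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{
            Indicator = 'Service'
            Detail    = "$($svc.Name) ($($svc.Status))"
        }
    }

    # 3. Anything listening on SMTP port 25; a workstation normally has no mail server
    $smtp = Get-NetTCPConnection -LocalPort 25 -State Listen -ErrorAction SilentlyContinue
    foreach ($conn in $smtp) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Indicator = 'SMTPListener'
            Detail    = "PID $($conn.OwningProcess) $($proc.ProcessName)"
        }
    }

    # 4. Alternate data streams on System32 executables, ignoring the default
    #    unnamed stream and the browser-written Zone.Identifier mark (assumption)
    Get-ChildItem -LiteralPath $system32 -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    $findings += [pscustomobject]@{
                        Indicator = 'ADS'
                        Detail    = "$($file.FullName):$($_.Stream) ($($_.Length) bytes)"
                    }
                }
        }

    return $findings
}

$results = Test-PipelineWormIndicators
if (-not $results) {
    'No Pipeline-worm indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell 3 or later session; Get-NetTCPConnection is only available on Windows 8 / Server 2012 and newer.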

The Botnet Connection

Some things to note - along with their inventive use of positioning numerous downloads to hit infected machines, they also have a better-than-most idea of how to lock down their Botnet. For one thing, they won't allow you to enter the channel using a "standard" IRC client. This prevents people from snooping around. Nice idea, though there's numerous ways around this if you have an ace or two up your sleeve.

They also have various aspects password protected, though you can still obtain these here by the usual method - simply running the executables and sniffing the traffic. They also force infected machines into various channels on a regular basis - effectively herding them into new channels where they can push new installers, send out new infection messages...pretty much whatever the Botnet owners feel like doing. As always, the only limits are greed and imagination.

Though it's always exciting to catch somebody in the final stages of putting their "Masterplan" together, it's also a touch worrying as you know that they're not quite done yet. Will we see more developments from this case, much like we did with the drawn-out saga of the AIM Rootkit from the tail-end of 2005? That particular story started with Instant Messaging Rootkits, diverted down the path of a group of hackers based in the Middle-East and finished up with fake BitTorrent clients and Mr Bean movies. We think this particular group have many more executable files ready and waiting to go live, so where this one will end up is anyone's guess.

...did I mention this infection would give you a very bad day?

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, Manoj V Nair, FSL Threat Researchers
Technical Research: Chris Mannon, FSL Senior Threat Researcher
E-commerce Evaluation: Wayne Porter, Senior Director Special Research
Technical Research: Tyler Wells, Development Director.

August 08, 2006

  • The AIM Screen Name Hacker - Beware or Be Snared!

Our team has discovered a rather nasty little program currently in circulation relying on trickery and the desire to obtain "secret" information to get itself installed. Once onboard the machine, it has the potential to steal banking information, drop you into a Botnet and generally give you a very bad day as your computer becomes a drone controlled by an unknown botmaster.

The vector of attack appears to be focused in the chat realm - across AIM Chat, IRC Chat and regular web-based chat. The link usually looks like this:

Hi, have you ever wanted to sign on your buddies AOL Instant Messenger screen name, but never had the password? Well there has been a new break in the AIM servers that is allowing this vital information to be revealed. check the pro for more info!

Clicking the link takes you to the below website:

Click to Enlarge

The download link to the infection file has now changed (though the application "homepage" is still the same), but a quick check of where the file was being called from would hopefully have set some alarm bells ringing:

Click to Enlarge

As you can see, the attackers are hosting numerous dubious sounding files, including a jpeg.exe and "Windows.exe" - otherwise known as the Feldor Trojan.

After installing the program, it reboots your computer and, as you can imagine, deposits a number of files you would rather not want on your system. However, the average end-user probably wouldn't think to check what's been placed in their System32 Folder. They'll enter the desired AIM Contact Details, run the tool and...

Click to Enlarge

...they'll be told that AIM has "fixed the vulnerability" in their software. Sounds convenient. Sadly, uninformed users will probably shrug and forget about the program altogether. This would be a mistake. Let's take a quick jump over to the System32 Folder...


You can see Windowsxp.exe - a banking Trojan, and the previously mentioned Windows.exe process. In case you're wondering, the AIM Screen Name Hacker's uninstaller does actually work, but (thoughtfully) leaves the infection files behind.

As a parting thought, it's worth noting that depending on which version you happen to download and install, you may well find your PC turned into a Botnet drone. As always with a program like this, it's worth remembering...if it looks too good to be true, it probably is.

Remember, chat programs can harbor threats just as dangerous as, or more dangerous than, what you see on the Web. Keep your guard up and don't click on links in chat programs or chat rooms, or run programs of a dubious nature - especially if you don't know the buddy you are chatting with. Even if you do know them, that doesn't make it 100% safe either, as many programs rely on the "circle of trust" dynamic to do their dirty work and spread their mayhem.

Key Terms To Learn: Botnet- Drone- Chat Rooms- Trojan

Research and Blog Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher
Secondary Research: Wayne Porter, Senior Director Greynets Research

June 05, 2006

  • Skype, IM and VoIP Ignite- The Enterprise Will Embrace

Skype continues to bring new firsts to everyone's Internet social and work experience- myself included. First there was a strange SPIM ambush [define SPIM] and now something more interesting.

Before I get into the experience, and in order to fully understand and appreciate why I find it so progressive, I need to back up a decade to the launch of a company called Mirabilis. Mirabilis made the ICQ product. ICQ, short for "I Seek You", was launched over a decade ago by three enterprising Israeli entrepreneurs. ICQ drove online communications out of message boards and forums and into real-time text chat. Back in 1997 ICQ really changed how I and many others operated online. Instead of waiting for e-mails to bounce back and forth you could message in real time. Before that time the closest I had come to chat was on dial-up Bulletin Board Systems that had multi-node chat and three inbound phone lines. With IM development, feedback and collaboration suddenly became easier and faster; it cut down geographical barriers and fused the world at incredible speed. It was life- and business-changing for many people and a very exciting time to experience.

Naturally it was first adopted by technical users who immediately grasped the concept. It also became essential for online team gaming like Quake, where you had to organize players before a match of TCP/IP-based gunslinging action. Families and friends began to use it to communicate, form relationships and stay up to date, and it also provided small businesses and virtual workers a whole new way to interact. Because of the social nature of Instant Messaging it propagated like wildfire, passing by word-of-mouth, e-mail and community.

While I still retain my original ICQ number (the digits are so low I simply can't let it go), I have forsaken ICQ and even AOL IM for the most part. I have moved on to Skype. Skype offers voice chat, web cam ability, conference ability and file transfers among other options.

Skype is free, easy to use and fairly good quality for voice calls - plus you can dial land lines or get a SkypeIn number - for free. I keep it open most of my work day, unless I don't want an interruption. With Skype on the desktop I am able to work and communicate with people around the world at the click of a button - it is absolutely critical for global research work. If you stop and think about it, that is extremely powerful. This is the next wave for the Enterprise too, as customers will demand to interact with businesses in the format they choose.

One look at Google trends of Google Chat and AIM versus Skype shows just how monumental and fast Skype use has ignited. So on with my experience...

Recently Chris Boyd and I had a conversation with a reporter from a very high profile magazine. That isn't news of course. We do that all the time. What was novel is that we did it via Skype. That may not seem like a big deal, but this reporter didn't flinch when it was suggested we utilize Skype to connect everyone - no problem at all!

I simply cannot imagine that happening two years ago. Having a Skype call with a technically savvy reporter is progressive and underscores how businesses are adopting this communication tool for their work. Skype is becoming as ubiquitous as Google if you think about terms like "Skype Me" or "Google It".

Naturally all of this free communication without barriers doesn't come without some risk. IM networks can be attack vectors for worms, as we detailed in a recent threat, and as with any virtual communication you don't know for sure that who you are talking with is really who they claim to be. In many cases threats from unknown people with unknown agendas can be risky too.

Instant Messaging is a rich petri dish for social engineering and it is also laced with fast-circulating rumors. Going back to ICQ again, one of the old and long-standing ICQ rumors was that Mirabilis was going to charge for their service. It never happened, and AOL bought ICQ a few years ago, but that didn't stop the rumors from flying all across the Web, fueled by the IM medium. Many people believed the rumors, if the outcry on the Web was accurate.

In terms of businesses many are starting to embrace IM and VoIP and this is partly powered by the incredibly lush features and partly because employees themselves are introducing the tools into the Enterprise on their own. Soon businesses cannot afford not to embrace it because their customers will be demanding it in tandem. Enterprise IM applications are great if you want to communicate inside the Enterprise only, but all businesses have customers and these customers will set the tone for how they want to communicate with the business.

Will Skype supplant land lines? Probably not anytime soon, but lots of home users and business users are embracing it at a rate that is astounding. Voice 2.0 is upon us and it is an exciting time to be on the Internet.

May 24, 2006

  • Understanding Enterprise IM- Free Seminar

For the enterprise, downloading and using free consumer IM clients and P2P file sharing applications can invite viruses, worms and other security risks. Businesses must understand the challenges to their organization and whether they are at risk of non-compliance with policies or regulations, intellectual property loss or worse.

Thankfully you don't have to give up IM to protect your enterprise. In this eSeminar learn how Microsoft Office Live Communications Server 2005 enables real-time communications. With proper management, it improves business efficiencies and increases productivity. Many leading organizations are already benefiting from this flexible enterprise IM solution.

Find out how companies are maximizing the value of their Live Communications Server investments with FaceTime Enterprise Edition. With FaceTime, you can stop rogue public IM use, detect and block applications like Skype 2.0 and ensure full compliance with state and federal regulations.

Join Marc Sanders from Microsoft and Eric Young from FaceTime as they explore:

- Pros and cons of enterprise-grade vs. free IM
- Transitioning from multiple public IM clients and P2P applications to a safe, secure, collaboration environment
- An example of how two companies have fully leveraged IM with FaceTime and Live Communications Server

The eSeminar is free; click here to register.

Implementing Safe, Secure Enterprise-Grade IM
June 1, 2006 @ 12:30 p.m. Eastern/9:30 a.m. Pacific
Duration: 45 minutes

April 11, 2006

  • My First Experience with SKYPE Spim / Spam- Instant Classic

Skype, recently acquired by eBay, is becoming a very popular Instant Messaging client. You can text chat, hold conferences, send files and, most importantly, talk in real time with wonderful clarity. Not only can you talk to those on your Skype list, but you can also buy credits to dial out to real world lines. Skype is a proprietary peer-to-peer Internet telephony (VoIP) network, founded by Niklas Zennstrom and Janus Friis, the creators of KaZaA.

I have been using Skype for some time, but never before had I received an unsolicited commercial message in my months of usage. In terms of e-mail this is commonly called spam, but on instant messaging networks this is called SPIM. In short, someone contacts you hawking goods and wares, or anything that you don't want. You don't know them, you did not contact them, you did not opt in to be contacted by them; in short, they simply hammer out commercial messages in hopes someone will buy.

I found this case particularly interesting because, as I said before, I had never received SPIM through Skype (and fortunately it is easy to block a user.) In this case I decided to "play" with the spammer to gauge their response and have some fun and games.

Would they ignore me? Hit me with more unwanted spam? Or are they truly ignorant? Find below the full transcript of our "conversation". Obviously near the end I was pretending to execute various "commands" on her machines when in reality I was doing nothing but typing in all caps simulating a "look up" of who they were.

This spammer was not harmed in the incident, but let's hope they don't do it again. Read on...

The first part of the transcript is the list of brand new units of phones they sell, below it you will find our "dialogue" and my simulated commands of geolocation as I tried to steer this spammer into the path of not doing it again. I doubt that will work, but it is amusing nonetheless. More below...

Continue reading "My First Experience with SKYPE Spim / Spam- Instant Classic" »

March 18, 2006

  • More On The Botnet Bust...

Check out my interview with Internetnews.com. From the article:

"We had a tip-off from an individual known as RinCe," Chris Boyd, security research manager at FaceTime, told internetnews.com. "With his assistance, we were able to map the activities of these groups in great detail. From there, it was a case of analyzing all the files, making the right connections, finding compromised servers and gathering more data."

...and how sweet it is.

When you're done there, we have more coverage on Techweb :

"They're using the kitchen sink approach times one hundred," said Boyd.

As far as notable quotables go, that's a cliche-laden screamer, wouldn't you say? On the other hand, it's a more than accurate description of the scam at hand. Stay frosty...

March 15, 2006

  • IM E-commerce Database Theft

Not good, is it? Bad guys using custom built scripts to steal card data from payment databases. Botnets. Adware installs. The whole nine yards. For a quick summary of what we found, read this, and this. When you're done with those, you might want to check out our interview with the guy who provided the initial tip-off, RinCe.

My humble opinion? One of the nastiest scams I've come across, and proof (if it were needed..which it isn't) that kids are happily swapping your card details like Pokemon cards and they really couldn't care less. Bottom line - start thinking protection, or else it'll soon be a case of damage limitation.


© Copyright 2006, FaceTime Communications, Inc. All rights reserved.