Results tagged “MSN” from SpywareGuide Greynets Blog

"No Longer Available..."

By
Christopher Boyd
on April 14, 2009 10:52 AM |
nolongeravphe1.gif

Yesterday, I wrote about an IM password stealer available to download from sites such as ZDNET / cnet.download.com. Well, it now appears to have been flushed from all related websites.

Thanks to the Download team for their quick response - they've shown a commitment to removing rogue elements from their download sections in the past, and incidents such as this seem to be few and far between.

Tags:

Instant Messaging Password Stealer Available From Major Download Sites

By
Christopher Boyd
on April 13, 2009 8:14 PM |
Generally, download sites do a good job of keeping potentially undesirable programs off their network. You might see the oddly titled "family keylogger" program and wonder about the ethics of such a utility, but leaving those rather dubious grey areas aside, mostly things take care of themselves.

However, while browsing the cnet.download.com site today, I happened to find something rather peculiar in their "Network Monitoring Tools". Namely, this:

apheve101.jpg
Click to Enlarge

As soon as I saw the creator description of the program, I knew something wasn't quite right:

"Apheve is a great piece of software that has the ability to disguise itself as multiple IM programs including MSN, Skype, and BT Yahoo.This is perfect if a visitor is coming round who wants to access their IM account."

Wait, it "disguises" itself as multiple IM programs? And its name sounds like a bizarre slang version of the word "thieve" (A Pheve)?

Oh dear.

As you might expect, the program is available to download on numerous sites, including CNet Asia and ZDNet UK. Up for grabs since May 2008, the number of downloads is somewhat alarming:

18,214 download.cnet.com


9186 CNET Asia

455 ZDNET.co.uk

Not including other sites related to the above URLs, that means there's a grand total of at least 27,855 people (possibly) running round trying to steal your IM logins. (Check out the comments for more thoughts on what all those people may....or may not....be using the program for).

Did I say steal? Yes, I did. Presenting.... "Apheve":


aphevez0.PNG

Quite simply, you select the IM client of your choice - MSN Messenger, Yahoo IM or Skype - and hit the "Start!" button. Then you retreat to a safe distance and let your victim use the PC. As we've seen before, these kinds of programs work great for scammers in net cafes, libraries and schools / universities.

The victim will see one of these:

aphevemsn.PNG
Click to Enlarge

apheveyahoo.PNG
Click to Enlarge

Of course, both of those IM boxes are entirely fake. Should you enter your login details, you'll be shown an error message and wander away from the computer feeling vaguely annoyed. Meanwhile, the attacker jumps onto the same computer and clicks on the apparently harmless looking fake icon in the Taskbar - in this case, a picture of a DVD / CD:

fakeaphevetooltip.PNG

....and is presented with your login information, courtesy of a nifty popup box:

apheveskype2.PNG
Click to Enlarge

Is it just me, or does that go a little beyond the scope of "Monitoring Software"?

The program has absolutely no reason to exist other than harvesting login credentials.

Even the choice of targets seems designed to cause as much trouble as possible - Skype accounts will probably have unused call credit stored against them, Windows Live accounts may well be linked to EMail as well as IM, potentially giving access to yet more personal information, logins etc.

Any claim by the creator that this is intended for "network security" is fairly blown out of the water when we check out his Youtube channel, only to find...

apheve4.jpg
Click to Enlarge

...he's promoting it with the title "How to hack Msn, Skype or Yahoo with Apheve 1.1", with "Apheve pro - The ultimate hacking tool" in the description.


The only good thing here is that due to the program being around for a while, the fake versions of Skype, Windows Live Messenger etc look rather outdated and not very much like the real, current versions. The DVD / CD icon in the corner could also be a giveaway, though of course you can change that if you really want to.

We've EMailed the Downloads team, and will post again when we hear back from them.

Given the rather single-minded purpose of this application, I'm a little surprised it managed to squeeze through the cracks. The above download sites may well be "Tested Spyware Free", but they're currently not "Tested Horrible IM Stealing Piece of Junk Free".

Hopefully that might change shortly...

Tags:

Stop: Spammer Time

By
Christopher Boyd
on April 9, 2009 1:30 PM |
Awful title gag aside, it seems someone is having a little fun in MSN Messenger land.

They've gone out and phished a number of accounts, then added all the people on their contact lists into one single file available to download.

msnhrsz1.jpg

Why? So you can add all 976 of them to your contact list then start spamming / harassing them.

msnhrsz2.jpg

Of course, the "MSN harassment list" has one fatal flaw - you don't HAVE to accept that random friend request that just popped up on your desktop.

So don't :)

Tags:

Back To The Drawing Board

By
Christopher Boyd
on April 6, 2009 11:03 AM |
1mkmsn.jpg
Click to Enlarge

While looking into a set of hacking tools recently, I came across a set of screenshots pasted into the creator's image gallery. They're a series of pictures detailing the various steps involved in the process of creating a fake MSN Live application.

We've removed quite a few duplicates (and blanked one or two things out) but if you want to experience the rather surreal sensation of watching someone create a data theft tool, click here to view the gallery.

Tags:

Beware: New MSN Messenger Password Stealing Program In The Wild

By
Christopher Boyd
on May 2, 2008 5:28 PM |

A new hacking program is in circulation that lets hackers create executable files easily and with no fuss. When the victim is tricked into running the infection file, a connection is made to the attacker's PC and they can steal any MSN login details stored on the PC. Here's what the attacker sees in his newly created directory after installing the infection creation tool:

msnhxr1.jpg

Note the selection of text files that accompany the program. We've seen a growing trend for hackers to leave copyright warnings on their programs, and messages of a similar nature elsewhere. Well, the all-out branding assault continues here:

msnhxr2.jpg

....Belgium Power? Once they're done impressing you with the technical specs of the programs creation, they continue to hit you around the head with more information:

msnhxr3.jpg

Once you fire up the Client, you can't help but be impressed by the clean, logical layout (very reminiscent of a spreadsheet, actually):

http://blog.spywareguide.com/upload/2008/05/msnhxr4-thumb.jpg
Click to Enlarge

Even better, the desire for being properly credited for their work runs wild here:

http://blog.spywareguide.com/upload/2008/05/msnhxr7-thumb.jpg
Click to Enlarge

According to that screenshot, they consider their Crew name to be a Trademark, and and program itself seems to be Copyrighted (All Rights Reserved). Creating the infection file is as simple as hitting the "Build It" button - when you see this, you're ready to start pushing your infection file to the masses.

Once the attacker has sent the infection file to the victim and convinced them to execute it on their PC, the attacker will be notified like so:

msnhxr12.jpg

At that point, the attacker simply opens up the "spreadsheet" page and sees this:

msnhxr10.jpg

The message says "Ready for action" - so very, very true. At this point, the attacker simply opens the "Passwords" tab, hits the "Get MSN Passwords" button and is presented with all the login details stored on the PC:

msnhxr11.jpg

We detect this as PassHax.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, FSL Senior Threat Researcher

Tags: