Myspace: March 2008 Archives

Myspace hacking tools are a magnet for wannabe script kiddies and leet hax0rs. Here's the latest one I've seen in the last couple of days:

fmshk1.gif

....ooooh. But wait, it gets better:

fmshk3.gif

I've no idea who "Paul & Nick" are, but they'll probably attract a fair amount of people to this application (that weighs in at a tiny 24kb in size) before they realise it's a fake. Enter the Myspace page that you want to target (or leave it blank!), hit the "Hack" button and....

fakeshutdown1.gif

Whoops. Thanks to a line of code that says this:

00002A24 00402A24 0 shutdown -f -s -t 0

...the PC (as you probably already guessed) does indeed shutdown:

http://blog.spywareguide.com/upload/2008/03/fakeshutdown2-thumb.gif
Click to Enlarge

No lasting harm is done to any PC that the file is run on. We detect this as Myspace.Shutdown.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

Here's an interesting twist on the usual fake profile invites I regularly receive on Myspace.

fcprofs1.gif

Normally, you click the link and are taken to a standard fake profile advertising webcams or something of a similar nature. If you refresh the page, you'll see the same content - just like a regular Myspace profile. Well, in this case the code used by the bad guys means the page is no longer static. Refreshing the spam profile will endlessly cycle through a whole raft of fake overlays and images:

http://blog.spywareguide.com/upload/2008/03/fcprofs2-thumb.gif
http://blog.spywareguide.com/upload/2008/03/fcprofs3-thumb.gif
http://blog.spywareguide.com/upload/2008/03/fcprofs4-thumb.gif
http://blog.spywareguide.com/upload/2008/03/fcprofs5-thumb.gif
Click To Enlarge The Above 4 Images

All of the above pop up on the profile link I was sent (you can see the URL remains the same in each screenshot).

How do they do it? Well, they're overlaying the profile page with a large clickable image, a common tactic that was used in the Myspace band hacks from a while ago. Here's the code:

fcprofs6.gif

In other words, a random image (made to look like a Myspace profile) is served from here:

free-hotwebcam(dot)com/Images/00110/KKD90g4aKKXNSTKhUvj04RO7WQDhw(dot)jpg

And clicking it will take you here:

snurl(dot)com/20h89-holo

Which redirects you to

privaterooms(dot)biz/t-main027(dot)html

...before finally leaving the end-user at the eventual destination of teen(dot)livecamfun(dot)com. The curious thing is, why would you bother to make your spam profile pages dynamic in this way? Once you've seen one, you leave it and don't go back. I can't imagine someone revisiting the page simply because the images keep changing...

Pages

About this Archive

This page is a archive of entries in the Myspace category from March 2008.

Myspace: February 2008 is the previous archive.

Myspace: April 2008 is the next archive.

Find recent content on the main index or look in the archives to find all content.