The SpywareGuide Greynets Blog

January 11, 2008

  • MSN Worm Has A Passion For Luxury Watches

An MSN Worm appears to be in the wild which retains some of the functionality of a worm mentioned here, but with some additional features (such as sending spam, for example).

Initially, it sends the victim a message regarding Myspace (in our testing, this was the only message it sent, unlike the worm linked above which had numerous options to choose from):

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn1-thumb.jpg

Before you know it, you'll be sending lots and lots of spam - I hope your friends are looking for high quality luxury watches:

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn2-thumb.jpg

Finally, the payload drops a file onto the computer that attempts to execute remote code - it seems they're attempting to exploit victims with this.

Here's the (randomly named) file in question that causes this, deposited into your System32 Directory:

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn3-thumb.jpg

We detect this as MN.Spooler.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

November 29, 2007

  • NextDoor Worm Spreads across MSN

There is a lot of talk out there in the Ether about worms that spread through MSN clients and add unsuspecting users to their botnet. These kinds of attacks are among the most dangerous, and pose a very real security threat. It doesn't take much imagination to see that these attackers will DDoS their enemies. There are dozens of these kinds of worms floating around out there, however. FSL recently uncovered one we dub NextDoor. Like the other worms of its kind, once it is on the infected PC it will attempt to contact every contact in order to infect more users. The difference between these worms is what they do to the victim after the attack. Some will simply show advertisements or a wide variety of porn; others log the victim's keystrokes in order to harvest very sensitive information like passwords or credit card details. NextDoor installs a dialer (called Carlson Dialer) onto the victim's PC to make long distance calls.

First you will see a suspicious looking message with a .zip attachment.

http://blog.spywareguide.com/upload/2007/11/chat-thumb.PNG
Party_jpg.zip contains www.Party_jpg_Msn.com.

Of course your involvement after this step isn't necessary. From here the worm commences with its attack.

http://blog.spywareguide.com/upload/2007/11/IRC-thumb.PNG
NextDoor creates a connection to an IRC channel and begins to pull down infected files using FTP.

Now we see what has been installed onto the victim's machine.

http://blog.spywareguide.com/upload/2007/11/cdrive-thumb.PNG
The file with the ominous looking icon is the dialer that is installed by this worm.

http://blog.spywareguide.com/upload/2007/11/windows-thumb.PNG
The actual MSN worm is stored in the Windows Directory.

http://blog.spywareguide.com/upload/2007/11/sys32-thumb.PNG
These 2 files are involved in setting up an FTP connection with the attacker.

Now that your computer is entirely infected, Carlson Dialer begins its main function.

http://blog.spywareguide.com/upload/2007/11/call-thumb.PNG
It geolocates the victim's IP address and maps it to a country code.

This is what it would look like in a regular browser...

http://blog.spywareguide.com/upload/2007/11/dialer-thumb.PNG

To get an idea of how recently this worm was updated...

http://blog.spywareguide.com/upload/2007/11/end-thumb.PNG
The infection that FSL came across has been around since Nov. 26, 2007.

Those aren't normal .jpgs either. Those are dialers that use the JPG vulnerability.
http://blog.spywareguide.com/upload/2007/11/picture-thumb.PNG
Each .jpg file on the attacker's site uses the JPG vulnerability.

Facetime currently protects against this threat as well as the dialers it installs.

November 03, 2007

  • Skype Worm Preys Upon Good Samaritans...

Today we came across a file that sends infection links via Skype, the latest in a long line of Stration / Warezov variants to do such a thing.

However, this one does a few things we've not seen before from this kind of file. Yes, it's a Stration variant and so will attempt to steal your email as standard. What's unusual here is the number of files it drops, and (more creepily) the message that gets sent. I'm not too sure how well news of the disappearance of Madeleine McCann has spread across the Atlantic, but here in Europe (and a few other places) the news continues to rage on with an endless stream of sightings and theories.

So as someone based in the UK, and confronted with the latest developments in this case every day via TV, radio and the Internet, the following random message with its very specific wording generated a really strange resonance for me:

missingmsg.jpg

To me, this is attempting to play into the heightened sense of "a stranger on every street corner" in a very deliberate fashion. Obviously it's not a direct reference to the McCann case, but the intention of playing upon the current media frenzy regarding the safety of children and / or females in general is clear. Of course, the file being pushed is an executable named "Photo" to further the social engineering bid:

http://blog.spywareguide.com/upload/2007/11/findgirl1-thumb.jpg

It's worth noting (aside from the rather distasteful spam message) that the payload is a lot bigger than what we've typically seen from this sort of install in the past (there's a fair amount of CPU drain while the install takes place, too). Here's what you'll find in your System32 folder:

findgirl3sys32.jpg

And here's what you'll see in your Windows directory if you take a look around:

findgirl4windows.jpg

Some of the files dropped seem to be a little random - again, previous Skype hijacks of this nature that we've seen tend to install the same thing almost every single time.

Part of this infection searches all files with the following extensions looking for e-mail information to steal:
- .adb
- .asp
- .cfg
- .cgi
- .dbx
- .dhtm
- .eml
- .htm
- .html
- .jsp
- .mbx
- .mdx
- .mht
- .mmf
- .msg
- .nch
- .ods
- .oft
- .php
- .pl
- .sht
- .shtm
- .stm
- .tbb
- .txt
- .uin
- .wab
- .wsh
- .xls
- .xml

You might want to block all of the following (if you don't already have them on your ban list, that is):

78.106.123.40
217.75.214.4
79.196.245.234
qeruikipoikinfandes.com
xasedriwasderios.com
kadesuitungenfunhansde.com
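One way to act on a list like this is to run it over your outbound proxy or DNS logs and see which hosts have already talked to it. The script below is an added example, not code from the post: it takes the indicators listed above (duplicates collapsed), matches exact IPs and domains plus any subdomain of the listed domains, and reports the internal client behind each hit. The log line format and the sample lines are constructed for the example.

```python
"""Match the post's indicators against constructed proxy log lines (added example)."""
import ipaddress
import re

# Indicators from the post above, duplicates collapsed.
BLOCKED_IPS = {
    "78.106.123.40",
    "217.75.214.4",
    "79.196.245.234",
}
BLOCKED_DOMAINS = {
    "qeruikipoikinfandes.com",
    "xasedriwasderios.com",
    "kadesuitungenfunhansde.com",
}

# Assumed (constructed) log format: "<timestamp> <client_ip> <destination_host> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<url>\S+)")


def domain_matches(host, blocked):
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def classify_destination(dst):
    """Return 'ip', 'domain', or None depending on whether dst is on the list."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        # Not an IP literal, so treat it as a hostname.
        return "domain" if domain_matches(dst, BLOCKED_DOMAINS) else None
    return "ip" if str(ip) in BLOCKED_IPS else None


def scan_log(lines):
    """Return (client, destination, match_kind) for every line that hit the list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that don't fit the expected format
        kind = classify_destination(m.group("dst"))
        if kind:
            hits.append((m.group("client"), m.group("dst"), kind))
    return hits


# Constructed sample log: one benign line, three hits (including a subdomain),
# one malformed line, and one near-miss IP that must not match.
SAMPLE_LOG = [
    "2007-11-03T10:01:02 10.0.0.5 www.example.com http://www.example.com/",
    "2007-11-03T10:01:05 10.0.0.5 qeruikipoikinfandes.com http://qeruikipoikinfandes.com/",
    "2007-11-03T10:02:00 10.0.0.7 78.106.123.40 http://78.106.123.40/",
    "2007-11-03T10:02:30 10.0.0.7 www.xasedriwasderios.com http://www.xasedriwasderios.com/",
    "garbage line without the expected fields",
    "2007-11-03T10:03:00 10.0.0.9 217.75.214.40 http://217.75.214.40/",
]

if __name__ == "__main__":
    for client, dst, kind in scan_log(SAMPLE_LOG):
        print(f"{client} contacted listed {kind} {dst}")
```

The near-miss `217.75.214.40` is there on purpose: IP indicators should be compared as whole addresses, not as string prefixes, or you will both miss and over-match.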

If you're interested, you can see a little more on the Warezov gang URLs here at the F-Secure blog.

The obvious advice here is to try and resist any and all seemingly well intentioned messages sent out of the blue via Skype. We detect this as Is4GRL.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

September 20, 2007

  • JT.Moonwalk Dances Onto An MSN Client Near You

Sometimes we obtain files and they just sit there, doing nothing. Here's a case where we went back for a second look and lots of IRC activity eventually kicked into life. This particular infection takes place as follows:

1) The bad guys infect your PC with an initial infection link, dropping you into a Botnet.

http://blog.spywareguide.com/upload/2007/09/insidejtworm-thumb.jpg

2) The Botnet is fired up periodically and they deposit a collection of Zipfiles (each containing more infections) onto your PC.

http://blog.spywareguide.com/upload/2007/09/zipstorage1-thumb.jpg

3) Infection commands are then sent via IRC to tell the infected PC to send your contacts infection links to the Zipfiles stored in your Windows directory.

http://blog.spywareguide.com/upload/2007/09/msnjt_replacement-thumb.jpg

Some of the infection messages include

"Look at my new dancing movie"

"Look at me doing the moonwalk!!"

"Look what I found, more nude pictures of Justin Timberlake!"

We detect this (naturally enough) as JT.Moonwalk.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

September 19, 2007

  • Bubbles...For Kids!

The discovery of the Bubbles worm has led to the discovery of more and more variants across the internet. While all have essentially the same methods of infection, not all simply block security programs. FSL has come across a variant of the Bubbles worm that is designed to steal any and all sensitive information from the victim's computer through the most devious method of all...keylogging!

It starts with an executable downloaded from a questionable website. This executable copies itself into the system32 directory of the victim PC, and these 4 files are copies of the main executable:

http://blog.spywareguide.com/upload/2007/09/hiddenfiles-thumb.PNG


That's not all this worm does. It also looks for the game Runescape on the infected PC. Here's a screenshot taken from the main executable, pdo.exe:

http://blog.spywareguide.com/upload/2007/09/runescape-thumb.PNG


For those not aware, Runescape is an MMO game whose target demographic is children, young teens, and teenagers in general. This worm is looking not only for "runescape", but for a "RS PIN:" as well. Could this mean payment details? Or (more likely), could they be referring to the victim's PIN for their in-game bank? Whether it's simply to loot your gold, or to sell the PIN on illegal forums, is unknown. That's not even the scariest part of this infection. It also logs everything the victim does on the infected PC, storing all logged information in a file in the system32 directory called syswinf32.dll.

http://blog.spywareguide.com/upload/2007/09/syswinf-thumb.PNG


Syswinf32.dll stores extremely sensitive information monitored from the infected PC.

The above picture is just a sample of what was found in the .dll file. It shows applications that have run, any action taken within the application, any text typed, and any websites visited. Now that it's effectively stealing every piece of information on the victim PC, it's time for the worm to spread to every Skype contact.

http://blog.spywareguide.com/upload/2007/09/skypemsg-thumb.PNG

Now this worm starts looking familiar. This is the exact same behavior we observed in the original Bubbles worm. When you put it all together, what do you get? You get a worm/keylogger that spreads through Skype contacts and targets the teenagers that play Runescape. Combine that with the big juicy MAILTO: in the main executable file and you have yourself a wonderful recipe for potential identity theft.

Research Summary Write-Up: Chris Mannon, Senior Threat Researcher
Additional Research: Deepak Setty, Senior Threat Researcher

September 10, 2007

  • New Skype Worm On The Loose

As mentioned on the Official Skype Blog, there is indeed a new worm in the wild - someone, somewhere came up with w32/Ramex.A as a name but I thought "Bubbles" was more appropriate, as you'll see.

Everything starts with a user downloading this file:

http://blog.spywareguide.com/upload/2007/09/skyper1-thumb.jpg

Presented as an image file in the infection message, it's actually an .scr file - and no, that's not good.
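The same mismatch between what a file claims to be and what it is runs through several of the posts on this page: here an .scr screensaver passed off as an image, the extensionless "Photo" executable in the Skype post above, and, in the other direction, the keylogger's syswinf32.dll from the Bubbles variant post, which is a plain-text log wearing a .dll extension. The check below is an added example and not code from any of these write-ups; it compares a file's name against the first few bytes of its content (PE files begin with "MZ", JPEGs with FF D8 FF, and so on) and reports the disagreements. The file names and byte strings it runs on are constructed.

```python
"""Flag files whose extension disagrees with their content (added example)."""
from pathlib import PurePath
from typing import List

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".dll", ".cpl"}

# Leading bytes of common image formats.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}


def sniff(head: bytes) -> str:
    """Classify content from its first bytes: 'pe', an image type, 'text', or 'unknown'."""
    if head.startswith(b"MZ"):
        return "pe"  # DOS/PE header shared by .exe, .scr and .dll files
    for magic, name in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return name
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"  # printable ASCII only: a log, not a binary
    return "unknown"


def all_extensions(name: str) -> List[str]:
    """'Photo.jpg.scr' -> ['.jpg', '.scr'], so double extensions are visible."""
    return [s.lower() for s in PurePath(name).suffixes]


def assess(name: str, head: bytes) -> List[str]:
    """Return a list of findings; an empty list means name and content agree."""
    findings = []
    exts = all_extensions(name)
    last = exts[-1] if exts else ""
    content = sniff(head)

    if last in EXECUTABLE_EXTS and any(e in IMAGE_EXTS for e in exts[:-1]):
        findings.append("image-looking name with executable extension")
    if last in IMAGE_EXTS and content == "pe":
        findings.append("image extension but PE content")
    if last in EXECUTABLE_EXTS and content == "text":
        findings.append("executable extension but plain-text content")
    if not exts and content == "pe":
        findings.append("no extension but PE content")
    return findings


# Constructed samples: the interesting cases are the mismatches.
SAMPLES = {
    "Photo.jpg.scr": b"MZ\x90\x00\x03\x00",          # .scr hiding behind a .jpg
    "Photo": b"MZ\x90\x00\x03\x00",                  # executable with no extension
    "party.jpg": b"MZ\x90\x00\x03\x00",              # PE content, image name
    "syswinf32.dll": b"notepad.exe\r\nhello\r\n",    # text log named like a DLL
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",  # genuine JPEG
    "kernel32.dll": b"MZ\x90\x00\x03\x00",           # genuine PE named as a DLL
}

if __name__ == "__main__":
    for filename, head in SAMPLES.items():
        print(filename, assess(filename, head) or "ok")
```

Only the first bytes are needed, so the check is cheap enough to run over a whole System32 or Windows directory listing; Windows Explorer's habit of hiding known extensions is exactly why the name alone cannot be trusted.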

skyper2.jpg


This file has been compressed to perfection:

http://blog.spywareguide.com/upload/2007/09/skyper6-thumb.jpg

...yep, that's a 2k infection file. Yet there's a whole lot of trouble in such a small package:

http://blog.spywareguide.com/upload/2007/09/skyper5-thumb.jpg

...as you can see, the Worm tries to fool you into thinking someone really is on the other end by sending you what looks like fragments of a continuing conversation, finishing with a supposedly accidental sending of an image you're "not supposed to see".

Got to love that social engineering.

Here's a sample of some of the infection messages sent by the worm:

http://blog.spywareguide.com/upload/2007/09/skyper3-thumb.jpg


But why did we call it "bubbles"? Easy, this is what you see when you attempt to open the .scr for the first time:

http://blog.spywareguide.com/upload/2007/09/skyper4-thumb.jpg

Apparently, not everyone sees the bubbles when they run this file. I bet they really feel like they're missing out...

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

October 02, 2006

  • IE Used to Launch Instant Messaging and Questionable Clicks

Last month, a particular Instant Messaging attack was infecting users via Yahoo Instant Messenger and causing all kinds of problems. This month, we've discovered a variant that's linked to a sophisticated piece of possible clickfraud (depending on how you define it). We often hear about Botnets in relation to this kind of scam - indeed, a common tactic which we've seen a number of times is to hijack the infected drones' homepage and fill it full of clickable adverts that bring in a return for the Botnet owner. Here, we have an attacker going one step further and doing away with the complicated aspect of the Botnet altogether, substituting it for a more straightforward scheme involving the worm mentioned above as a launchpad. Effectively, we have a Botnet without bots, and the potential for financial fraud is in some ways more severe, because of the ease with which this particular attack spreads. First, let's take a look at the technical aspects of this attack...

Continue reading "IE Used to Launch Instant Messaging and Questionable Clicks" »

September 22, 2006

  • IM Worm Attack Cloaked in Virtual Card Hoax - W32Heartworm.A

The Net has a long history of hoaxes and many of the "best" seem to involve dire warnings of virus attacks that simply don't exist. Whether you're being asked to delete teddy bears or avoid the gaze of the all-seeing eye, there's a rich history out there that bad guys could have some fun with. Well, sure enough, some hackers seemingly decided to create a kind of potted history of online web hoaxes, and tie it into an actual infection. There's an MSN network instant messaging infection currently on the prowl that has a little fun at the good guys' expense, and toys with the notion of making a Net urban legend come to life. How is this done? Well, it's fairly subtle and not everyone would appreciate the rather warped humour. Assuming someone on your contact list has been infected, you'll see a message similar to the below appear on your screen:

http://blog.spywareguide.com/upload/2006/09/fantvcard4-thumb.jpg

Click the link, and you're taken to the below website:


http://blog.spywareguide.com/upload/2006/09/fantvcard1-thumb.jpg


Download and run the file on offer and (as you might expect) a bunch of nasty files are deposited onto your computer. Most of the files seem to be related to a certain strain of banking trojan particularly popular in Brazil - in fact, they're not too different from the files used in the Orkut Worm we discovered. Okay, I hear you cry - it attempts to steal confidential data. Show us something new, already.

Well, here we go.

You run an infection file, and generally one of two things happens:

1) Lots of notable stuff splatters across your desktop in the form of toolbars, popups and strange flashing banners.

2) An absence of anything notable happens on your desktop, which is probably an even worse scenario.

Here, however, you see....this:

http://blog.spywareguide.com/upload/2006/09/fantvcard3-thumb.jpg

...confused yet?

Allow me to explain. Rewind back to the infection site - it speaks of a "virtual card for you". Examine the URL the strange heart-picture comes from - Quatrocantos, a well known site dedicated to exposing online web hoaxes. That's right - the bad guys pop open an image from the good guys' hoax-hunting website (using up their bandwidth in the process), where the image refers to a "fake" virtual card hoax, and tie it into a real virtual card exploit.

As a final twist, the Quatrocantos website has a featured article on one other virtual card hoax, which stretches back to the year 2000. The title of that hoax?

A virtual card for you.

I asked Wayne Porter, Senior Director of Special Research (a new division I can't comment on) for his opinions given his background studying memetic engineering. "This is a cultural camouflage approach which we call "hoax cloaking". It is a defensive construct that adopts the very lore, memes and culture of the Internet to serve as a self-preservation and cloaking mechanism, much like the advanced construction of a "media virus".

For example, a natural response from a user might be to Google "A Virtual Card For You" to see if the card is an exploit or safe. At the moment Google, a trusted search engine, returns results from respected and trusted security companies like Sophos, Symantec, McAfee, Trend Micro, and F-Secure all warning this is a hoax and the rest of the sites are very well known and trusted hoax busting sites. The criminal taps into three layers of trust using a hoax which is pretty sophisticated behavior and pretty rarely seen." You can see some more information on the press release here.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Supplemental Research: Wayne Porter, Senior Director Special Research

June 16, 2006

  • Data-Theft Worm Targets Google's Orkut

IMPORTANT UPDATE: Google has reacted very quickly to our concerns, and we have been in discussions with their top engineers. As netizens we are encouraged by their quick reaction to our concerns, and willingness to listen thoughtfully to our feedback. Successful companies like Google understand that one must be a part of the conversation, not stand outside the conversation or try to obscure it. Our hats are off!
Stay tuned for more news...(See Addendum At Bottom)

-Wayne Porter
Sr. Dir. Greynets Research, FaceTime Communications

Back to the entry and analysis from Paperghost....

The idea of problems behind "gated" communities is a pretty interesting one, even more so when the idea regularly rolls around that segregating various parts of the Internet to "keep the bad guys out" would be a great idea. But what happens when those bad-guys are already inside the gates?

From Wikipedia:

(Orkut is) run by Google and named after its creator, Google employee Orkut Buyukkokten. It claims to be designed to help users meet new friends and maintain existing relationships. Similar to Friendster and MySpace, orkut goes a step further by permitting "communities" of users. It is also invitation-only: users must be invited to join the community by someone already there.

So, an interesting concept. But as we saw with Myspace not so long ago, people can (and will) game the system. In this case, the targets are (primarily) Brazilian users of Orkut - because for some reason, something like 70% of all users are from Brazil, and Portuguese is the language of choice right now. Of course, Orkut are not to blame here - nor are social networking sites in general. The sad fact is, large concentrations of end-users in a confined space are like the world's biggest honeypot to a social engineer.

It figures, then, that this particular infection - a variant of an older password stealer, which we dubbed Orc.Malware - should contain a message in Portuguese. Following up a hot tip from this guy (FallenHawk, an extremely resourceful Security Researcher), I was able to get a look at something rather nasty. Something that has apparently been nailing Orkut users for at least a month or so, but (until now) has been ultra-elusive with regard to pinning it down. The early variants (one or two of which I've since obtained) didn't do very much, and there was no direct tie to Orkut, other than this was where the bad guys were pushing it. Now, however, the infection will pop up a message telling you your data is being mailed off someplace, before sending you to the Orkut site (as you'll see from the video later on. Bring some popcorn).

The source of the problem is these two nasties (disguised as images), created in the System32 folder by a rogue executable file:

orkfiles1.jpg

Let's have a look at how these things get on board in the first place. We'll start off with the method of delivery...the infection message. The most common one we've seen so far is this:

"Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser publicadas na minha conta, eu criei um slide com algumas fotos minhas, pra ver e so clicar clicar no link!!! [link removed] - Sei que vai gostar"

A (very rough!) translation: "As Orkut limits the amount of photos that can be published in my account, I created a slideshow with some photos of mine, please click to see!"

This message is deposited in an Orkut user's "Scrapbook" (similar to a guestbook), and as the Scrapbooks are public, anyone visiting can see the link and click it. As you probably guessed, that's a real bad idea in this case.

The end-user is presented with what looks like an image file - open it up, and covert ops of the nastiest kind are instigated against the PC. Two more files are installed.

They don't look like much, but they're busy trying to drain your pockets of cash and anything else they can get their hands on. One of the files contains references to a pile of specific login pages for Brazilian banks, as well as a whole section devoted to Orkut and its Friends and Scrapbook pages. On the Orkut help site, they mention how automated Scrap sending isn't allowed:

"If you use other sites to log into orkut or send your friends scraps, you will likely be blocked from performing any actions on orkut.com for about 15 minutes and you'll see the message "We're sorry...but your query looks similar to automated requests.""

However, there are many examples of people abusing the system - Orkut has had lots of problems previously with people creating Spam scripts. And this particular infection does seem to have at least a (very) basic automated functionality. I first tested this on the Eighth of June, and was more interested in the data-theft aspect at that point. I didn't see anything particularly unusual going on (beyond the keylogging, of course!) and yet when I logged in a few days later, I saw this:

http://blog.spywareguide.com/upload/2006/06/orkfiles2-thumb.jpg

...and this:

http://blog.spywareguide.com/upload/2006/06/orkfiles3-thumb.jpg

During testing, I had two contacts in my "Friends" network. To my surprise, both of those users now had the infection message sitting in their scrapbooks. As you can see, the time / date of both messages is identical: 09:54 AM, 08/06/2006.

Now that's pretty freaky.

Worse still, this infection seems to be amazingly random. During one round of testing, it even deposited me into an XDCC Botnet:

http://blog.spywareguide.com/upload/2006/06/orkfiles4-thumb.jpg

Yay, I'm file-sharing pirated content!

As for how the data is actually sent back to the hacker guy, you'll probably want to check this short movie clip out:

flmtckr1.jpg Click here to download movie (2.90 MB)

00:00 to 00:09 seconds: End-user is going about their daily business, logging into Orkut. Note that you could be performing any web-based activity here; it's just a little thing I like to call context. Plus, I don't actually have any Brazilian bank accounts so you'll just have to make do with Orkut.

00:10 to 00:14 seconds: The end-user clicks into "My Computer". Oh dear - an "error message", warning that you have insufficient virtual memory and the application will now close (or words to that effect. I never was very good with Babelfish).

00:17 to 00:27: At this point, the end-user is probably wondering what on Earth is going on, as they see a message telling them their "form has been submitted", and that they will be redirected somewhere in 5 seconds. Can you guess where?

00:28 to 00:34: That's right, Orkut! I mean, he stole all your bank details and website logins, but at least he gives you a chance to get back into Orkut and change your password before he steals that too!

http://blog.spywareguide.com/upload/2006/06/orkfiles5-thumb.jpg

Make no mistake about it - this infection is a real nasty one. And worse still, it looks like the tip of a very ugly iceberg. I'd insert a really rubbish comment at this point about "how I hope we're not too late to avoid a Spyware-Titanic", but you'd probably hate me for it. Even if it was a nice tie in to the whole iceberg thing. So I'll just leave you with the advice that randomly clicking links to check out pictures, especially when those pictures are from some magical party you've never heard of, is probably not a very good idea.

Many thanks to Peter in our Bangalore office for his incredible sleuth work and the entire team for assisting in pulling this complex case to pieces. Special thanks to Wayne Porter for all night monitoring and revisions.

ADDENDUM: A startling event was discovered during extended testing on an infected machine, which was infected in a lab setting on the 13th of June. The link to the dangerous payload was propagated on the 16th...however the infection message is timestamped as having been sent on the 14th of June:

http://blog.spywareguide.com/upload/2006/06/orkfiles6-thumb.jpg


http://blog.spywareguide.com/upload/2006/06/orkfiles7-thumb.jpg


ADDENDUM Saturday, June 17, 2006: Happy Endings for Orkut

From CNET:


Google confirmed the worm. "We are aware of this issue and will have a temporary fix in place within the hour," a company representative said in an e-mailed statement. "We are working on a more permanent solution for users to guard against these malicious efforts."

For their protection, Orkut users, just as users of all online services and applications, should always be careful when opening or clicking on anything suspicious, the Google representative said.

-Wayne Porter
Sr. Dir. Greynets Research, FaceTime Communications

© Copyright 2006, FaceTime Communications, Inc. All rights reserved.