Worms: September 2006 Archives

The Net has a long history of hoaxes and many of the "best" seem to involve dire warnings of virus attacks that simply don't exist. Whether you're being asked to delete teddy bears or avoiding the gaze of the all seeing eye, there's a rich history out there that bad guys could have some fun with. Well, sure enough, some hackers seemingly decided to create a kind of potted history of online web hoaxes, and tie it into an actual infection. There's an MSN network instant messenging infection currently on the prowl that has a little fun at the good guy's expense, and toys with the notion of making a Net urban legend come to life. How is this done? Well, it's fairly subtle and not everyone would appreciate the rather warped humour. Assuming someone on your contact list has been infected, you'll see a message similar to the below appear on your screen:

http://blog.spywareguide.com/upload/2006/09/fantvcard4-thumb.jpg
Click to Enlarge

Click the link, and you're taken to the below website:


http://blog.spywareguide.com/upload/2006/09/fantvcard1-thumb.jpg

Click to Enlarge

Download and run the file on offer and (as you might expect) a bunch of nasty files are deposited onto your computer. Most of the files seem to be related to a certain strain of banking trojan particularly popular in Brazil - in fact, they're not too different from the files used in the Orkut Worm we discovered. Okay, I hear you cry - it attempts to steal confidential data. Show us something new, already.

Well, here we go.

You run an infection file, and generally one of two things happens:

1) Lots of notable stuff splatters across your desktop in the form of toolbars, popups and strange flashing banners.

2) An absence of anything notable happens on your desktop, which is probably an even worse scenario.

Here, however, you see....this:

http://blog.spywareguide.com/upload/2006/09/fantvcard3-thumb.jpg
Click to Enlarge

...confused yet?

Allow me to explain. Rewind back to the infection site - it speaks of a "virtual card for you". Examine the URL the strange heart-picture comes from - Quatrocantos, a well known site dedicated to exposing online web hoaxes. That's right - the bad guys pop open an image from the good guys' hoax-hunting website (using up their bandwidth in the process), where the image refers to a "fake" virtual card hoax...and tying it into a real virtual card exploit.

As a final twist, the Quatrocantos website has a featured article on one other virtual card hoax, which stretches back to the year 2000. The title of that hoax?

A virtual card for you.

I asked Wayne Porter, Senior Director of Special Research (a new division I can't comment on) for his opinions given his background studying memetic engineering. "This is a cultural camouflage approach which we call "hoax cloaking". It is a defensive construct that adopts the very lore, memes and culture of the Internet to serve as a self-preservation and cloaking mechanism, much like the advanced construction of a "media virus".

For example, a natural response from a user might be to Google "A Virtual Card For You" to see if the card is an exploit or safe. At the moment Google, a trusted search engine, returns results from respected and trusted security companies like Sophos, Symantec, Mcafee, Trend Micro, and F-Secure all warning this is a hoax and the rest of the sites are very well known and trusted hoax busting sites. The criminal taps into three layers of trust using a hoax which is pretty sophisticated behavior and pretty rarely seen. You can see some more information on the press release here.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Supplemental Research: Wayne Porter, Senior Director Special Research

About this Archive

This page is a archive of entries in the Worms category from September 2006.

Worms: June 2006 is the previous archive.

Worms: October 2006 is the next archive.

Find recent content on the main index or look in the archives to find all content.