DIY Fake MSN Client Stealing Passwords

Thursday, January 17, 2008

DIY Fake MSN Client Stealing Passwords

This tool deserves our attention mostly because of its do-it-yourself (DIY) nature, just like the many other related ones I discussed before. Custom error messages, two options for to kill or restore MSN after the password is obtained, and custom FTP settings to upload the accounting data. Why did they choose FTP compared to email as the leak point for the data? From my perspective uploading the accounting data on an FTP server means compatibility from the perspective of easily obtaining the accounting data to be used as foundation for another MSN spreading malware or spim, compared to accessing it from an email account.

File size: 888832 bytes
MD5: 02b0d887aa1cbfd4f602de83f79cf571
SHA1: da49527e96bb998b3763c1d45db97a4d3bccea7a

A sample is detected as W32/VB-Remote-TClient-based!Maximus.

In related news, MSN is said to be the most targeted IM client :

"Within the IM category, 19 percent of threats were reported on the AOL Instant Messenger network, 45 percent on MSN Messenger, 20 percent on Yahoo! Instant Messenger and 15 percent on all other IM networks including Jabber-based IM private networks. Attacks on these private networks have more than doubled in share since 2003, rising from seven percent of all IM attacks to 15 percent in 2007."

As always, it's a matter of a vendor's sensors network to come up with increasing or decreasing levels of a particular threat, but the pragmatic reality nowadays has to do with less IM spreading malware, and much, much more malware embedded trusted web sites.

Moreover, according to some publicly obtainable stats, IM spreading malware in general has been declining for the past two years, but how come? It's because of their broken and bit outdated social engineering model, namely the lack of messages localization, abuse of public events as windows of opportunities, and the lack of any kind of segmentation. One-to-many may be logical from an efficiency point of view, but it's like embedding a single exploit on hundreds of thousands of sites compared to a set of exploits, or a set of techniques like in this case.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Thursday, January 17, 2008

DIY Fake MSN Client Stealing Passwords

No comments:

Post a Comment