Microsoft recently announced the shutdown of its popular IM client MSN Messenger, which will be replaced by Skype, but its end represents the beginning of malicious attacks posing as the installer of the software. Cybercriminals already started to use this fact in their attacks, registering malicious domains, buying sponsored links on search engines, tricking users to download and install a malware masquerade as the MSN installer.

MSN Messenger is still very popular in several countries; Microsoft informed that the service has more than 100 million users worldwide, approximately 30.5 million of them in Brazil. As an escalated migration of all users is planned, it's getting harder to find the installer of the program and this is the window of opportunity exploited by Brazilian cybercriminals aiming to infect users looking for the software.

In a simple search on Google for "MSN messenger" the first result displayed is sponsored link of a malicious domain aiming to distribute the fake installer, which is actually a Trojan banker:

They’re stalking, taking advantage of the anonymity offered by the Internet and using the most advanced techniques to deceive their victims. They pose a persistent threat. They are often very patient and have sometimes communicated with their victims over a number of days, weeks, months and sometimes for over a year before they finally arrange to meet with the young person. They are a new breed of predators.

There’s nothing new in Brazilian cybercriminals exploiting social networks to distribute their malicious code. Orkut was first, followed by Twitter, and now it’s Facebook’s turn.

Facebook is becoming increasingly popular in Brazil and we are witnessing more and more Brazilian bad guys switching their focus to it. We received some proof this weekend: a Brazilian instant message (IM) worm created to steal Facebook passwords and login, and use the infected profile to spread malicious links among Portuguese speakers.

The worm (md5 d8dd66f2ec659687c56feb31ae1ac692) is distributed in a drive-by-download attack. After infecting the user’s machine a malicious applet downloads lots of different files, including the IM worm responsible for stealing users’ Facebook passwords. The worm is designed to connect to the victim profile via the web service Ebuddy.com or via the mobile version of Facebook, and capable of posting the content of the file fb.txt:

    There were some recent comments about Amazon Cloud as a platform for successful attacks on Sony… Well, today I found that Amazon Web services (Cloud) now is being used to spread financial data stealers.

Over the last few days, we received numerous reports of computers infected with fake anti-virus (scareware). The name of this particular culprit is Antivirus 8.

The interesting thing about these cases is that the users were getting fake anti-virus browser pop ups while not actively using the computer. During our research we noticed that these pop-ups would appear right when ICQ was fetching/displaying new ads.

I installed ICQ and noticed the following after letting it run for a couple of minutes to fetch ads:

This page is hosted on [snip]charlotterusse.eu.

Going by the added iframe, it looks like this store's ad server was hacked, right? Not quite. I did some digging around and found that none of these servers - other than charlotterusse.com - are actually related to this brand of clothing.

This means that somebody went through the trouble of pretending to be this store. This is done to make sure the ad distributor will actually run the campaign, as these distributors frequently get approached by fraudsters.

However, what makes this case particularly interesting is that the bad guys make it seem like their server got hacked. By making it look like their server got compromised, the criminals can claim it isn't them who's responsible for distributing the malware. But rather someone else who hacked their server to spread malware. The ad distributor is very likely to simply give them a warning, which gives these criminals at least one more shot at infecting more machines.

This is another example of how trusted programs can be a used to attack computers. It goes to show that anti-malware protection is needed no matter what the circumstance.

We've sent a notification to yieldmanager, who is the ad distributor in this case. We've not heard back from them at the time of writing.

    Whenever we discuss the most active malware-producing countries, Russia, China and Brazil are always atop the list.  But there’s a new country that’s starting to appear in the top five: Mexico

In our monthly Latin America malware analysis published on Viruslist and Threatpost (both in Spanish), we already mentioned that Mexico is known for producing local botnets.

On Aug 21, we (Kaspersky Lab) detected a new instant messenger worm that spreads through almost all well-known IM programs, including Skype, GTalk, Yahoo Messenger and Live MSN Messenger. The name of the threat is “IM-Worm.Win32.Zeroll.a”

It “speaks” 13 different languages (including Spanish and Portuguese) according to the local language of the infected Windows computer.  There are some characteristics that show the worm originated Mexico. It is written in VB and the C&C is located on an IRC channel (an old botnet technique recycled by the Mexican coders).

Our statistics based on the KSN data show the biggest infections were registered in Mexico and Brazil.

It seems like the criminals behind the worm are now at the first stage of the crime -- infecting as many machines as they can to have “a good” offers after to another criminals: pay per install, spam and others.

It’s worth mentioning that only three anti-virus programs (including Kaspersky) detect the threat.

Late on Monday, a lot of Russian ICQ users got sent this message:

If you've been using ICQ for a while or are even remotely security savvy, you know not to just click on links that get sent to you, even if they appear to come from a known contact. Instead, you're going to try and check in some way whether it's really a person who sent you the link, or just a bot. Turing tests are designed to distinguish humans from bots, and everyone's come across CAPTCHAs, a reverse Turing test. Of course, if you're on ICQ, you're not going to use an image to check who's on the other side of the screen, but you can ask a challenge question – after all, a computer can't actually answer questions, can it?

Last week there was a lot of speculation going round that Paris Hilton has changed her sexual orientation. A couple of years ago when she was making the news, IM-Worm authors played on this. With these latest rumours – I am an AV researcher after all - I immediately thought that the bad guys would find some way to use these rumours. Unsurprisingly, this prediction turned out to be true. Over the last couple of days we've seen spam being sent out which contains a link in it claiming to be a Paris Hilton video.

The social engineering is obvious – although it's amusing that the video title mentions men rather than women. Putting this aside, it's rather an odd case from a technical point of view.

The URL leads to a simple Trojan-Downloader which is packed using FSG. It doesn't have any anti-AV functionality. In turn the Downloader downloads two files, one for harvesting email addresses from the victim machine and one for sending out spam. One of those is stuffed with anti-AV techniques.

Of course, using Trojan-Downloaders is extremely common these days. What's strange is the combination of such a simple Trojan-Downloader which downloads highly sophisticated malware.

And given that the Trojan-Downloader will be heuristically detected by quite a number of virus scanners, including ours, the chances of actually getting infected are slim. This leaves me wondering if this unusual combination was created by the authors by accident, or by some strange design.

We regularly see Trojans being sent via IM. There's a whole range of approaches used, from standard messages saying 'Hey, take a look at my photos' or links which purportedly lead to useful utilities, to social engineering which plays on people's fears:

[Translation: Look what's been written about you here]

Of course, the pages linked to are stuffed with exploits which are used to turn the victim machine into a malware menagerie.

There's nothing new in these mailings. But today we got another example of a mailing that's been going on for the last three weeks or so – every day, millions of ICQ users are being sent the following message:

Although the link does change, sometimes the same link gets sent twice in one day – it depends how quickly antivirus companies react to the latest malware that's placed on the link. If the user is incautious or uninformed enough to click on the link, his or her machine ends up infected with a variant of the ever popular Trojan-PSW.Win32.LdPinch.

We took a look at all the different variants that have been downloaded, and discovered that:

1. An old version of Pinch is being used, and this version is freely available – for each wave of mailings, the malware simply gets packed with different packers.
   
2. To start with, Pinch sent its log files off using public SMTP servers, but then moved to using a script gate on a free hosting site.
   
3. The recipient's email is the same in all cases.

Pinch is a true omnivore – it grabs just about everything it can from the victim machine: the Windows license number, system information, a list of programs installed, as well as ICQ, email and FTP passwords, and passwords saved to Windows Protected Storage.

On the most productive days, the person behind the mass mailings managed to collect up to a hundred logs. And his e-store has a whole bunch of ICQ numbers for sale, presumably stolen from victim machines. He's clearly out to make money – given that malware writers have made the shift from simple disruption to clearly criminal activity, that's no surprise. However, what he maybe doesn't realize is that a careful analysis of Pinch leads to a wealth of information about the author - name, date of birth, town, mobile number and various other personal data.

Good news for those fighting cyber crime, but not so great for those involved in illegal activity.