19 Mar The end of MSN Messenger, the beginning of attacks Fabio Assolini
27 Nov Cyber predators lurking Roberto Martinez
22 Jun IM worm targeting Brazilian Facebook users Fabio Assolini
05 Jun Financial data stealing Malware now on Amazon Web Services Cloud Dmitry Bestuzhev
25 Jan Malicious ads through ICQ Roel
24 Aug New IM Worm Squirming in Latin America Dmitry Bestuzhev
Microsoft recently announced the shutdown of its popular IM client MSN Messenger, which will be replaced by Skype, but its end marks the beginning of malicious attacks posing as the installer of the software. Cybercriminals have already started to exploit this in their attacks: registering malicious domains, buying sponsored links on search engines, and tricking users into downloading and installing malware masquerading as the MSN installer.
MSN Messenger is still very popular in several countries; Microsoft has stated that the service has more than 100 million users worldwide, approximately 30.5 million of them in Brazil. As a phased migration of all users is planned, it is getting harder to find the program's installer, and this is the window of opportunity exploited by Brazilian cybercriminals aiming to infect users looking for the software.
In a simple Google search for "MSN messenger", the first result displayed is a sponsored link to a malicious domain set up to distribute the fake installer, which is actually a banking Trojan:
They’re stalking, taking advantage of the anonymity offered by the Internet and using the most advanced techniques to deceive their victims. They pose a persistent threat. They are often very patient and have sometimes communicated with their victims over a number of days, weeks, months and sometimes for over a year before they finally arrange to meet with the young person. They are a new breed of predators.
There’s nothing new in Brazilian cybercriminals exploiting social networks to distribute their malicious code. Orkut was first, followed by Twitter, and now it’s Facebook’s turn.
Facebook is becoming increasingly popular in Brazil and we are witnessing more and more Brazilian bad guys switching their focus to it. We received some proof this weekend: a Brazilian instant messaging (IM) worm created to steal Facebook logins and passwords, and to use the infected profile to spread malicious links among Portuguese speakers.
The worm (md5 d8dd66f2ec659687c56feb31ae1ac692) is distributed in a drive-by download attack. After infecting the user’s machine, a malicious applet downloads many different files, including the IM worm responsible for stealing users’ Facebook passwords. The worm is designed to connect to the victim's profile via the web service Ebuddy.com or via the mobile version of Facebook, and is capable of posting the content of the file fb.txt:
Over the last few days, we received numerous reports of computers infected with fake anti-virus (scareware). The name of this particular culprit is Antivirus 8.
The interesting thing about these cases is that the users were getting fake anti-virus browser pop-ups while not actively using the computer. During our research we noticed that these pop-ups would appear right when ICQ was fetching and displaying new ads.
I installed ICQ and noticed the following after letting it run for a couple of minutes to fetch ads:
This page is hosted on [snip]charlotterusse.eu.
Going by the added iframe, it looks like this store's ad server was hacked, right? Not quite. I did some digging around and found that none of these servers - other than charlotterusse.com - are actually related to this brand of clothing.
This means that somebody went through the trouble of pretending to be this store. This is done to make sure the ad distributor will actually run the campaign, as these distributors are frequently approached by fraudsters.
However, what makes this case particularly interesting is that the bad guys make it seem as if their own server got hacked. By making it look like their server was compromised, the criminals can claim that it is not them who are responsible for distributing the malware, but rather someone else who hacked their server to spread it. The ad distributor is then very likely to simply issue a warning, which gives these criminals at least one more shot at infecting more machines.
This is another example of how trusted programs can be used to attack computers. It goes to show that anti-malware protection is needed no matter what the circumstances.
We've sent a notification to yieldmanager, who is the ad distributor in this case. We've not heard back from them at the time of writing.
It seems that the criminals behind the worm are now at the first stage of the crime: infecting as many machines as they can, so that they can later offer “good” deals to other criminals for pay-per-install, spam and other services.