Aurora Adware bundle hits Instant Messaging
The thing about timed explosives is, you're never quite sure when they're going to go off. And in this case, something that was posted on my forum some weeks ago has waited silently, unwilling to co-operate. That is, until a few days ago. Wayne Porter has often said (and I agree) that Greynets are the future of Malware (and other Ware) installs. Most of the "big" stories I've covered have involved some pretty zany techniques to get things onto your system. And Aurora has managed to find itself installed in everything from Bittorrent media bundles to multi-webpage EULA funfests. In fact, I'm convinced if you looked in my underpants right now, Aurora would be down there too.
Omnipresent doesn't come into it.
But yet again, I am forced to look in slack-jawed amazement at the - er - ingenuity?...of the Aurora affiliates so desperate to get it onto your PC that they really will stoop to any means necessary to make their dough. Come with me, into the new Adware-bundle battlefield....Instant Messaging.
Flashback...
Because every great story needs a lead-in, right? A long time ago (but not in a galaxy far, far away) there was IRC. IRC was a wonderful thing. Full of people saying R0xor(z)((!!112)). Then those crazy crapware installers thought it was better used as a jump-off for Trojans, Bots and Malware. Some of these things are pulsating beacons of infective rage, and woe betide the hapless user that stumbles into a rogue channel and / or network unprepared. Well....
Take one common or garden IRC Trojan - in this case, W32/Sdbot-AAH. Its usual weapon of choice is called Poker3.exe. This can do lots of things, like remotely install new code, steal passwords, all kinds of lovely things. Modify it (apparently), and then while that's coming to the boil...
Study some Instant Messaging virus techniques. One of the most popular is throwing out a link to the end-user that then (typically) whacks them with a virus, directs them to a rogue IRC channel or something equally malicious. How about Prex.AM, that spreads via MSN Messenger? Yeah, that'll do nicely!
Do you take credit cards? Because I have no shortage of details I can use!
This new infection seems to use a combination of the above two exploits. And it looks like the poker3.exe has been modified, because when hit with the original install, you most definitely do not get whacked with a super-fun Adware bundle. More your common or garden Trojan / Virus / IRC "thing".
Back to the hunt - I didn't see much on the internet about this latest threat. Then a few HJT logs started appearing on various forums. These logs followed the same pattern as the one posted on my forum. Check this out - a random selection of some I've found these past few weeks...
HJT Log1, HJT Log2, HJT Log3, HJT Log4, HJT Log5, HJT Log6, HJT Log7, HJT Log8
Note how many mention MSN Messenger as the source of the install, and how the programs installed in each case are almost identical. Also, note how many mention something called MC-58-12-0000080.exe (just to confuse things further, which is supposed to be a component of Shorty). A handful of confused pleas for assistance on Brazilian(?) websites were also appearing (yes, I've been busy with translators too). Even there, they were still mentioning MSN Messenger as the vector of attack...
...and at that point, I realised why Poker3.exe wasn't doing very much by just double-clicking it (which is what you had to do in this case, as you would have to agree to download Poker3.exe from the infection website then run it before anything would happen. Hopefully this may help keep infection rates down, though they will surely refine the install). I fired up MSN Messenger on two PCs - ran the executable on one, then waited.
And waited.
And waited.......
These random installer things are great, aren't they? Anyway, check out the screenshot. In it, one of a number of funky phrases pops up in the victim's chatbox. At this point, there is no difference between this and the bog-standard Prex.AM infection. MSN - check. Funky virus thing - check. Crazy clickable link - check. End-user who's really going to have wished they didn't click random links anymore.....check.
You can see where this is going, can't you?
Of course you can. Clicking the link suddenly makes the usual install for this thing take a turn for the worse. Before you can say "hosed", the PC opens up multiple installers and is hit with a rather large bundle. Aurora / Ceres, 180 Solutions Search Assistant, Elite Toolbar, Bullseye Network and a lovely selection of diallers for good measure.
The site that hosted this thing has suddenly been pulled, and it looks like the guys behind it have (to coin a phrase) done a runner. Can't say I blame them, really. It's quite difficult explaining yourself when an angry mob has already dropped you on your head from the top of a twelve-storey building. But the exploit is now out there, somewhere, and I guarantee there will be more examples of this down the line.
And what I'm asking you wonderful people to do is send me any and all examples of this out in the wild. UKBiker from Geekstogo.com has already pointed me in the direction of the same exploit working in AIM. If you see this thing, if you know someone who has been hit by it, if someone ran into your garden and screamed a URL at you for no apparent reason - let me know.
And no peeking at my underpants, either.
Labels: Direct Revenue, The Big Ones
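The spotting of this bundle came from noticing that several HijackThis logs from different victims listed almost the same autorun entries (Poker3.exe, MC-58-12-0000080.exe and the adware components). The script below is an added example, not code from the original post, showing how a helpdesk volunteer could automate that correlation: parse the O2 (BHO) and O4 (autorun) lines of a pile of logs, report any binary that turns up in more than one victim's log, and flag the two file names the post itself names. The three logs, the registry value names and every path in them are constructed here for illustration; the only real identifiers are the two file names taken from the post. The baseline set exists because correlation alone also catches legitimate software every Windows box runs, so a small allow-list of known-benign names is needed before the output means anything.

```python
import re
from collections import Counter, defaultdict

# Constructed sample logs in HijackThis style; these are NOT the eight logs the
# post links to. Paths and value names are made up for the example.
SAMPLE_LOGS = {
    "log1": r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example Bar\exbar.dll
O4 - HKLM\..\Run: [Poker3] C:\WINDOWS\poker3.exe
O4 - HKLM\..\Run: [MC-58-12-0000080] C:\WINDOWS\MC-58-12-0000080.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""",
    "log2": r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example Bar\exbar.dll
O4 - HKLM\..\Run: [Poker3] C:\WINDOWS\poker3.exe /silent
O4 - HKLM\..\Run: [MC-58-12-0000080] C:\WINDOWS\MC-58-12-0000080.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""",
    "log3": r"""
O4 - HKLM\..\Run: [Poker3] C:\WINDOWS\poker3.exe
O4 - HKLM\..\Run: [MC-58-12-0000080] C:\WINDOWS\MC-58-12-0000080.exe
O4 - HKLM\..\Run: [Dialer] C:\WINDOWS\system32\placeholder-dialler.exe
""",
}

# File names the post itself calls out as part of this infection.
KNOWN_FROM_POST = {"poker3.exe", "mc-58-12-0000080.exe"}

# Legitimate components that show up in nearly every log; without an allow-list
# like this, cross-log correlation flags them just as loudly as the malware.
BASELINE = {"ctfmon.exe"}

# Matches the last .exe/.dll file name on a line (no backslashes, spaces or
# brackets inside it), which is the binary an O2/O4 entry actually launches.
BIN_RE = re.compile(r"[^\\\s\[\]]+\.(?:exe|dll)\b", re.IGNORECASE)


def extract_binaries(log_text):
    """Return the lower-cased binary names referenced by O2 (BHO) and O4 (autorun) lines."""
    found = set()
    for line in log_text.splitlines():
        if not (line.startswith("O2 - ") or line.startswith("O4 - ")):
            continue
        names = BIN_RE.findall(line)
        if names:
            # The last match is the launched file; earlier ones may be the
            # bracketed value name (e.g. "[ctfmon.exe]").
            found.add(names[-1].lower())
    return found


def correlate(logs, min_logs=2, baseline=BASELINE):
    """Map each non-baseline binary seen in at least min_logs logs to the logs it appears in."""
    counts = Counter()
    where = defaultdict(list)
    for log_id, text in logs.items():
        for fname in extract_binaries(text):
            if fname in baseline:
                continue
            counts[fname] += 1
            where[fname].append(log_id)
    return {f: sorted(where[f]) for f, n in counts.items() if n >= min_logs}


def flag_known(common):
    """Which of the correlated binaries are the ones the post already named."""
    return sorted(f for f in common if f in KNOWN_FROM_POST)


if __name__ == "__main__":
    common = correlate(SAMPLE_LOGS)
    for fname, log_ids in sorted(common.items()):
        print(f"{fname:28s} seen in {len(log_ids)} logs: {', '.join(log_ids)}")
    print("named in the post:", ", ".join(flag_known(common)))
```

Run against real logs, the interesting output is the third category: binaries that recur across victims but are neither baseline nor already known, since those are the bundle components (or a new dropper) that nobody has written up yet.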

