The creators of the IM bundles discovered...
When a roadblock is met, what happens to the story? Where does it go, when the leads have dried up and there's nothing more to say? What do I do when I've promised you another chapter, some kind of payoff to the twisting, turning story at hand - but there's nothing more to be seen? Do I just stop writing about it, and pretend it never happened? Hope something may just turn up somewhere in the future? Watch as the wheels come off, the momentum dries up and everyone goes home more entertained by the support act?
Nope - I get out there, take some names and BUST SOME HEADS.
So come with me, as I raise the bar then gun it down, the group responsible for the IM installers caught red-handed and trailing in my wake. Angry words, incriminating screenshots and punks nailed to the floor is the order of the day.
And that's just the start. It's time to rock...
Ye olden days: AIMFACE installers, with a huge payload.
The missing link: Well, it's missing, isn't it?
Ye present day: Current modified MSN virus, with reduced payload.
Can you see what's missing? (quick clue, it's not the first or last one!)
Something, somewhere, was missing in action and would not raise its ugly little head. But it is a fact nations will rise, empires will fall and I will find the next link in the daisy chain. And so it came to be, that I stumbled across something called the Funny virus (which, I assure you, isn't funny at all).
From there, we reach the mysterious Funneh.exe, and the wonderful Jay Loden, creator of AIMFix. Not only is he another malware buttkicker, he used his kung-fu skills to ensure that anyone caught running Funneh.exe would be safely redirected to his website. Which is awesome, but not good for me when trying to see what is down the rabbit hole.
The thing about us malware kickers is....we're just so damn helpful to each other!
A short while later, and I'm about to run the infectious version on my testbox, courtesy of Jay. I am, of course, getting ahead of myself. You want to see the site this baby comes from, don't you? Well, here it is...
Yeah, milk it baby! Quite possibly the most surreal installer site ever (click to enlarge). But that's not where it ends. Remember the early installers? Bear in mind that I'm looking to join the dots, make connections and look for things that cannot possibly be down to chance. Those files all made calls to what appeared to be personal Comcast pages, which in turn launched .EXEs that popped open messenger programs. Well, by a stroke of luck Jay discovered that the people behind Funneh.exe were operating off compromised servers, using - you guessed it - Comcast sites. So there's coincidence number one. Number two - Jay was handed a pile of files that these guys were storing up, and I have to say it's quite a catch. Every kind of malicious file you could think of is in this trove of badness. Now, getting back to the original Funneh.exe, I ran it and...
Nothing. Not a damn thing. Didn't call out to any installs, didn't cripple the PC...nothing. The packet logger remained silent and, for one horrible moment, it looked like the story ended right there in a blaze of disappointment.
But no!
While examining the garbage, I found something that immediately caught my attention - and it was indeed coincidence number two, and my very own personal magic bullet.
A while back, people were talking about this thing - a "fake" SP2 information bar. Wouldn't you just know it, if a custom-built .HTML page was sitting in one of the leet haxor's folders (click to enlarge). I opened it up, and (sure enough), I was presented with an IST Java applet (no EULAs, of course). And what happens if you click yes? I'm sure you can imagine - almost exactly the same bundle of Adware hits the PC as is launched from the other IM installers (with near-identical logfiles generated from the snoop tools). But even that wasn't good enough. I wanted something more. Something definite. Something so bulletproof and utterly stupid (say, a totally unexpected website popping up) that the chances of it being a coincidence would be about as likely as Elvis returning from Mars and doing the 68 comeback tour all over again.
So crank up your speakers and get into your white jumpsuit, because here (in flash-animated glory) is the tie that binds this script-kiddie group to practically all of the IM bundles doing the rounds at the moment. Remember something completely nuts that was in the Career12 bundle? No?
You do now.
The punks behind this are lame script-kiddies with a thirst for affiliate cash, and they will hopefully be sharing a cell with Big Bubba sometime soon. Yes, the feds are onto it and I doubt running that disk eraser will save their behinds from some serious jail time.
So all's well that ends well. Or is it?
AFTERMATH
The threat is still out there, and this won't prevent someone from coming up with similar scams in the future. There are a stack of other Comcast sites still hosting horribly nasty files, ready to whack a PC for all it's worth. And what of the companies whose software was involved in this farce? Why have they not answered Wayne Porter's call? Why do they send me emails asking for information, only to fall silent?
No matter. You'll be seeing more on this in the weeks to come - here, on Spywareguide and also on ReveNews. The people behind the files may have been rumbled, but now it's time to turn our attention to the Adware guys.
I want answers.