Sunday, December 28, 2008

The MSN "Not A Phishing Worm"

This is a funny one actually :)
I am just working as usual when I got the following message on my MSN Messenger:
This is how real girls party. Great high quality pictures on
http://jusmineza.PartyPicturez.info
Now of course i understood that it's a worm, but still, lets see where it leads to.
So I went into the site and it looked like this:



















With what i have seen until now, this is a classic phising site, I saw dozens
like it for Yahoo! in the past. But wait! lets look at that GREY text blow:

Terms of Use / Privacy Policy:

By filling out this form, you authorize T P Ltd to spread the word about this new 100% real and upcoming Messenger Community Site. You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties. By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a "phishing" site that attempts to "trick" you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

We may temporarily access your MSN account to do a combination of the following: 1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.

This is a free service. You will not be asked to pay at any time. You will not be subscribed to anything asking for payment. This service is made possible by many hours of human effort.

T P Ltd reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.

You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, T P Ltd is NOT agreeing to MSN's terms of use and therefore not bound by them.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

OK, they said in the text:
This is not a "phishing" site that attempts to "trick" you into revealing personal information.
So they don't want our usernames and password, which is also the EMAIL of most people, yeah I believe them, sure.

They just want to:
1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.
Which is completely different with what a worm does. A worm just spreads and "introduces", "entertaining" sites with a lot of porn and exploits.
By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us.
.....
ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED
Yeah why not, take my account and send spam "on behalf of third parties" and if they get like hacked or something, we are not responsible, you agreed to this.

I believe this should be called "Legal Phishing User Agreement" or "Worm As A Service".
It is also a little wiered that a "legal" domain called "partypicturez.info" is dealing with MSN accounts and not PICTURES FROM PARTIES and has unlimited(*.) subdomains and only 1 page, don't you think?!
Ofcourse they used the domain protection:
Registrant Email:9648af2d68114548bfc703cca6806a46.protect@whoisguard.com
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard
Well, don't fill any form you see without reading the small (and in this case GREY) prints :)

Update:
The same worm also sends this message:

"[msn_dst_user], claim your Prize!
http://[msn_src_user].win-win-it.com/winner.php"

And

congratulations [msn_dst_user]!!!
http://[msn_src_user].accept-your-gift.com/winner.php

And

merry XMAS heres your gift
http://[msn_src_user].specialofferforyou.info/gift.php

And

[msn_dst_user], claim your Xmas Card!
http://[msn_src_user].greeting-cardss.com/xmas.php

And

http://freegiftznow.com/xmas.php
And
[msn_dst_user], see the pics from yesterday's christmas party what do u think?
http://[msn_src_user].yourimagez.com/xmas.php
The messages are updated by the hour, these ones are specific for xmas.
Any file or subdomain in win-win-it.com redirects to http://www.desktopsmiley.com/go.do?a=814

Which is also registered by WHOISGuard.
Both these websites were built to make people download this:
http://www.desktopsmiley.com/toolbar/desktopsmiley/download/stb_installer.exe

Which they claim is:

"Download DesktopSmiley to get 1000's of FREE Smileys!
It's totally FREE! No Registration. No Spyware."

Yes, a toolbar advertised by a WORM is not spyware, sure...
The example above was version 2.0c. It seems these guys used different methods and different domains and different company names in the older versions (which is typical to viruses and spyware but not to legitimate software).
The following example belongs to an older version 1.1c whi MSN message:

foto http://hi5.eu.com/id.php?=[dst_user_email]
Which prompts a download for "IMG455.jpg-www.photo.com" which is an EXE file with a COM extension and where ran "True Type Detection" will be made by windows loader and it will execute as the regular EXE file it is.
Those people don't care a bit and they left "Directory Browsing" open in the subdomain's root, check it out at: http://hi5.eu.com/
They even forgot to remove their private packer from the site: http://hi5.eu.com/pa-packer.rar

They also have a version at: http://new.upicx.com/ (which i think just went down...)
Which loads " http://new.upicx.com/indexx.php" and " http://new.upicx.com/pop.php" and VERIFYS the request's REFERER is " http://new.upicx.com/" so direct reference to these files returns "404 Not Found".
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)