The IM Hackers: Weapons of Choice

by Christopher Boyd

Part 1: Custom HTML Exploits

There is currently a wave of IM adware bundles that have been tracked as far back as October 2004. However, it looks like the group responsible for the current wave of these installers has been traced due to extended research by Christopher Boyd, Wayne Porter and the XBlock team, the FaceTime IMPact center, Roger Karlsson of Kephyr.com and the final piece of the puzzle, Jay Loden, who (by chance) was found by Boyd whilst conducting further research. Loden had in his possession a massive collection of files, photographs, screenshots, chatlogs and more besides, which is currently being used as exhibits A through Z in a potential police investigation.

Therefore, names, geographical locations and other personally identifiable information will not form the basis of these write-ups. The files, however, are fair game. And these articles will look to carry out in-depth studies of particular elements of this hacker group's methods, techniques and (of course) payloads.The file in question that seemingly started all this is something called "Funneh.exe", though the files recovered from the hackers are (in truth) far more interesting in terms of understanding both what they hoped to achieve, and also how Funneh.exe came to be. This time round, we'll be looking at custom HTML exploits...

The rise of Social Engineering as Webcode

Drive by installs are not the force they once were. Alternative methods are now the order of the day, and cheap tricks are employed regularly to fool end-users to click something. A case in point is in the "Hacker treasure trove", found in a recent reveal of a hacker gang found to be pushing IM installers to make money from the Adware programs. The collection includes a number of HTML pages, some custom built, some based on previously existing exploits already in the wild. Let's look at some of these....

1) The phone spam messenger

An interesting piece of code that isn't as clever as you might first imagine. No doubt designed to impress the rest of the teenage gang, this "phone spam" tool (image here) simply leeches off the genuine application located elsewhere. Code:



http://usc.ztango.com/uscwmss is where the "real" messenger service resides, which is operated by Wider Than.

2) CTH.htm

Some pages in the bundle that dont make sense on their own, suddenly fit into place when activated. The CTH.htm page is slightly more advanced in this respect, and here we can see the hacker group flexing their muscles with a simple affiliate popup:



Allow the popup, and you get the ctf popup page with (of course) affiliate links for every URL...clicking one of the links (for example, the "Adult" link) takes you from here : clickthrutraffic.com/scripts/click.php?aff=hybridtf&si=adult to this sequence of redirects, eventually ending up at Mirago. Mirago is a UK-centric search engine.

3) GAMA.htm

This page is devastating, though for all the wrong reasons. When opening up the page, a message is displayed regarding ActiveX, and a click yes to continue box is displayed 3 times. Once it is gone, the CPU usage rockets to 100% and the PC usually dies at this point - note the massive spikes in the CPU usage history. Going back to the source code of the original GAMA page, we can find another page buried in the code - prompt.htm:



Open up prompt.html, and we can see that it attempts to call XXX Toolbar from a flash animation. Here, we can see the group experimenting with different types of installer and realising that a basic "click the link to install" technique will not be enough.

4) LOUD.htm

The source for this page serves up the below:



Which (in turn) presents the user with this popup when using IE. If you decline, you are presented with the same popup four times, and at the same time, a "click yes to continue" box appears repeatedly, bringing the grand total of attempted installs to eight. Viewing the EULA takes you to Blazefind / 180 Solutions, and clicking "Yes" in this case will install:

* 180search Assistant, EULA located at: http://www.180searchassistant.com/eula.aspx
* Internet Optimizer, EULA located at: http://www.internet-optimizer.com/legal/EULA/
* Golden Retriever, EULA located at: http://www.shopathomeselect.com/TermsAndConditions.asp
* WebSearch, EULA located at: http://www.websearch.com/legal/terms.aspx

5) MEH.htm

This page exploits two methods of install - the first, a Java popup from IST that will install a barrage of advertising software onto the end-user's PC. If the user declines but clicks the fake XPSP2 "information bar" at the top of the screen and accepts the install, they will be hit with the same payload. The fake information bar is created using a CSS (Cascading StyleSheet) trick which was covered some time ago both here and here. For more information on the way the Java install works, check out the "Anatomy of a Drive-By Install" link in Related Articles at the end of this writeup.

The payload delivered from the above is almost identical to the installs covered on both Vitalsecurity.org and Spywareguide.com. Here, we can chart the development of a series of techniques leading up to a massive payload. So we now have a place to begin our investigation into the genesis of Funneh.exe, and can see that the hacker group got to a certain level, then realised a webpage install wouldn't be enough. They would need something more.

But where does the transition from fake information bar to using IM as the launchpad for these installs come from? How did this particular group of script kiddies make the leap from standard webpage install, to combining Adware bundles with new variants of IM virus techniques? The answer will be revealed in Part 2...

This article is copyright 2005 by XBlock.com.
It may not be reprinted or copied without the express written consent of the author.

Related Articles

• Greynets: Instant Messenger Opens Gates to Hidden Spyware
• Anatomy of a Drive-By Install- Even on Firefox
• The IM Hackers: How They Did It

Read other articles (back to full list)