Dangerous MySpace Spam

I have been doing lots of research over the last few months on online social networking sites to prepare for an upcoming talk that I am going to be giving on the latest threats to social networks…in particular MySpace, Facebook and LinkedIn.

Tonight I received a new friend request from someone named “Elysabeth” in my email. Clicking on the link in the email takes you to the legitimate MySpace Friend Request Manager page which shows the below request:

[Image: Elysabeth wants to be your friend..really!]

Clicking on the picture takes you to the profile of Elysabeth. Check out the picture of what the profile looks like now after clicking on the profile.

EDIT: I didn’t edit out the MySpace profile URL in the picture so don’t hit up the URL and click on anything if you don’t want to risk being infected!

Notice anything strange…like the Windows Update notification pop up? Looks pretty real huh? Clicking anywhere on the first half of the page pops up the dialog you see on the right side to download a .exe file….some nice malware for you to install. Enjoy! (only on a Windows box…. 🙂 ) Interesting to note that by scrolling down the page past the malware banner it looks like a legitimate MySpace profile. My guess is that this profile was hijacked either through XSS or some other third-party application vulnerability…the real owner probably has no clue.

On a related note, I just read an article on how Paris Hilton and Lindsay Lohan just had their private photos downloaded because of a flaw in a Yahoo/MySpace widget. Looks like Yahoo/MySpace fixed this flaw pretty quickly tonight but it goes to show that third-party applications and widgets are another popular attack vector.

One more update…Mediaphyter posted a link tonight on the 10 Social Networking Security Trends To Watch. A must read on the latest online social networking threats.

2 thoughts on “Dangerous MySpace Spam”

  1. ha, I got an idea, imagine if these bots start grabbing legitimate pics and names from your friends list or profile and have it resend a friend request, if the profile settings are set to private, a lot of things can be grabbed by google cache eh?

  2. I sent this MySpace link to Tyler over at the Security Shoggoth…he does a ton of Malware analysis and tore this one apart:

    I dl’d the malware and did a quick analysis. Virustotal is a little less than helpful:

    http://www.virustotal.com/a

    but I did some rudimentary strings analysis. It's packed with an unmodified UPX so easy to unpack. The following URLs are in it:

    DON’T GO TO THESE!
    hxxp://mycashloads.com/newuser.php?saff=
    hxxp://windows-privacy-protection.com/?aid=

    It also looks to be written in VB6 as I found this in it:

    C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB

    as well as some VB-related function calls.

    There were also a bunch of these types of messages:

    Your computer is infected with spyware!
    Windows has detected spyware infection on your PC.#CR##CR#It is recommended to update your antispyware protection to prevent data loss. Click here to download and install the most up-to-date antispyware for you.#CR##CR#Click here for more information…
    Warning:
    Your computer is infected with spyware!#CR#Help to protect your computer and remove spyware!#CR##CR#Click here for more information…&

    and so on.

    If I had to guess, this is a trojan downloader which would trick you into downloading rogue anti-spyware software by putting those "You’ve been infected" messages on your system. IMO (and from the limited stuff I’ve looked at on it) it's not specifically bot-related…however, the stuff it downloads might be.
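
The string-based triage described in the second comment (UPX markers, embedded URLs, VB6 artifacts, scareware text), as an added example that is not code from the post or from Tyler's analysis. The sample bytes, the `example.test` host and all function names are constructed for illustration.

```python
import re

MIN_LEN = 4  # same default minimum as the Unix `strings` tool
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)  # UTF-16LE text
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
UPX_MARKERS = ("UPX0", "UPX1", "UPX!")     # section names and magic left by stock UPX
VB6_MARKERS = ("VB6.OLB", "MSVBVM60.DLL")  # VB6 type library and runtime DLL
LURES = ("infected with spyware", "antispyware")  # phrases seen in the comment's dump

def extract_strings(data):
    """Return printable ASCII runs, then UTF-16LE runs, found in raw bytes."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]
    return found

def defang(url):
    """Rewrite http -> hxxp so the indicator cannot be clicked by accident."""
    return re.sub(r"^http", "hxxp", url, flags=re.I)

def triage(data):
    """Summarise what the embedded strings say about packer, language and intent."""
    strings = extract_strings(data)
    blob = "\n".join(strings)
    return {
        "upx_markers": [m for m in UPX_MARKERS if m in blob],
        "vb6_artifacts": [m for m in VB6_MARKERS if m.lower() in blob.lower()],
        "urls": sorted({defang(u) for u in URL_RE.findall(blob)}),
        "lures": [s for s in strings if any(k in s.lower() for k in LURES)],
    }

# Constructed sample bytes (not the real binary); example.test is a placeholder host.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8 + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    + b"\x01\x02C:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.OLB\x01\x02"
    + "http://downloads.example.test/newuser.php?saff=".encode("utf-16-le")
    + b"\x00\x00\xff\xfeYour computer is infected with spyware!#CR#Click here\x00"
    + b"UPX!\x0d\x09"
)

if __name__ == "__main__":
    for key, values in triage(SAMPLE).items():
        print(key, values)
```

Scanning for UTF-16LE runs as well as ASCII matters here: the URL in the sample is stored wide and an ASCII-only pass would not report it.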
