Greynets: Instant Messenger Opens Gates to Hidden Spyware
by Chris Boyd, Wayne Porter
BACKGROUND ON GREYNETS
To better understand this analysis it is helpful to understand the concept of Greynets. Greynets are network-enabled applications that are installed on an end user's system without permission from IT and are frequently evasive at the network level, using techniques like port agility and encryption to avoid being detected and blocked. Greynets carry a number of network and information security risks, including potential vectors for malware, client-side code vulnerabilities, intellectual property loss, identity theft and more. While some greynets, especially IM, have legitimate business uses, others are not so business-friendly. Even legitimate greynet applications can pose serious network and information security risks. It is critical to understand that Greynets are not just IM or P2P applications but can also encompass applications that are typically called "spyware" or "adware". Most technology is neutral; it is how it is used and deployed that determines whether it is harmful or useful to the end user. Thus the world of software must be viewed in shades of grey.
INTRODUCTION TO INSTANT MESSENGER EXPLOIT
A recent and potent Greynet threat has emerged in the form of an Instant Messaging mega-bundle of Adware (another form of Greynet), which our research team has recorded on video [Format: .avi || Running Time 4:47 || Size: 28.1 Megabytes] and from which it also captured traffic logs, in an effort to understand the install process better. This bundle (described on VitalSecurity.org, minus the nail.exe Aurora infection) relies upon an end-user who is trusting enough to click on the infection link generated by an apparently modified IRC Trojan, Poker3.exe. When the infected end-user then uses an Instant Messaging program such as Microsoft's MSN Messenger or AOL's AIM, the Trojan spawns a number of randomly selected messages to the people on that user's contact list, sometimes containing the other user's email address as an enticement, other times merely posting a link like the one below:
Sample: http://dima.n0share.com/career.php [Note: URL now inactive]
Upon clicking the sample link (and it should be noted, the example above is now inactive, though there are reports of other installer sites in the wild), the user inadvertently activates an MS-DOS file called "Career12" which remotely calls a number of Greynet Adware programs onto the end-user's PC. At this time, all of the installer pages found have been suffixed with the word "career", which may be a sufficient clue for the more seasoned end-user to avoid a major infection.
As the video clearly shows, none of the programs display any form of EULA at any time during the installation process, with one exception at the very end of the silent installations: the WebSearch Toolbar (Fig 1.), whose install takes place after the film has finished. The logs show that the install begins at 23:38:46 PM and continues to add new programs to the bundle until it ends at 01:04:03 AM. Some of the programs included in the bundle are:
Media Gateway, 180 Search Assistant, BullsEye Network, Power Scan, ISTbar, Internet optimizer, SideFind, Shop At Home Select, SurfAccuracy and ISTsvc.
Researcher Note: Without a registry monitor running, the end-user would not have been alerted that these files were being added to their machine. Thus the installs were completely in "stealth mode" without the addition of a 3rd party tool to take note of such installations.
WEBPAGE CODE or LACK OF WEBPAGE CODE
Typically with malware installations the user is able to track down the offending web-based code that caused the problem. However, in this case there isn't any code from a web page, making tracking truly problematic and beyond the ability of most users without sophisticated security backgrounds or advanced experience. As this attack is IM (Instant Messenger) based, the MS-DOS file calls the greynet installers directly, and this network activity can be seen in the traffic logs included in the notepad file. Note how much traffic is generated in the course of the install, with the Ysbweb and SideFind files being installed first:
[23:39:01 937]:[URLViewer]http://www.slotch.com/ist/softwares/v4.0/istdownload.exe
[23:39:08 484]:[URLViewer]http://www.ysbweb.com/ist/softwares/addins/sidefind.exe
...closely followed by Internet Optimizer and 180 Search Assistant...
[23:39:23 234]:[URLViewer]http://cdn.climaxbucks.com/internet-optimizer/br/wsi24/optimize.exe
[23:39:51 937]:[URLViewer]http://installs.180solutions.com/downloads/installers/6.9/180sainstallersilsais1.exe
...and numerous other toolbars, desktop icons and instant messaging software such as IMGiant (Fig 2).
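The log excerpts above are the only trace of the install that a user can work from, since no web page code is involved. The following is an added example, not code from the original article or from the researchers, showing how a defender might parse that "[HH:MM:SS ms]:[URLViewer]URL" format and apply two checks the article's observations suggest: flagging a burst of executable downloads from several hosts with nothing user-visible in between, and the author's note that the lure pages seen so far end in "career". The sample log is constructed from the entries quoted above (the fifth line reuses the 180solutions URL mentioned at 23:42:04 with a constructed millisecond field); the thresholds and function names are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log in the article's "[HH:MM:SS ms]:[URLViewer]URL" shape.
# The first four lines are the entries quoted in the article; the fifth reuses
# the 180solutions URL the article mentions at 23:42:04, with a constructed
# millisecond field, so that a non-executable request appears in the data.
SAMPLE_LOG = """\
[23:39:01 937]:[URLViewer]http://www.slotch.com/ist/softwares/v4.0/istdownload.exe
[23:39:08 484]:[URLViewer]http://www.ysbweb.com/ist/softwares/addins/sidefind.exe
[23:39:23 234]:[URLViewer]http://cdn.climaxbucks.com/internet-optimizer/br/wsi24/optimize.exe
[23:39:51 937]:[URLViewer]http://installs.180solutions.com/downloads/installers/6.9/180sainstallersilsais1.exe
[23:42:04 000]:[URLViewer]http://tv.180solutions.com/showme.aspx?keyword=usimmigration+usimmigrationsupport
"""

LINE_RE = re.compile(r"^\[(\d{2}):(\d{2}):(\d{2}) (\d{3})\]:\[([A-Za-z]+)\](\S+)$")
# Assumed set of binary-like suffixes worth flagging; extend as needed.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".cab", ".dll", ".scr")


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, ms, source, url = m.groups()
    parts = urlsplit(url)
    return {
        # The date is arbitrary; only the time of day matters for the window check.
        "time": datetime(2005, 1, 1, int(hh), int(mm), int(ss), int(ms) * 1000),
        "source": source,
        "url": url,
        "host": parts.hostname or "",
        "path": parts.path,
    }


def is_executable_download(path):
    return path.lower().endswith(EXECUTABLE_SUFFIXES)


def analyze(log_text, window_seconds=60):
    """Summarize executable fetches and flag clusters that look like a silent bundle."""
    entries = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    exes = sorted((e for e in entries if is_executable_download(e["path"])),
                  key=lambda e: e["time"])
    # Largest number of executables fetched within any sliding window.
    best = 0
    for i, start in enumerate(exes):
        count = sum(1 for e in exes[i:]
                    if (e["time"] - start["time"]).total_seconds() <= window_seconds)
        best = max(best, count)
    span = (exes[-1]["time"] - exes[0]["time"]).total_seconds() if exes else 0.0
    return {
        "entries": len(entries),
        "executables": [(e["time"].strftime("%H:%M:%S"), e["host"],
                         e["path"].rsplit("/", 1)[-1]) for e in exes],
        "exe_hosts": Counter(e["host"] for e in exes),
        "exe_span_seconds": span,
        "max_exes_in_window": best,
        # Heuristic (assumed thresholds): several binaries from several hosts inside
        # one window, with no user-visible page between them, matches the pattern
        # the article describes.
        "looks_like_silent_bundle": best >= 3 and len({e["host"] for e in exes}) >= 3,
    }


def lure_link_looks_suspicious(url):
    """Apply the article's observation that the installer pages seen so far end in 'career'."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    return name.startswith("career")


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for t, host, name in report["executables"]:
        print(t, host, name)
    print("executables within", report["exe_span_seconds"], "seconds")
    print("silent bundle?", report["looks_like_silent_bundle"])
    print("lure check:", lure_link_looks_suspicious("http://dima.n0share.com/career.php"))
```

On the quoted entries the four binaries arrive within 50 seconds from four different hosts, which the window check reports as a bundle; the "career" check is deliberately narrow, since it only encodes what the author observed at the time and a changed filename would defeat it.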
Also, we find a rather puzzling webpage that opens up near the end of the video - www.usimmigrationsupport.org. This site is mentioned twice in the logfiles, in both cases where something other than the files from the immigration website itself is served up: at 23:41:17 PM (http://xmlsearch.mygeek.com...) and at 23:42:04 (http://tv.180solutions.com/showme.aspx?keyword=usimmigration+usimmigrationsupport).
NOTE ON SITE USIMMIGRATIONSUPPORT.ORG
At first glance it would appear this is a legitimate government-sanctioned site. However, further scrutiny shows this site is known to be operated by a commercial entity and is thus a profit-oriented website. Please note the disclaimer at the bottom of the website in question.
USIMMIGRATIONSUPPORT.ORG Website Disclaimer: This website is not affiliated with the United States Government. We are an independent non-government organization dedicated to help individuals and their families through the U.S. immigration process. We provide up-to-date immigration information and do-it-yourself immigration packages which may save you up to 80% in legal fees.
PRECAUTIONS FOR USERS
This installation (like many of the other major Greynet bundles) relies upon exploiting end-users' trust and willingness to click blindly on an IM link, unaware of the potential danger of what actions might be behind the link. Though IM is a growing focal point of enterprise security, the majority of users would not think twice about clicking a link they thought their friend had sent them on a program such as MSN Messenger. Sadly, like most dangerous bundles in the wild at this moment in time, the only real defence is common sense and a reluctance to click unknown URLs. Of even greater danger is the ability to deploy remote access keyloggers (spyware) through this medium, which can be linked to corporate espionage and identity theft.
FURTHER READING
This variant is currently listed on FaceTime's IMPact Center, which also carries a more detailed PDF document.
This article is copyright 2005 by XBlock.com.
It may not be reprinted or copied without the express written consent of the author.