Using Myspace For Evil

This morning I noticed that I had around 10 new friend requests on MySpace. All of them were spam accounts, and all but 2 have been deleted since then. Since I’m running Linux, I decided to check out what the spammers had in store for me and clicked on some of these accounts. I don’t think any of the malware distributed via MySpace would actually affect a non-Windows machine.

All of these accounts used an absolutely positioned div to block out the actual content and display the following text in the middle of the page:

This profile contains adult content.
CLICK HERE to install MS Viewer.

When you click on the link, different things happen. The first account made me download the following file:

MSpaceContentInstall.exe (md5: 81ec383d21a753df6b5e54ef48aea437)

I ran strings on the binary and got some interesting results. The following DLLs are listed by name in the file:

KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
ole32.dll
SHELL32.dll
USER32.dll
VERSION.dll

Whatever that thing is, it is messing with the kernel and a bunch of integral system libraries, and that can’t be good. I ran a virus scan on it, but stupid ClamAV decided the file was clean. So did the Kaspersky online file scanner. On the other hand, the Virus.org file scanner (which ran the file through an assortment of different engines) gave me much more interesting output:

File: MSpaceContentInstall.exe
SHA-1 Digest: 3a954d79eafe7c0a53bf0ff456218edef23eda96
Packers: Unknown
Status: Infected or Malware
--
ArcaVir Clean
avast! Clean
AVG Anti Virus Clean
BitDefender Generic.Zlob.70EF425F
CAT QuickHeal Clean
ClamAV Clean
Dr. Web Clean
F-PROT Clean
H+BEDV AntiVir DR/Zlob.Gen
Ikarus PSCAN Clean
McAfee Clean
NOD32 Win32/TrojanDownloader.Zlob.ARX trojan
Norman Control Zlob.ACUZ
Panda Clean
Sophos Sweep Clean
Trend Micro Clean
VBA32 MalwareScope.Downloader.Zlob.1
VirusBuster 05 Clean

Only 5 out of 18 AV tools labeled that file as the Zlob Trojan. I had a similar result when using the Jotti Online Scanner as well: 4 out of 15 engines labeled it as malicious. It’s surprising how the popular and well-respected scanners out there (McAfee, AVG, Avast, TrendMicro, ClamAV) failed to detect anything, while more obscure ones did. I had never even heard of H+BEDV AntiVir or Norman Virus Control. :P

The other page linked from one of those profiles was even more interesting:

CAPTCHA Killer

It’s an automated CAPTCHA solver using human input. It is much more efficient than fucking around with OCR. Instead of wasting CPU cycles running complex feature-extraction algorithms, you can just use the hordes of horny idiots who want to see some MySpace n00dz. I knew these things existed, but this is the first time I actually saw one of them in action. Very interesting setup.

If you look closely at the screenshot, you will see that the image actually comes from the MySpace registration form. Or at least that’s what it looks like. So the codes that you input at the prompt are used to create new accounts that can be used for more spamming. It’s quite brilliant actually: you set it up once, and given enough traffic this thing could run forever. Deleting these accounts won’t help, since you will most likely get 3-4 new accounts from each “hit” (i.e. an average dumbass who falls for this scam will likely try to type in the CAPTCHA 3-4 times before he gets bored or realizes he is being fucked with).

This is a serious design flaw. When you allow your users to inject HTML and CSS into your page, you are asking for trouble. Stripping JavaScript, iframes and such will not help, because these guys are not using any. They are using the standard mundane tricks that everyone else abuses to “beautify” their profiles.
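As an added example (not code from this post), here is a Python allow-list sanitizer for user-supplied profile markup along the lines the post argues for: it keeps a handful of harmless tags and filters inline style down to presentation properties, so an absolutely positioned full-page block of the kind described above cannot survive. The sample snippet is constructed, and the tag and property lists are my own assumptions about what a profile needs.

```python
# Added example (not the post's code): allow-list sanitizer for profile HTML/CSS.
from html import escape
from html.parser import HTMLParser
ALLOWED_TAGS = {"p", "b", "i", "u", "a", "br", "div", "span", "img", "ul", "li"}
VOID_TAGS, URL_ATTRS = {"br", "img"}, {"a": {"href"}, "img": {"src"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
ALLOWED_CSS = {"color", "background-color", "font-family", "font-size", "font-weight",
               "text-align", "border", "padding", "margin"}  # no position/offset/z-index

def sanitize_style(style):
    kept = []  # keep allow-listed properties only; refuse url()/expression()/CSS escapes
    for decl in filter(lambda d: ":" in d, style.split(";")):
        prop, value = (part.strip().lower() for part in decl.split(":", 1))
        if prop in ALLOWED_CSS and not any(b in value for b in ("url(", "expression", "\\")):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside script/style/iframe/...
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tags are stripped; their text content survives
        rendered = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name == "style":
                value = sanitize_style(value)
            elif name not in URL_ATTRS.get(tag, ()) or not value.lower().startswith(("http://", "https://")):
                continue
            if value:
                rendered.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT and self.skip:
            self.skip -= 1
        elif not self.skip and tag in ALLOWED_TAGS - VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize_profile(html):
    parser = ProfileSanitizer(); parser.feed(html); parser.close()
    return "".join(parser.out)

# Constructed sample modelled on the overlay described above (not a real profile).
SAMPLE = ('<div style="position:absolute; top:0; left:0; width:100%; height:100%; z-index:9999;'
          ' background-color:#fff">CLICK HERE <a href="http://example.invalid/v">viewer</a></div>')
```

Run sanitize_profile(SAMPLE) and the div comes back with only its background colour, so it renders inline instead of covering the page.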

Note how Facebook does not have this problem. This is the difference between good design, and an ugly hack from hell.

[tags]myspace, myspace spam, myspace mallware, MSpaceContentInstall.exe, captcha, zlob, trojan[/tags]

18 Responses to Using Myspace For Evil

  1. Starhawk says:

    Yeah I get a lot of those friend requests too, I suppose it’s all a part of the myspace experience. By the way my friend there, LoLo has an interesting Blog on this form of myspace evil, see his blog MySpace Plugins: The lamest attempt at spreading a payload of evilness ever. Actually LoLo is good for his blogs trying to educate the simple-minded on the myspace scams and other stupid shit there.

    It’s interesting that several well respected AVs failed to catch this trojan, after all I recommend AVG as well as Avast to basically everyone. However I already noticed many AVs fail to catch a lot of trojans, after all a trojan is not precisely a Virus. Of course most AVs claim to also catch trojans but you certainly proved they are not too reliable at that. haha.

    Perhaps a program designed specifically for trojans would be better??

    but ya got to admit both of these examples are clearly successful scams, ya know. haha!!

  2. Luke says:

    I think this is a somewhat improved version of the same scam that LoLo talked about.

    Hey, speaking of AV – do you also have an issue with ClamAv on Ubuntu?

    When I run freshclam I get a warning message telling me that my ClamAv installation is out of date.

    Apt on the other hand tells me that the package is up-to-date. In other words, the ClamAv version in repositories < current ClamAv release. This is stupid!

    I tried pulling it from the debian repositories but there are dependency conflicts. It seems that the deb binary was compiled against a subset of libraries that is not shared by Ubuntu. :(

  3. skaterguy says:

    that was a very very entertaining read..

  4. Starhawk says:

    Sorry I installed Avast! antivirus instead of ClamAv. I’ve been using Avast in windows and decided to try their Linux version for a while. Might change it later. I did try to install ClamAv initially but had some kind of problems. I think I also got it from the debian repositories since what was in the standard Ubuntu packages seemed out of date to me for some reason. Sorry I forgot the details I’ve been installing a lot of software and occasionally removing some of it if I don’t like it or it wasn’t exactly what I was looking for. Being somewhat new to all of this I haven’t always known exactly what I was doing either and ran into a few dependency problems and the like. Most of it worked like a charm tho, and I definitely Love this OS and it feels like I have a new machine. haha

  5. Luke says:

    So how is Avast working on linux? Any good?

    I think my version of ClamAv was just there – it might have been on the system out of the box. I just don’t remember installing it, but it’s possible that I did it long time ago.

  6. Starhawk says:

    Avast seems to be working ok. It is an on-demand kind of thing and much more primitive than the windows version. They need to work on it, but at least they have a linux version. As far as I can tell it does not provide a service for integrated e-mail scans, as apparently ClamAv does.

    My main gripe with Avast aside from the e-mail scan thing is a problem it has with fonts. I changed my desktop theme and the font size for applications. I made that font size as small as possible, I have a wide screen monitor and more resolution than I need. All the apps I regularly use looked fine to me except for Avast and it was completely unreadable. I actually thought something was wrong with avast because I noticed the problem several days after I changed the font size. But it eventually dawned on me to increase the font size as the program was working just look like shit and ya couldn’t read the menus and messages and stuff. Later I looked around some forums and others have had the same problem.

    Thinking about it now I suppose one could use ClamAv’s daemon to scan incoming mail along with Avast. Hmm, goes against what I tell people in Windows: Not to run several AVs at the same time. Tho that advice is really for AVs which run in the background, as I also keep a F-Prot for DOS around on some of my machines. I actually run it now and then too for the hell of it. Tho if I do that run the clamav-daemon I may as well just use ClamAv.

    Anyway I think you are right on ClamAv 0.88 being included with Ubuntu, I remember removing it now. I did however try to install it from the debian packages ClamAv 0.90 because I also like to use the most current version of a program, sometimes it pays to as bugs are worked out and then again sometimes its a bad idea as new bugs are introduced. lol But anyway I had some kind of problem and gave up on it. Put it on my list of shit to figure out later as I had other things I needed to do then.

    But honestly it’s been over 4 years since I had a virus on any of my machines and those were windows machines. I usually don’t worry about it as I seldom do anything dangerous enough to get infected. In linux it seems I have even less to worry about :)

  7. Luke says:

    I installed BitDefender today. It’s not in the repositories, but the deb package you can download from their website works just fine. Just do:

    wget http://download.bitdefender.com/unices/old/linux/free/bitdefender-cons ole/en/BitDefender-Console-Antivirus-7.1-3.linux-gcc3x.i586.deb
    dpkg -i BitDefender-Console-Antivirus-7.1-3.linux-gcc3x.i586.deb
    bcd --update

    And you have a working virus scan. It detected the Zlob when I did:

    bcd MSpaceContentInstall.exe --arch

    Note – it is also an on-demand scanner.

  8. Starhawk says:

    Thanks for the tip, I installed it. For whatever reason the wget statement couldn’t find the file but clicking on it and saving to my HD worked fine. The bcd --update must be a typo as it should be bdc --update. Same goes for the bcd MSpaceContentInstall.exe --arch statement. Gotta love Google!! lmao

  9. Luke says:

    Yep bcd should be bdc. Typo.

    The wget statement has a space in the URL somewhere that should not be there – it is there to break the line into two parts. When you copy and paste it you need to take out that space. :)

  10. Starhawk says:

    Yeah I figured the URL had a line break in it, it seemed to look ok in the terminal tho. And btw I meant to also say I had to do the dpkg thing as a super user, permissions and all ya know. Still getting used to the whole permission super security thing. Used to being the master of my machine. haha. Been thinking of putting a launcher on my desktop that executes gksudo nautilus and calling it God but I know it’s a really idea so I’ve been resisting that temptation.

  11. Starhawk says:

    bad idea i meant!

  12. Luke says:

    Yeah, dpkg must be done as root. Same as apt, and etc. ;)

    I like the separation – keeps me from messing up my machine. I have a shortcut on my task bar that launches a root shell for me – it has a different color than the normal terminal. That’s where I do all my root related stuff.

  13. doctorpc says:

    Nice article, I especially like the links you added to some great tools out there for anti-virus. I’ve been getting hit like crazy with this scam. I’m gonna put a short blog up with a link to this article. Aloha!

  14. Luke says:

    Thanks. :)

  15. Randa says:

    How do you delete mspacecontentinstall.exe? It won’t let me delete it. I tried changing the attribute; it won’t let me do that either. WTF!!!! And Bitdefender keeps recognizing it as a virus that it BLOCKED thank God. But I can’t delete it. Please help.

  16. Luke says:

    Randa, I would recommend doing the following. Go to the following sites, print out the removal instructions, and download any relevant software they are asking for:

    1. Spyware Strike Removal
    2. SpyAxe Removal
    3. Zlob Removal

    Reboot into safe mode, and follow the instructions.

    Also see here and here.

  17. Pingback: Terminally Incoherent » Blog Archive » How do you deal with comment spam?

  18. Ozloblenka says:

    Zlob and Virtumonde to me seem creations of one and the same team of cyber criminals. I call them “kings of trojans” on the web. Both threats seem to be prone to standard PC security normally found on OEM computers and laptops. With enterprise networks, it might be easier to defeat these trojans thanks to hardware protection, but in home conditions they easily break common antivirus suites.
