In the morning today I noticed that I got around 10 new friend requests on MySpace. All of them were spam accounts and all but 2 have been deleted since then. Since I’m running Linux I decided to check out what the spammers have in store for me and I clicked on some of these accounts. I don’t think any of the mallware distributed via MySpace would actually affect a non-windows machine.
All of thes accounts used an absolutely positioned div to block out the actual content and display the following text in the middle of the page:
This profile contains adult content.
CLICK HERE to install MS Viewer.
When you click on the link different things happen. Firs account made me download the following file:
MSpaceContentInstall.exe (md5: 81ec383d21a753df6b5e54ef48aea437)
I ran strings on the binary and got some interesting results. Following DLL’s are listed by name in the file:
Whatever that thing is, it is messing with the kernel and bunch of integral system libraries and that can’t be good. I ran a virus scan on it, but stupid clamav decided the file was clean. So did Kaspersky online file scanner. On the other hand the Virus.org file scanner (which ran the file through assortment of different engines) gave me much more interesting output:
SHA-1 Digest: 3a954d79eafe7c0a53bf0ff456218edef23eda96
Status: Infected or Malware
AVG Anti Virus Clean
CAT QuickHeal Clean
Dr. Web Clean
H+BEDV AntiVir DR/Zlob.Gen
Ikarus PSCAN Clean
NOD32 Win32/TrojanDownloader.Zlob.ARX trojan
Norman Control Zlob.ACUZ
Sophos Sweep Clean
Trend Micro Clean
VirusBuster 05 Clean
Only 5 out of 18 AV tools labeled that file as the Zlob Trojan. I had a similar result when using Jotti Online Scanner as well: 4 our of 15 engines labeled it as malicious. It’s surprising how the popular and well respected scanners out there (McAfee, AVG, Avast, TrendMicro, ClamAV) failed to detect anything, while more obscure ones did. I never even heard of H+BEDV AntiVir or Norman Virus Control. :P
The other page linked from one of those profiles was even more interesting:
It’s an automated CAPTCHA solver using human input. It is much more efficient than fucking around with OCR. Instead of wasting CPU cycles running complex feature extraction algorithms, you can just use the hordes of horny idiots who want to see some MySpace n00dz. I knew these things existed but this is the first time I actually saw one of them in action. Very interesting setup.
If you look closely at the image the screenshot, you will see that it actually comes from MySpace registration form. Ot at least that’s what it looks like. So the codes that you inptut at the prompt are used to create new accounts that could be used for more spamming. It’s quite brilliant actually – you set it up once, and given enough traffic this thing could run forever. Deleting these accounts won’t help – since you will most likely get 3-4 new accounts from each “hit” (ie. an average dumbass who falls for this scam will likely try to type in the CAPTCHA 3-4 times before he gets bored, or realizes he is being fucked with).
Note how Facebook does not have this problem. This is the difference between good design, and an ugly hack from hell.
[tags]myspace, myspace spam, myspace mallware, MSpaceContentInstall.exe, captcha, zlob, trojan[/tags]