ISC reader Ng Keng Lim shared with us a malware specimen that poses as Windows Live Messenger. The messenger attempts to steal the victim's Windows Live logon credentials by capturing them, saving them to a local text file, and emailing them to the attacker. It is available as a free download from the author's website.

The most interesting aspect of this specimen is not its functionality per se, but its purpose. As far as I can tell, its main goal is to bring attention to its author's website, probably to generate ad revenue or to use the site for launching browser-based attacks.

When launched, the program presents a standard login screen that users of Windows Live Messenger are accustomed to seeing. When the user attempts to log on, the program writes the credential to a local file. By default, this file is called "pas.txt" and is placed in the root of  the C: drive. Its contents look like this:

www.malwareauthorwebsite.com
Username: victim@example.com
Password: password1
www.malwareauthorwebsite.com

The "www.malwareauthorwebsite.com" website is not the real address--I didn't want to specify it here--but you get the idea. This is just one of the places where the author reminds the victim or the user of the program's origins. When the victim attempts to exit the fake Windows Live Messenger, a browser window pops up, loading the program author's website.

I came across a forum discussion where the participants were warning each other about this malware specimen. The supposed author of the program commented as well, stating that he or she was the creator of this program: "you can come take a look at my site." The comment also included the person's alias, which is probably an attempt to build a reputation for him or herself.

The person's website distributes the program as a free download. The potential attacker can customize it by entering the secret password in the field where the victim would type his or her Windows Live email address. This brings up the screens with the following options to adjust the behavior of the program:


Customization screens allow the attacker to select the name of the file where the passwords are stored, modify the password used to get to the customization screens, select the email address where to send harvested logon credentials, and so on. The options menu is another place where the program's author includes a link to his or her website.

Several versions of the malicious program have been released. The file that represents the current version has the following properties:

Size: 1513472 bytes
MD5 hash: a7a75a56b4b960c8532c37d3c705f88f
SHA1 hash: e69d26db431e383131826fab5db213559ee68814

None of the anti-virus vendors I checked currently detect the latest version of program as malicious, although Sophos includes a brief description on its website, calling it Troj/Msnfake-M.

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC
www.zeltser.com