ISC reader Ng Keng Lim shared with us a malware specimen that poses as Windows Live Messenger. The messenger attempts to steal the victim's Windows Live logon credentials by capturing them, saving them to a local text file, and emailing them to the attacker. It is available as a free download from the author's website.
www.malwareauthorwebsite.comThe "www.malwareauthorwebsite.com" website is not the real address--I didn't want to specify it here--but you get the idea. This is just one of the places where the author reminds the victim or the user of the program's origins. When the victim attempts to exit the fake Windows Live Messenger, a browser window pops up, loading the program author's website.
I came across a forum discussion where the participants were warning each other about this malware specimen. The supposed author of the program commented as well, stating that he or she was the creator of this program: "you can come take a look at my site." The comment also included the person's alias, which is probably an attempt to build a reputation for him or herself.
The person's website distributes the program as a free download. The potential attacker can customize it by entering the secret password in the field where the victim would type his or her Windows Live email address. This brings up the screens with the following options to adjust the behavior of the program:
Customization screens allow the attacker to select the name of the file where the passwords are stored, modify the password used to get to the customization screens, select the email address where to send harvested logon credentials, and so on. The options menu is another place where the program's author includes a link to his or her website.
Several versions of the malicious program have been released. The file that represents the current version has the following properties:
Size: 1513472 bytesNone of the anti-virus vendors I checked currently detect the latest version of program as malicious, although Sophos includes a brief description on its website, calling it Troj/Msnfake-M.
InfoSec Practice Leader
Gemini Systems, LLC
Jan 26th 2007
Jan 26th 2007
1 decade ago