MSN is not the only IM threat

You have surely read on the Internet that MSN Messenger nowadays brings several IT risks when it is used (even if forbidden) in a professional environment. Many articles deal with the virus threat that could reach your information system through MSN.
A few leading companies in proxy filtering, such as BlueCoat, have also implemented solutions to filter IM conversations (by keyword), transferred documents and infected objects, and even to block outgoing communications on demand (while they may be allowed locally).
It is certainly true that MSN Messenger is the best-known IM software at the moment, at least in Europe and in the USA. But it is not the only one. ICQ is older than MSN, but it still works and, above all, is still being used, for example in Eastern Europe.
This story is about what happened with the ICQ account I kept in order to watch the threats it might be used to spread.
I recently logged on again with this ICQ account. At night, I received a message from a Russian contact of mine. The message was not readable (see screenshot: http://accel6.mettre-put-idata.over-blog.com/2/09/43/04/Captures/VX/vkontakte/ICQ_vkontakte_tr.im_imerto_180609.png), while it usually works well enough to talk (thanks to ASCII characters).
This message also contained a link to a website. Because I was using a hardened Linux platform, I tried the trap out. The link opened in my browser and automatically redirected me to a blank web page, but with an automatic file download.
Note first that ClamAV was enabled as a filtering layer of my local proxy, HAVP, but did not detect anything.
So there was this executable, "imert.exe", on my desktop, which I obviously could not run on Linux, but I was curious about it.
I then sent it to www.virustotal.com, and was astonished to see that only very few AV engines actually detected it
(cf. http://www.virustotal.com/fr/analisis/e44f9eaa1e33c167e973bc726bd6779223a0c19fae8954d96c5c59b955c06e1b-1244674207 ).
Because this malicious software might use VM detection and protection, which would complicate my analysis, I decided to send it to ThreatExpert.
And there was the real surprise. The report (see http://www.threatexpert.com/report.aspx?md5=1a155819851c1858d9fede9cf230d179) proved that the binary in fact attempts to modify the local hosts file, mapping several Internet domains to a single IP address, as follows:
The HOSTS file was updated with the following URL-to-IP mappings:
220.225.200.15 forex.vkontakte.ru
220.225.200.15 farmer.vkontakte.ru
220.225.200.15 vkontakte.ru
220.225.200.15 vkontakte.com
220.225.200.15 www.vkontakte.com
220.225.200.15 www.vkontakte.ru
220.225.200.15 www.farmer.vkontakte.ru
220.225.200.15 durov.vkontakte.ru
I found that strange, and it made me think I should also check the domains mentioned in the report.
My intuition was right: the real target of this malicious campaign is in fact the domains that are injected within the local host file.
As proof, here is what I get on the command line (on Vista):
C:\Users\Phil>nslookup
Default server : resolver1.opendns.com
Address: 208.67.222.222
> www.vkontakte.ru
Server : resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name : www.vkontakte.ru
Addresses: 93.186.227.123
93.186.227.124
93.186.227.125
93.186.227.126
93.186.227.129
93.186.227.130
93.186.224.233
93.186.224.234
93.186.224.235
93.186.224.236
93.186.224.237
93.186.224.238
93.186.224.239
93.186.225.6
93.186.225.211
93.186.225.212
93.186.226.4
93.186.226.5
93.186.226.129
93.186.226.130
It is then very clear that infected computers will not connect to the right IP when users type www.vkontakte.ru into their web browser, since the IP address specified in the local hosts file (220.225.200.15) takes priority over external DNS name resolution.
This attack is called DNS pharming (see http://www.consumerfraudreporting.org/pharming.php). Even if people detect and kill the executable running in memory, they also have to check their hosts file for tampering. If the antivirus software neither blocked this proactively nor fixed it during disinfection, the attack remains effective.
The other domains injected into the local hosts file are redirected the same way, while their legitimate IP addresses are:
> durov.vkontakte.ru
Serveur : resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name : durov.vkontakte.ru
Addresses: 93.186.226.129
93.186.226.130
93.186.227.123
93.186.227.124
93.186.227.125
93.186.227.126
93.186.227.129
93.186.227.130
93.186.224.233
93.186.224.234
93.186.224.235
93.186.224.236
93.186.224.237
93.186.224.238
93.186.224.239
93.186.225.6
93.186.225.211
93.186.225.212
93.186.226.4
93.186.226.5
> forex.vkontakte.ru
Server : resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name : forex.vkontakte.ru
Addresses: 93.186.226.5
93.186.226.129
93.186.226.130
93.186.227.123
93.186.227.124
93.186.227.125
93.186.227.126
93.186.227.129
93.186.227.130
93.186.224.233
93.186.224.234
93.186.224.235
93.186.224.236
93.186.224.237
93.186.224.238
93.186.224.239
93.186.225.6
93.186.225.211
93.186.225.212
93.186.226.4
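The hosts-file check recommended above can be automated. The following is an added example, not code from the original article: it parses a hosts file, flags public hostnames pinned to a globally routable address, and compares each pin with the addresses a trusted resolver is known to return. The sample hosts content is constructed for this example (benign entries plus the mappings from the ThreatExpert report); the trusted address table reuses a subset of the nslookup answers quoted above, and the "local" name suffixes are an assumption about what a managed machine legitimately pins.

```python
"""Detect hosts-file pharming of the kind described in the article.

Added example, not the article's code. The sample hosts content is
constructed; TRUSTED_ANSWERS reuses a subset of the article's nslookup
output (in a real check it would come from querying a trusted resolver).
"""
import ipaddress

# Constructed sample: benign entries plus the mappings ThreatExpert reported.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.local   # internal pin, expected on managed PCs
220.225.200.15 forex.vkontakte.ru
220.225.200.15 farmer.vkontakte.ru
220.225.200.15 vkontakte.ru
220.225.200.15 vkontakte.com
220.225.200.15 www.vkontakte.com
220.225.200.15 www.vkontakte.ru
220.225.200.15 www.farmer.vkontakte.ru
220.225.200.15 durov.vkontakte.ru
"""

# Subset of the addresses resolver1.opendns.com returned in the article.
TRUSTED_ANSWERS = {
    "www.vkontakte.ru": {"93.186.227.123", "93.186.227.124", "93.186.224.233"},
    "durov.vkontakte.ru": {"93.186.226.129", "93.186.226.130", "93.186.227.123"},
    "forex.vkontakte.ru": {"93.186.226.5", "93.186.226.129", "93.186.227.123"},
}

# Assumed conventions for names that never need DNS on a managed machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
LOCAL_SUFFIXES = (".local", ".localdomain", ".internal", ".lan")


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per alias; comments, blank and malformed lines skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()                  # tabs and runs of spaces both work
        ip, aliases = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # first field is not an address
        for name in aliases:
            pairs.append((ip, name.lower().rstrip(".")))
    return pairs


def is_local_name(name):
    """Names that legitimately live in a hosts file and are not resolved via DNS."""
    return name in LOCAL_NAMES or name.endswith(LOCAL_SUFFIXES) or "." not in name


def suspicious_entries(pairs):
    """Public hostnames pinned to a globally routable address; loopback,
    unspecified, private and link-local targets are what a clean file contains."""
    out = []
    for ip, name in pairs:
        addr = ipaddress.ip_address(ip)
        if is_local_name(name) or addr.is_loopback or addr.is_unspecified:
            continue
        if addr.is_private or addr.is_link_local:
            continue
        out.append((ip, name))
    return out


def pharming_findings(pairs, trusted):
    """Label each suspicious pin 'match', 'mismatch' or 'unverified' against trusted answers."""
    findings = []
    for ip, name in suspicious_entries(pairs):
        if name not in trusted:
            verdict = "unverified"
        elif ip in trusted[name]:
            verdict = "match"
        else:
            verdict = "mismatch"
        findings.append((name, ip, verdict))
    return findings


def hijack_targets(findings):
    """Group mismatching names by the address they now point to: one address
    sinkholing many unrelated names is the signature seen in the report."""
    by_ip = {}
    for name, ip, verdict in findings:
        if verdict == "mismatch":
            by_ip.setdefault(ip, []).append(name)
    return by_ip


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    results = pharming_findings(entries, TRUSTED_ANSWERS)
    for name, ip, verdict in results:
        print(f"{verdict:10s} {name} -> {ip}")
    for ip, names in hijack_targets(results).items():
        print(f"\n{ip} captures {len(names)} verified public name(s): {', '.join(names)}")
```

The "unverified" verdict matters in practice: any public name pinned in a hosts file deserves a lookup against a resolver you trust, and a cleanup that only kills the running process and leaves these lines in place, as the text notes, leaves the redirection active.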
You may then say that I did not give details about the website targeted by this attack. Right: it appears to be something like the Russian equivalent of Facebook. You may indeed notice the similarities in the way they were designed... (see screenshot and compare to: http://vkontakte.ru)
It may also be worth pointing out that the malicious IP address (220.225.200.15) appears to be hosted in India, and has a bad "security reputation" according to Netcraft (cf. http://toolbar.netcraft.com/site_report?url=http://220.225.200.15)
To finish with the attack platform: you may already have noticed that if you just type the malicious IP address into your web browser, you reach each time a web page that looks like the real www.vkontakte.ru and that directly asks for your user credentials.
One may suppose that the motivations behind this malicious campaign are credential theft, in order to spread unsolicited messages inside the Vkontakte network itself, spy on people, or even sell stolen identity data.
To conclude, it appears once again that people should not underestimate the ability of malicious software to spread. They should also keep in mind that the bad guys will use any channel that looks friendly and attractive to the user to compromise their computer (and then gain access to the company's information system). IM is certainly a good example of that.
In response to this kind of IT risk, it is the mission of the computer security staff to protect IT users, even against threats they are not aware of, and to take into account anything an ordinary user could try on their computer that could lead to infection.
Posted on 12 July 2009 by Philippe VIALLE
- source: Grandes Oreilles