Posted on: March 31, 2009 by: admin
Yesterday we came across something we haven’t seen before: a fake Instant Messaging program used to share stolen data with the masses via the wonders of FTP. Let’s begin by introducing iMess.

As you can see, there are two parts to this: the iMess application that steals your MSN login, and “HQ”, the file that lets you grab said stolen data. This is what the iMess program loading screen looks like when fired up, rather humorously using what appear to be ripped versions of Smilies from the ASK range of products, along with a list of “features” such as “Anti Block System” and “Hundreds of skins”.

It’s all very slick, and designed to set the end-user at rest. No scam looks that professional, surely? Well, actually… whoops, it does. Note that it’s called iMess2; no idea what happened to the first one, but perhaps that’s another confidence trick. At any rate, if you enter your login details, you’ll see that staple of rogue applications: the fake error message.

While this is taking place, it’s probably a good time to crack open the code and see what’s going on. Did your MSN login details just get sent to an FTP server in the Netherlands? I think they did. Want to see where they end up? Sure you do! Time to fire up the “HQ” program, which is used as nothing less than a communal sharing zone for stolen logins. Put simply, if you run HQ, you can see ALL of the stolen logins obtained around the world and sent to the FTP server. “HQ” stands (appropriately enough) for “Headquarters”.

First you’ll see the below, a splash page of sorts, telling you the last time the stolen data was “cleaned” (i.e. tidied up), with two buttons, “Contact” and “Accounts”. It’s the accounts we’re interested in. As you can see above, there are a number of buttons across the top. Simply hit “Connect” to connect to the FTP server, then hit “Get list” and all of the accounts stolen via this program are displayed in the bottom panel.
If you want the password for any of the accounts, left click one, then press “Show” and… the login details are yours for the taking. From there, the stolen logins can be used to send spam or infection links via those accounts, or to dip into emails that use the same logins (harvesting any additional data / logins stored inside); the choice is the attacker’s. It’s a common theme of phishing scams (for example) that a ringleader effectively orders the troops to go out and phish under the illusion they get something at the end of it, when in reality the person at the top of the chain keeps all the data. Here, we have a bizarre example of using rather slick faked IM technology to share stolen data with the masses “for the greater good” (in the loosest sense of the phrase, of course; there’s nothing particularly “good” about this). Hang onto your MSN login details and avoid this program.
Continue here: iMess - Sharing IM Logins With The World
Posted on: March 30, 2009 by: admin
Over the last week or two, we’ve seen a couple of Botnets running infection files we haven’t come across before. With a little further research, we discovered the tool used to create these Botnets, and were able to learn a little more about these new nets.

The SOL Botnet system allows you to control up to 100 drones at a time, and (as you’ll see) uses UDP to perform DDoS attacks against a target of your choosing. In addition, there are paid-for versions (so far unreleased) that supposedly allow control of up to 200 drones at a time, Windows XP product key theft, “huge bandwidth attacks” through image spamming and “lifetime support”. Nice.

Shall we take a look at the SOL Botnet creation tool? Let’s start by grabbing a snapshot of what our budding Botnet builder will see on their desktop. I guess they’re supposed to be circuit boards or something; it almost reminds me of Tron. As with most hacking related creation tools these days, the emphasis is on being idiot proof and easy to use. Owning a Botnet has never been simpler: just fire up the Builder, and… easy as pie. Enter the IP address you want your rogue executable to connect to (usually this would be your own IP address via a service like no-ip, so you can control your drones) and your file pops into life with yet another funky looking icon.

Let’s look inside the code. Note the fake error message in the first line, and the wonderfully charming “you got owned” message further down (with nifty swear word removed). As you can see, “Winservice.exe” is going to end up in the System32 folder, assuming the victim can be convinced to run the file (which usually isn’t too hard). This is the fake error message our unwilling Botnet participant will see if they run the file, and here’s the “Winservice” file, now resident and active in the System32 folder. At this point, we move back to the attacker, who has fired up the Admin console.
Note our test drone is now connected to the person controlling the Botnet. Simply enter the IP address of your target, hit “send” and… the attack is underway, ending (logically enough) when you hit the “Stop” button.

Compiled on 15/03/09, this is probably the most straightforward Botnet creation tool we’ve seen; I imagine there’ll be quite a few SOL nets out there over the coming weeks / months. Even so, there are a few drawbacks for wannabe net owners, specifically having to register a number of files in order to run the Admin console. It might not sound like much, but you’d be surprised how many leet kids give up their life of E-Crime when faced with an array of .OCX files and Windows directories. Thank goodness…
See the original post:
The SOL Botnet(s)
Posted on: March 28, 2009 by: admin
We’re seeing a wave of Steam related phish scams at the moment. Most (if not all) look something like this: ah, the promise of free games. When have you ever let a phisher down? The domains being used in this scam are:
steampoweredgifts.my3gb.com
steamscommunity.co.cc
gift-steampowered.co.cc
steam-acitvation.co.cc
steamrecommunity.co.cc
mysteamcommunity.co.cc
wtmail.free.fr/steam
games4steam.tk
If / when we come across others, we’ll add them to the above list. Quite a few have gone offline already, only to come back to life, so it might be a while before all of the above are completely DOA…
More here: Steamy Phishing
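The domains above all trade on the brand name while sitting on throwaway registrations. This added example (not from the original post) shows one way a defender can triage such names automatically: it extracts the registrable domain, checks it against an assumed allowlist of the brand’s real domains, and flags anything else that mentions the brand in the hostname or path or whose label closely resembles a legitimate one. The allowlist, the hand-picked suffix list and the similarity threshold are all assumptions.

```python
from difflib import SequenceMatcher
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumed allowlist of the brand's real registrable domains.
LEGIT_DOMAINS = {"steampowered.com", "steamcommunity.com"}
BRAND_TOKEN = "steam"
# Hand-picked multi-label suffixes from the list in the post, treated like TLDs
# so "steamscommunity.co.cc" is kept whole rather than collapsing to "co.cc".
# Assumption: a stand-in for a full public-suffix list.
MULTI_LABEL_SUFFIXES = {"co.cc", "my3gb.com", "free.fr"}
SIMILARITY_THRESHOLD = 0.8  # assumed cut-off for near-miss labels


def split_url(url: str) -> Tuple[str, str]:
    """Return (host, path) for either a bare 'host/path' or a full URL."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or ""), parts.path


def registrable_domain(host: str) -> str:
    """Last two labels, or three when the tail is a known multi-label suffix."""
    labels = host.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def classify(url: str) -> Tuple[str, bool, str]:
    """Return (registrable_domain, is_lookalike, reason) for one URL."""
    host, path = split_url(url)
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return reg, False, "allowlisted"
    if BRAND_TOKEN in host.lower():
        return reg, True, "brand keyword in hostname"
    if BRAND_TOKEN in path.lower():  # e.g. a free host with a /steam page
        return reg, True, "brand keyword in path on a non-brand domain"
    label = reg.split(".")[0]
    for legit in LEGIT_DOMAINS:
        if SequenceMatcher(None, label, legit.split(".")[0]).ratio() >= SIMILARITY_THRESHOLD:
            return reg, True, "label resembles " + legit
    return reg, False, "no brand reference"


def lookalikes(urls: List[str]) -> List[str]:
    """Subset of urls that the check flags."""
    return [u for u in urls if classify(u)[1]]


# Constructed input: the eight names from the post, two real Steam URLs,
# one constructed near-miss spelling and one unrelated control.
SAMPLE = ["steampoweredgifts.my3gb.com", "steamscommunity.co.cc",
          "gift-steampowered.co.cc", "steam-acitvation.co.cc",
          "steamrecommunity.co.cc", "mysteamcommunity.co.cc",
          "wtmail.free.fr/steam", "games4steam.tk",
          "store.steampowered.com", "steamcommunity.com/id/someone",
          "stearnpowered.com", "example.com"]
```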
Posted on: March 27, 2009 by: admin
Someone has created a couple of fake applications currently in the wild, both made to look like legitimate chat programs. They’re pretty convincing. We’ve seen these kinds of scams before, and as with those programs, when the victim enters their details they’re stored locally on the PC (in this case in Settings.ini) for the attacker to collect. Though this means physical access to the PC is required (think net cafe scammers hawking around unsecured PCs), for around $5 you can buy an upgraded version which sends the stolen data to an FTP server. Okay, I hear you cry: how do we spot these particular nasties? Well, it seems vanity has got the better of the creator. They just couldn’t resist putting in a “hidden” about page that tells you who made them, presumably for bragging rights on forums. This works great for us, especially as I do so enjoy randomly clicking around on the surface of rogue programs just in case something amazing pops up. As luck would have it… Thanks, vain hacker type person. Obviously, this will only work where you’re presented with a PC running either of the above, but it’s better than nothing…
Read the rest here:
Fake Google Talk / AIM Programs, And How To Spot Them
Posted on: March 26, 2009 by: admin
There’s an old technique in certain forms of martial arts: when confronted by an attacker, just before they start to throw the first punch, you distract them with something utterly stupid. It could be a silly noise, or you might waggle your arm to the side while pulling a face; it doesn’t matter. The stupider the better, since it’s just there to make them wonder what on earth is happening shortly before you put them through a window and run away as fast as you can. Well, same deal here.

Today we came across a program designed to do nothing at all. No hijack, no contacting a server, no files dropped, no registry entries, no staying in memory… nothing. What is it used for? Distraction. And lots of it. There is a video currently in circulation on sites such as YouTube, promoting something called LiveGrabber. The program looks amazing, gives you all kinds of free things, hands you free accounts for the paid Xbox Live service and so on. All done by pushing a few buttons. Here are some pics lifted directly from one of the videos. Told you it was nice looking.

However, the gimmick here rolls into town exactly six seconds into the video: “New update available: it will no longer have an interface. It will run silent in the background - when opened you must visit the website to redeem”. Yes, the NEW version is completely invisible and runs “silently” (extremely silently!), only giving you lots of free things if you visit the website promoted in the video and enter your own Live login details. Doh.

While we’ve seen fake programs before, usually they either refuse to work, drop infection files or give out fake error messages. This is the first time we’ve seen someone create an extremely slick looking interface for a YouTube video, then reduce it to nothing and pretend it’s “doing something in the background”. It seems the original version available to download did the usual “fake error message” routine, but the author grew tired of trying to explain away fake error messages.
What could be better than telling people it now runs silently in the background? At any rate, based on the comments left on the creator’s YouTube page, it seems it’s enough of a distraction to get people to hand over their login details to lancergrabber.tk. Did I say “user comments”? I sure did. I’ll leave you with the thoughts of some people soon to be parted from their Live ID login credentials… Yes. Of course it does…!
Read more here:
LiveGrabber And The Art Of Distraction
Posted on: by: admin
About Scanvistanow.com hijacker
Scanvistanow.com is an essential part of a malware advertisement. There are thousands of misleading ad banners and links at numerous websites leading your browser to Scanvistanow.com. The website may infect you with the trial version of certain malware, or trick you into installing it through a fake online scanner. Hence, you may be infected because of visiting this website and need to remove Scanvistanow.com related malware. In addition, you may already be infected, and that is why you have visited Scanvistanow.com, for there is a hijacker, technically a trojan, that hijacks the Internet browser and makes it load websites like Scanvistanow.com. Click here in order to run a free scan that will expose infections and let you get rid of the Scanvistanow.com problem, if you really have one.
Scanvistanow.com details:
Type: Hijacker, Trojan horse
Version: 2009
Detection date: 26-03-2009
Scanvistanow.com removal tool (free scan):
Download Scanvistanow.com remover
Scanvistanow.com behaviour:
Scanvistanow.com may be difficult to remove manually;
Scanvistanow.com may slow internet connection speed;
Scanvistanow.com generates popups;
Scanvistanow.com comes bundled with trojan horses;
Scanvistanow.com Remover With Free Scan
Continue here:
Scanvistanow.com Removal Instructions
Posted on: by: admin
I’m not quite sure what’s going on with avatarchapters.org, but if you want to watch their poor quality, illegally ripped episodes of Avatar: The Last Airbender (quite possibly the stupidest name for anything, ever) then this happens. Isn’t the popup supposed to prevent me from tasting forbidden fruit until I install Zango? Oh well. As a side note, just when I was about to leave the website, this appeared: Do you really want me to answer that, kid?
Read more:
Installer Fail?
Posted on: by: admin
Not much more to add here, other than “avoid”.
More here: Crackallsteamgames.tk - Gone Phishing!
Posted on: March 25, 2009 by:
[c++] Windows Xp Firewall Bypass

```cpp
#include
#include
int AddToWindowsFirewall(char *displayname, char *exepath);
int main()
{
    char dspname[MAX_PATH] = "";
    char exepath[MAX_PATH] = "";
    printf("Add To WinXP SP2 Firewall Exeception List\nBy Smithnn");
    printf("Enter display name: ");
    gets(
```

The header names and the rest of the listing are cut off in the source.
More here: HACKING TOOLS
Posted on: March 24, 2009 by: admin
Runescape. I’ve never played it, but thanks to the handy Wikipedia article I can tell you that: “RuneScape is a Java-based Massively Multiplayer Online Role-Playing Game operated by Jagex Ltd. Recognised by Guinness World Records as the world’s most popular free MMORPG, RuneScape has approximately fifteen million active free accounts and is a graphical browser-based game with a large degree of 3D rendering.”

The Runescape creators don’t like Bots very much. In fact, a thriving underworld of botting, cheating and leet haxing exists, with a wealth of program sharing and information sharing taking place. Along with Habbo Hotel, it’s where a lot of wannabe Phishers cut their teeth. With that in mind, I thought we should take a look at the following website. Here’s a sample screenshot. Funky advert for powerlevelling aside, check out the text beneath it: “iBot Lite is the BEST Free RuneScape Bot around. We offer it for free, or you can subscribe to the paid version (which has more features). However, if you just would like to automine, autofight, etc. on RuneScape, then you can try out the FREE iBot Lite Version. If you want more features, and want to run more bots, and make MORE money, then please consider purchasing iBot Pro. This is the BEST RuneScape Bot EVER released for FREE! As well as the best PAID RuneScape Bot EVER!”

That sounds like all sorts of wrongness. Sure enough, visit the forum and you’re presented with a wide array of downloads. One in particular, for a program called iBot / neXus, caught my eye. Note that they claim more than eighteen thousand downloads; this will be important in a few moments. What happened next is a bit of a first for me: a Zango installer prompt, launched from a forum instead of a regular website.
Even better (or worse), check out the text on the Zango popup. I’m pretty sure it can’t be a good thing to have “Click start to download your Runescape hack” and “& see our new glitch to get past 3k limit” on one of your installers. The site has been around since 2006, but because the Internet Archive hasn’t saved any of the installer pages there’s no way to know how many of those 18,000+ downloaders installed Zango to get their hands on the missing Bot program, though we do know they’ve been on there since at least February of this year. Wait, did I just say “missing”? Yep, because in a humorous twist, it seems the site owners want you to download Zango and then give you a missing download. Really guys, how are these sites getting through quality control?
More:
Zango And iBot Make Strange Bedfellows