The IM Hackers: How They Did It
by Chris Boyd, Wayne Porter
Part 2: Reworked IM infections
There is currently a wave of IM adware bundles that have been tracked as far back as October 2004. However, it looks like the group responsible for the current wave of these installers has been traced due to extended research by authors Christopher Boyd, Wayne Porter and by FaceTime's XBlock team, the FaceTime IMPact center, Roger Karlsson of Kephyr.com and the final piece of the puzzle, Jay Loden, who (by chance) was found by Boyd whilst conducting further research. Loden had in his possession a massive collection of files, photographs, screenshots, chatlogs and more besides, which is currently being used as exhibits A through Z in a potential police investigation.
Therefore, names, geographical locations and other personally identifiable information will not form the basis of these write-ups. The files, however, are fair game. And these articles will look to carry out in-depth studies of particular elements of this hacker group's methods, techniques and their payloads.The file in question that seemingly started all this is something called "Funneh.exe", though the files recovered from the hackers are (in truth) far more interesting in terms of understanding both what they hoped to achieve, and also how Funneh.exe came to be. This time round, we'll be looking at modified IM virus techniques, crossed with basic AIM "parlour tricks" to devastating effect...
In the Beginning
There was no light, but there was certainly some grey. IM exploits have been around for some time - however, the addition of Adware bundles to generate ill-gotten revenue is a fairly recent addition. Up until now, the impact of this had been somewhat small (the only real IM technique of note was this one, where a game forwarded a download link to contact lists). But with some detective work and the merest splash of imagination, it is entirely possible to build up a picture of both where this attack came from, and also some of the more disturbing implications of this attack vector.
The Game Begins
Looking at these attacks from a purely technical level, we can see the faintest of origins in this attack in a remote code exploit from August 2004, where an overlong away message in AIM could cause a buffer overflow and allow execution of arbitrary code. Although this vulnerability was fixed, it gained a lot of publicity at the time and as teens the world over use AIM, it is highly likely that groups of script-kiddies and wannabe hackers would be aware of this issue, yet lack the technical capabilities to develop new exploits based on this model. But if the basic idea of AIM away messages as an entry point should linger...
We now jump forward to March / July 2005, where we can see many forums and websites (often, gamer sites) full of similar AIM "gags", the bulk of which involve using the AIM Scripting language to pop up redirected websites, "funny" away messages (usually with obscene content) and much more besides. Now, there are many, many gaming clans that either use the game angle as a front for hacking / cracking activity (where they test the latest game-cheats into the bargain) or simply do both because they enjoy it. IM / IRC is the communication tool of choice for these groups, and it is fair to say any group involved in a touch of sideline-hacking would have a good working knowledge of IRC Bots / Trojans / delivery methods. Now, come with me as we step forward to...
Present Day Exploits
The IM hacker gang did indeed leave some tantalising clues as to where they developed the install attack vector. Pulling up some of their webpages, we can see the following - the now familiar AIM Away message "trick" from the forums, used in conjunction with a crude piece of HTM coding.
we can also see the IM gang exploring the idea of using referral links to make money. But this is still not enough to show us the origin of this technique - and trying to "view source" for the original page reveals nothing. But clicking "Back" in the browser leads you to a page looking strangely different. Why is this?
An IFRAME (a floating frame contained within a webpage) is employed in this case, which is why the source code has now magically appeared.
If we then go back to the "affiliate link" page, checking the source code (after clicking "Back" in the browser) doesn't work. However, viewing the page offline and checking the source gives us this.
So now we can see how hidden pages called from the original AIM link (leading to the initial "jump off" webpage) can potentially lead to whichever executable the hackers want using IFRAMES - in this case, the end result would be FUNNEH.EXE. For a simplified illustration of this technique, see below.
But...where did the IM hacker gang come up with this webpage code?
We're Going Back to the Start...
Do you remember the AIM buffer-overflow exploit? A more detailed copy of the code can be found here.
Two important parts to note here - one, how the original exploit functions:
"In our opinion the reverse connect (-r option) is the most dangerous
- because you can encode your ip address and pick a port, and then
- when the victim visits the evil web page...
- the attack will automatcially open his AIM even if its not already open and
- connect you to and then terminate the AIM process in uber-stealth mode
- the victim doesn't know what hit them..."
And two...the smoking gun, the piece of conclusive evidence that the IM hacker gang saw this exploit, probably didn't understand the more complex aspect of this hack and decided to combine
this code (taken from the buffer overflow) with the AIM parlour trick. Seem familiar?
"Hey d00d!" is the dead giveaway.
So now we know where, how and (to some degree), why.
The issue here is, could a group of sixteen year olds really come up with a scheme this complex? Who actually packed the FUNNEH.EXE installer? Who signed up to the numerous Adware affiliate programs? The people with the evidence are the various and programs and networks themslves. Giving the lack of credentials needed to enter into any online affiliate agreement be it adware or through a major aggregator it could be a band of crafty twelve year olds. Affiliate marketing has unfortunately been operated through a McDonald's drive-through window paradigm where neither the merchant or the network really know that much about their partners. It is not shocking that such abuses could take place and continue to do so.
There are reports coming in of unconnected videogame hacker gangs pushing links through IM, and reports of infections. Coincidence? Possibly. Though it does raise the tantalizing possibility that there may be a figure or set of figures in the shadows, pulling the strings and recruiting these groups of willing teenagers to help push the money-generating installers.
The final part in this series will explore the numerous Trojans, viruses and Bots found on the compromised server. Perhaps this will reveal the enigma of who or what entity created the installer. Then again, we may just end up with more questions that need to be answered.
noted this article is Copyright © 2018
by FaceTime Communications, Inc. This article may not be resold,
reprinted, or redistributed for compensation of any kind without
prior written permission from FaceTime
Communications, Inc. For reprint or media inquires please contact
us with the phrase "Spyware
Guide Articles" in the subject line and we will by happy
to assist you. Links to this article from other websites are appreciated
and encouraged. Users are also encouraged to utilize our RSS
system to provide unique content and extracts for their site.
Read other articles (back to