Re: IM upgrade automated social engineering attack

[Dragos Ruiu <dr () kyx net>]

On Tuesday 06 November 2007 02:37, Roman Shirokov wrote:
> Hey all
>
> I confirm that, I received several messages as well. The text of
> message is:
>
> WINDOWS REQUIRES IMMEDIATE ATTENTION
> =============================
>
> ATTENTION ! Security Center has detected
> malware on your computer !
>
> Affected Software:
>
> Microsoft Windows NT Workstation
> Microsoft Windows NT Server 4.0
> Microsoft Windows 2000
> Microsoft Windows XP
> Microsoft Windows Win98
> Microsoft Windows Server 2003
>
> Impact of Vulnerability: Remote Code Execution / Virus Infection /
> Unexpected shutdowns
>
> Recommendation: Users running vulnerable version should install a repair
> utility immediately
>
> Your system IS affected, download the patch from the address below !
> Failure to do so may result in severe computer
> malfunction.http://www.alertmonitor.org/?q=updatescan
>
> > With all the proliferation of phone home for update systems in
> > even trivial software packages these days, neophyte users
> > can easily get confused about legitimate upgrades and imposters.
> > So someone is trying to take advantage of this with an
> > automated version of an old school social engineering
> > attack via Skype spam.
> >
> > Someone/something/.someone's-botnet on skype last night
> > contacted users who reported it to me. The messages were
> > formatted to resemble Microsoft update messages or an AV scan
> > with a link to click to update and/or repair malware in a number
> > of Microsoft products. None of the users who reported it to me
> > clicked on the link so its not clear what the installed malware
> > was after.
> >
> > A series of users with the name "Scan Alert" followed by the registered
> > trade mark sign originating from a numeric range of skype userids
> > following the form:
> >         scan.alert.o<number>
> >
> > ...have been sending these unsolicited messages. These id's seem
> > to be registered in the US. Please warn your users to ignore and be
> > wary of social engineering attacks purporting to be upgrades via
> > IM, because without doubt the persons behind this will try other
> > variants.
> >
> > A little bit of googling indicates these folks have been active for
> > at least two weeks.
> >
> > cheers,
> > --dr

That text came from a worm that Symantec and FSecure alerted about 
and put out an advisory about (and there was a story on PC World
 too as I recall). (One of the web vuln scanner folks also put
an advisory but I forget whom now, sorry).

What was interesting to me about the reports I got was that
it sounded like someone was using the worm ids as noise to
send other messages, to look like _update_ messages not AV. 
Maybe experimenting with a new version? Using the worm
as cover for a targeted attack? Unfortunately this is all
verbal descriptions, and not very accurate ones, so I 
can't verify this.

Also a quick search for IDs on skype also shows that
there is another sequence of IDs in the form:

    system.scan.c<number>

But this also begs the question, why haven't the security
folks at Skype shut these down already, as they've been
active for weeks, and people are submitting abuse reports
about them?

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan   November 29/30 - 2007    http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp