[tweetmeme source=”stalehansen” only_single=false] March first 2010 Telenor TSOC discovered that a new worm was on the loose on Windows Live Messenger. This time it is in your native language and therefor the probability of users actually clicking on the link is much greater. The worm sends a link from one of your contacts in MSN and if you click it a trojan will be downloaded to your PC and install itself. This is a huge risk for businesses that allow users to use Windows Live Messenger in their company network. If one PC get compromised in the internal network the possibility for it infecting other PC’s is even greater. This is one of the main reasons to implement OCS 2007 R2 as the only business solution for chat. Some arguments are:
- Encrypted internal chat solution
- All traffic stay inside you organization
- Can federate and chat with other organizations in a secure manner
- Can add global rules for blocking links, file transfers and unpatched clients
- Can add MSN contacts and be sure that messages with links is blocked server-side
In addition to secure chat OCS gives the businesses the ability to implement Unified Communications and is therefore way more than just a chat client.
About this trojan
First you get a message from one of you contacts saying, seen this?? :D and it links to hxxp://www.facebook-c.com/image.php?Photo023girl.JPG. The trojan adapts to the language on the computer and will display the text in you native language. In norwegian it will be se på dette bildet :D with the link following. The link points to a site at Yahoo and so the links was live for a day or two. It still was a huge security risk. The trojan is written in Visual Basic and executes a C++ program. It installed itself as c:\windows\winmbu.exe and granted itself access through the local firewall. The program gave the owner of the trojan access to
- Communication with C&C over the IRC protocol
- Sending of messages over MSN and Yahoo messenger
- Download and run files on the infected computer
At release date only 13 of 41 antivirus products detected this file. So even with an updated antivirus on the local computer 69% of the antivirus solutions would not have detected it.
Link to official article in norwegian: http://telenorsoc.blogspot.com/2010/03/trojaner-spres-via-msn-messenger.html
Link to the antivirus protection overview: http://www.virustotal.com/analisis/89c677bc0044864d80244aee8201661e79f431f33c3b164aa778f363fe1cf9da-1267474859