New trojan on MSN March 2010

On March 1, 2010, Telenor TSOC discovered that a new worm was on the loose on Windows Live Messenger. This time it is in your native language, and therefore the probability of users actually clicking on the link is much greater. The worm sends a link from one of your contacts in MSN, and if you click it a trojan is downloaded to your PC and installs itself. This is a huge risk for businesses that allow users to use Windows Live Messenger on their company network. If one PC gets compromised in the internal network, the possibility of it infecting other PCs is even greater. This is one of the main reasons to implement OCS 2007 R2 as the only business solution for chat. Some arguments are:

  • Encrypted internal chat solution
  • All traffic stays inside your organization
  • Can federate and chat with other organizations in a secure manner
  • Can add global rules for blocking links, file transfers and unpatched clients
  • Can add MSN contacts and be sure that messages with links are blocked server-side

In addition to secure chat, OCS gives businesses the ability to implement Unified Communications and is therefore far more than just a chat client.

About this trojan

First you get a message from one of your contacts saying "seen this?? :D", and it links to hxxp://www.facebook-c.com/image.php?Photo023girl.JPG. The trojan adapts to the language on the computer and displays the text in your native language. In Norwegian it is "se på dette bildet :D" followed by the link. The link points to a site at Yahoo, and so the link was live for a day or two. It was still a huge security risk. The trojan is written in Visual Basic and executes a C++ program. It installed itself as c:\windows\winmbu.exe and granted itself access through the local firewall. The program gave the owner of the trojan access to:

  • Communication with C&C over the IRC protocol
  • Sending of messages over MSN and Yahoo messenger
  • Download and run files on the infected computer

At release date only 13 of 41 antivirus products detected this file. So even with an updated antivirus on the local computer 69% of the antivirus solutions would not have detected it.
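The lure described above has a recognisable shape: a link on a Facebook lookalike host whose path is a PHP script and whose query string is dressed up as an image file name. The following is an added example (not code from the original post or from Telenor TSOC) of a message-content check for that shape; the brand list, sample messages and function names are assumptions, and only the facebook-c.com link comes from the post.

```python
import re
from urllib.parse import urlsplit

# Indicator host taken from the post; everything else here is an assumption.
KNOWN_BAD_HOSTS = {"www.facebook-c.com", "facebook-c.com"}
BRANDS = {"facebook": "facebook.com"}  # brand keyword -> legitimate domain
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)

def refang(url):
    """Turn a defanged hxxp:// link back into http:// so it can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def score_url(url):
    """Return the reasons a link resembles the lure described in the post."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_BAD_HOSTS:
        reasons.append("known-indicator-host")
    for brand, legit in BRANDS.items():
        if brand in host and host != legit and not host.endswith("." + legit):
            reasons.append("lookalike-" + brand)
    # A script path whose query string is dressed up as an image file name.
    if parts.path.lower().endswith(".php") and parts.query.lower().endswith(IMAGE_EXT):
        reasons.append("script-posing-as-image")
    return reasons

def scan_messages(messages):
    """Return (sender, url, reasons) for every suspicious link in the messages."""
    hits = []
    for sender, text in messages:
        for url in URL_RE.findall(text):
            reasons = score_url(url)
            if reasons:
                hits.append((sender, url, reasons))
    return hits

# Constructed sample messages; senders are made up, the lure link is from the post.
SAMPLE = [
    ("contact-a", "seen this?? :D hxxp://www.facebook-c.com/image.php?Photo023girl.JPG"),
    ("contact-b", "se på dette bildet :D hxxp://www.facebook-c.com/image.php?Photo023girl.JPG"),
    ("contact-c", "album is up: https://www.facebook.com/photo.php?id=1"),
    ("contact-d", "lunch at 12?"),
]

if __name__ == "__main__":
    for sender, url, reasons in scan_messages(SAMPLE):
        print(sender, url, ", ".join(reasons))
```

Because the check keys on the link's structure rather than the message text, it flags the English and Norwegian variants alike.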

Link to official article in Norwegian: http://telenorsoc.blogspot.com/2010/03/trojaner-spres-via-msn-messenger.html
Link to the antivirus protection overview: http://www.virustotal.com/analisis/89c677bc0044864d80244aee8201661e79f431f33c3b164aa778f363fe1cf9da-1267474859

One thought on “New trojan on MSN March 2010”

  1. This is really interesting. I’m actually gathering up a list of posts on this and making a reference blog. This is going to be at the top of the list. Thanks.
