Video Screencast Help
Security Response

Keylogging at the Habbo Hotel

Created: 20 Feb 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:42:11 GMT
Peter Coogan's picture
0 0 Votes
Login to vote

Social networking Web sites have become apopular pastime and are a means of staying in touch with friends formany people. Yesterday, Websensereported on a Trojan keylogger aimed at users of Habbo, a popularsocial networking site for teenagers. This is not the first timeteenagers and children have been targeted. One of the first instanceswas a worm called W32.Pokey that used the Pikachu character from Pokemon as a social engineering tactic.

In the Habbo case, users are duped into believing they are gettingtools that will give them the opportunity to make a name for themselvesin Habbo without having to fork out the costs. In fact what they aregetting is a malicious Trojan horse program that logs keystrokes on thecompromised computer and sends the logs to the following email address:

NuckLfYaBuck@aol.com

Symantec detects this risk as Infostealer.Keyhabt.Upon analysis of the purported Habbo tools, Symantec found theexecutable files to be custom written and identical. The executable,once executed, drops a DLL into the System32 folder. The DLL inquestion is remarkably similar to a DLL seen in another risk whichSymantec detects as Spyware.SCKeyLogger. However, it is unlikely that this DLL comes from the same company.

As always, Symantec recommends caution when using third partyapplications. Symantec has also in the past examined the use of socialnetworking sites in the workplace and business. For further informationplease refer to our Ask the Expert document.

Thanks to Takayoshi Nakayama and James O'Connor for their analysis.