
Your IM Account Information is Available on the Internet! 

May 27, 2009 01:00 AM

Instant messaging (IM) applications are widely used nowadays, and while more and more people use them, they’ve also become increasingly feature heavy. Besides the original chat function, IM applications have also integrated other useful features such as blogging, photo albums, online games, etc. More functions enhance the user’s Internet surfing experience, help people to share information and thoughts, and even allow users to manage their assets online.

While people enjoy the convenience brought by advanced technologies and services, hackers are targeting the information that people increasingly put on the Internet, especially when that information is profitable. Online account information is definitely one such target.

A recent security event is a warning to us all. It was discovered that people’s IM account information is available online by searching keywords such as “[IM USERNAME] password txt filetype:txt.” Hundreds of search results are returned containing the details of the requested information. Moreover, some of the information has proven to be valid and could be used to log in and manipulate the accounts.

How did the stolen IM account information become available in search engine results? Analysis has shown that after attackers stole the account information using a Trojan horse, they stored it in a text file on certain FTP servers or transferred the file via email. The servers that store the information often have very loose access permissions, or sometimes no restrictions at all. Thus, once the files that contain the stolen information happen to be indexed by search engines, they can be found with a query and easily downloaded and viewed.

There are a number of Trojan horses that aim to steal IM account information. We’ve analyzed one of those Trojans to show you how it works:

Firstly, the Trojan horse arrives on the compromised computer masquerading as a real IM client. After the fake IM client is executed, it creates a shortcut on the desktop using exactly the same name and logo as the shortcut created by the real IM client, so that it looks like the real IM application. Meanwhile, a login window pops up and prompts the user for the login details. This window again looks the same as the real login interface, except that on the fake window only the “User ID”, “Password” and “Login” fields/buttons are active; all other buttons/links, such as “Password Stealer Scan”, “Apply For New Account” and “Forgot Your Password?”, are disabled. This already differentiates the fake application from the authentic IM application login window. Unfortunately, users usually ignore these details, so the fake login window could still fool a lot of users.

 

[Screenshot: blank fake login window, with red captions]

 

We tested the fake IM application by entering a random ID “123456789” and password “test account.”

 

[Screenshot: login test, blurred]

 

As soon as login is clicked, the malicious program starts to record the account information “user=123456789&pass=testaccount” and connects to the malicious server “qazx.ok[REMOVED].net” to transmit the stolen credentials.

 

[Screenshot: information stealing, blurred]
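A defender can look for this behaviour in egress logs. The following is an added example, not part of the original analysis: it flags requests that carry a user/password pair like the one above to any host that is not an official login host. The log format, the host names and the assumption that the credentials travel as unencrypted form-encoded parameters are all constructed for illustration.

```python
from urllib.parse import parse_qs

# Assumption: the hosts the genuine IM client logs in to (placeholder name).
OFFICIAL_LOGIN_HOSTS = {"login.im-vendor.example"}
USER_KEYS = {"user", "username", "uid"}
PASS_KEYS = {"pass", "password", "pwd"}

# Constructed proxy log: "<time> <client> <method> <host> <path> <body or ->"
SAMPLE_LOG = """\
2009-05-27T01:00:03Z 10.0.0.21 POST login.im-vendor.example /auth user=alice&pass=example
2009-05-27T01:02:10Z 10.0.0.37 POST collector.invalid /log user=123456789&pass=testaccount
2009-05-27T01:02:55Z 10.0.0.37 GET news.example /search?q=password+reset -
2009-05-27T01:04:31Z 10.0.0.44 GET Collector.invalid. /r?USER=555&pwd=abc -
"""


def carries_credentials(encoded):
    """True if a form-encoded string holds both a user-like and a password-like key."""
    keys = {k.lower() for k in parse_qs(encoded, keep_blank_values=True)}
    return bool(keys & USER_KEYS) and bool(keys & PASS_KEYS)


def find_suspect_logins(log_text, allowed_hosts=frozenset(OFFICIAL_LOGIN_HOSTS)):
    """Return one record per request that sends a credential pair to a non-official host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) != 6:
            continue  # malformed line
        when, client, _method, host, path, body = fields
        host = host.lower().rstrip(".")  # normalise case and trailing dot
        if host in allowed_hosts:
            continue
        query = path.partition("?")[2]
        if carries_credentials(query) or carries_credentials(body):
            # Record who and where, never the payload: it contains a password.
            hits.append({"time": when, "client": client, "host": host})
    return hits


if __name__ == "__main__":
    for hit in find_suspect_logins(SAMPLE_LOG):
        print(hit)
```

Each hit names an internal client worth examining for a fake IM client, and the account seen in that request should have its password changed from a clean machine.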

 

The malicious server collects all the information sent by the Trojan horse clients and stores it in a text file like the one mentioned at the beginning of this blog. If these text files are not well protected, the information becomes available to everyone on the Internet, and the negative impact on the original account owner could be even worse.

To prevent such a security incident from happening, always download the IM application from the official website. Avoid downloading altered versions with alleged add-ons or fancy functions from unauthorized third-party websites. Furthermore, keeping your antivirus software up to date with the latest definitions is always recommended. Stay safe online, and have more fun by using IMs!

Big thanks to Xie Xiaojun for the virus analysis.

 
 
 
Message Edited by Trevor Mack on 05-27-2009 05:40 AM
