[Plug-security] Slightly OT: WIN32 IM Trojans

Gontran plug-security@lists.PLUG.phoenix.az.us
Fri, 2 Nov 2001 09:37:58 -0700


Continuing the 'Win32 IM IS NOT SAFE' thread...

A couple of months ago my wife was sent some kind of MSN IM trojan via the
usual upgrade path -- though her version was current, and no new releases
were mentioned on the appropriate website.  This seemed an isolated incident.

This morning, via the 'libnet' listserv, as part of a long and rambling post
by one Mr. Craig Carey, I read of further anecdotal evidence that Win32
IM messaging may not be a 'safe thing'.

---- * Craig Carey (research@ijs.co.nz) wrote: ----
> [ ... regarding libnetNT issues ... ]
>
> PS. the Yahoo Messenger IS a trojan and I got decent evidence that
> Yahoo activated it inside my PC in an attempt to download data.
> They sent a fake Code Red probe from India at the time as if
> believing that they are mainly targeting PCs inside of
> networks. The conversation I had about 2-3 hours earlier could have
> given them a motive to attack. They were going to upload via port
> 21 and with the www.dishaonline.com reflector in India, they might
> have been able to use any port number. The Yahoo Messenger renamed
> itself, quite possibly in memory. A simple stealth technique. I
> was not running any protecting program but I caught it by observing
> a marked slowdown of my PC that lasted for seconds.
> 
> Some comments and a script to split up *.EXE/*.DLL files and find
> out what is encrypted/noncompressible:
> http://www.escribe.com/internet/proxy-methods/m2908.html
> 
> The Yahoo Messenger's ycrwin32.dll file and YServer.exe files, could
> be the parts that implement the Y!-Trojan feature. After some e-mailing
> of F-Secure, they eventually stated that they refused to investigate.
> They are not even a US company.
> 
> I believe that Yahoo was motivated by a desire to track down
> piracy of Microsoft software. I suppose that Yahoo and Microsoft have
> a mutual agreement to help Microsoft out using Yahoo's Trojans. When
> I analysed the Microsoft MSN Messenger, it contains a lot of
> encrypted code. If it blows up on them, Yahoo can lose a single file
> where I guess Microsoft might lose the whole messenger.
> America Online uses encryption too. This Mercury Express messenger
> seems quite suspect, with 31% of its code being encrypted:
> 
>     http://www.mercuryprime.com/products/Razius_Express.zip
> 
> I suppose there is a real shortage of private sector trojan software
> for Linux.
> 
> I wrote to abuse@yahoo.com but they did not reply. I was also
> writing about winpcap and the Saudi censoring unit,
> http://www.isu.net.sa/ so really perhaps the Libnet program is indeed
> a covert operation. If I keep criticising China I might even get
> my mailing list expelled from Yahoo's domain. One has to question
> the intelligence of the US hackers for not blowing the whistle and
> the crackers too.
> 
> 
> Craig Carey
> Secrecy is paramount, unless not
---- */Craig Carey (research@ijs.co.nz) wrote: ----

Related linux applications:
LMME (linux msn messenger engine): http://messiah.2y.net:81/lmme/index.html
GNUYahoo!: http://gnuyahoo.sourceforge.net/

Gontran
--
The advertisement is the most truthful part of a newspaper
	- Thomas Jefferson
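The "find out what is encrypted/noncompressible" measurement the quoted post alludes to, as an added example that is neither the script Craig Carey linked nor anything from the original post: per-chunk Shannon entropy plus zlib compressibility over a file image, giving a percentage like the "31% of its code" figure. The chunk size, thresholds and the constructed stand-in for an EXE are assumptions for illustration.

```python
import math
import random
import zlib

CHUNK_SIZE = 4096  # assumed window size; PE sections are usually page-aligned

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def compress_ratio(data: bytes) -> float:
    """Compressed size / original size; encrypted or packed data stays near 1.0."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)

def classify_chunks(data: bytes, chunk_size: int = CHUNK_SIZE,
                    entropy_min: float = 7.2, ratio_min: float = 0.95):
    """Return (offset, entropy, ratio, flagged) per chunk. A chunk is flagged
    when it is both high-entropy and non-compressible, which is what
    encrypted or packed code looks like. Thresholds are assumed values."""
    out = []
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        e, r = shannon_entropy(chunk), compress_ratio(chunk)
        out.append((off, e, r, e >= entropy_min and r >= ratio_min))
    return out

def fraction_noncompressible(data: bytes, **kw) -> float:
    """Share of flagged chunks, i.e. the 'percent encrypted' style figure."""
    rows = classify_chunks(data, **kw)
    return sum(1 for row in rows if row[3]) / len(rows) if rows else 0.0

def sample_image() -> bytes:
    """Constructed stand-in for an EXE (not a real binary): four chunks of
    plain code-like text followed by two chunks of seeded pseudo-random
    bytes standing in for an encrypted section."""
    plain = (b"push ebp; mov ebp, esp; call import_table; ret ; " * 100)[:CHUNK_SIZE]
    rnd = random.Random(2001)
    noise = bytes(rnd.getrandbits(8) for _ in range(2 * CHUNK_SIZE))
    return plain * 4 + noise

if __name__ == "__main__":
    for off, e, r, flagged in classify_chunks(sample_image()):
        print(f"{off:#08x} entropy={e:.2f} ratio={r:.2f} {'SUSPECT' if flagged else ''}")
    print(f"non-compressible: {fraction_noncompressible(sample_image()):.0%}")
```

To run it over a real file, pass `open(path, "rb").read()` to `classify_chunks`; legitimate compressed resources and digital-signature blobs will also score high, so a hit marks a section worth a closer look rather than proof of anything.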