The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky. Find out more about the authors of this weblog.


Analyst's Diary

The what-bot


Yury Namestnikov, September 10, 2009 | 10:28 GMT


Late on Monday, a lot of Russian ICQ users got sent this message:

Woland (23:07:23 7/09/2009)
Link to download the file Frogs.rar
http://file.qip.ru/file/*********/********/Frogs.html
[-- File sent via file.qip.ru. More details on the site: http://file.qip.ru --]

If you've been using ICQ for a while or are even remotely security savvy, you know not to just click on links that get sent to you, even if they appear to come from a known contact. Instead, you're going to try and check in some way whether it's really a person who sent you the link, or just a bot. Turing tests are designed to distinguish humans from bots, and everyone's come across CAPTCHAs, a reverse Turing test. Of course, if you're on ICQ, you're not going to use an image to check who's on the other side of the screen, but you can ask a challenge question – after all, a computer can't actually answer questions, can it?

But there's a problem with this – if you get sent a link to a file, you're going to automatically ask "What is it?" And this is where it gets interesting: the bot behind the link didn't have any trouble answering this question.

Yuk(23:07:28 7/09/2009)
What is it?

Woland (23:07:28 7/09/2009)
An optical illusion puzzle funny )

This answer sounds pretty human, so why not download and run the file? The puzzle looks like this:

The frogs are just there to divert your attention. Working out which way they should jump is a nice little time-waster. But while you're doing that, some malware (we detect it as Hoax.Win32.IMPass.al / Hoax.Win32.IMPass.am) bundled in the package is quietly stealing your ICQ login and password. And once it's got those details, your password gets changed, and then the same link starts being sent to all your contacts from your account.

The bot's not as intelligent as it first seems: it's only able to answer questions which contain one of the following words: «что», «чо», «чё», «че», «шо», «що» and «чито». (The first is standard Russian for "what" – the others are slang widely used on the Russian Internet.)

The whole thing is a neat little lesson: security doesn't just depend on checking whether links were really sent by your friends, but also on thinking up challenge questions that no bot could ever answer!
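In the exchange quoted above, the answer arrives in the same second as the question. As an added example (not part of the original post, and not Kaspersky's tooling), this sketch parses a transcript in that format and flags replies from a link sender that arrive faster than a person could type them. The 5 characters-per-second threshold, the function names and the placeholder URL in the constructed sample are assumptions.

```python
import re
from datetime import datetime

# Header format as it appears in the quoted transcript: "Nick (HH:MM:SS D/MM/YYYY)"
HEADER = re.compile(
    r"^(?P<nick>\S.*?)\s*\((?P<ts>\d{1,2}:\d{2}:\d{2} \d{1,2}/\d{2}/\d{4})\)\s*$")
URL = re.compile(r"https?://\S+", re.I)
# Assumption: a person types roughly 5 characters per second at best.
MAX_HUMAN_CPS = 5.0

# Constructed sample modelled on the exchange in the post (URL is a placeholder).
SAMPLE = """\
Woland (23:07:23 7/09/2009)
Link to download the file Frogs.rar
http://file.example/Frogs.html

Yuk(23:07:28 7/09/2009)
What is it?

Woland (23:07:28 7/09/2009)
An optical illusion puzzle funny )
"""

def parse(log):
    """Split a transcript into (nick, timestamp, text) messages."""
    msgs = []
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S %d/%m/%Y")
            msgs.append([m["nick"], ts, ""])
        elif msgs and line.strip():
            msgs[-1][2] += line.strip() + "\n"
    return [(n, t, body.strip()) for n, t, body in msgs]

def suspicious_replies(log):
    """Flag replies from a link sender that arrive faster than they could be typed."""
    msgs, link_senders, hits = parse(log), set(), []
    for prev, cur in zip([None] + msgs, msgs):
        nick, ts, text = cur
        if URL.search(text):
            link_senders.add(nick)
        # Only replies to someone else's message, sent by a nick that pushed a link.
        if prev and prev[0] != nick and nick in link_senders:
            delay = (ts - prev[1]).total_seconds()
            if len(text) / MAX_HUMAN_CPS > delay:
                hits.append((nick, delay, text))
    return hits
```

Timestamps in this log format have one-second resolution, so the check only catches replies that are clearly too fast; a bot that delays its answers would need a different signal.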

 
