Story: Hotlan Trojan defeats captcha
The creation of email accounts is probably semi-automatic
In my humble opinion, captcha is not circumvented: the creation of email accounts is semi-automatic:
Explanation:
1) Seen on http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62027948-39000005c
BitDefender declares:
"Viorel Canja, head of BitDefender's anti-virus labs, said there are "only" about 500 or so new accounts being created in this attack every hour, and 15,000-plus Hotmail accounts had already been used."
I think that the attack could be semi-automatic: automatic registration, automatic display of the captcha in a simple GUI, MANUAL entry of the captcha value, automatic validation, and so on.
500 email accounts per hour is one every 7 seconds: just enough for a person to enter a captcha value on the keyboard.
At that rhythm, you only have to pay a few dollars to some "dumb" people to do the job.
2) Some interpretations of BitDefender's declaration are not always objective:
Seen on http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62027948-39000005c
BitDefender declares:
"The Trojan uses automatically generated accounts, suggesting that spammers have found a way to bypass the captcha systems," the company said in a statement.
=> "Uses" => accounts are already generated. "Automatically" and "suggesting" are confusing:
there is no proof that the account creation is automatic (500/hour is very few for an automatic process) => no proof that the captcha system is circumvented.
Look carefully at the Trojan description on BitDefender's website. You can see that it is confirmed that it uses EXISTING accounts:
http://www.bitdefender.fr/VIRUS-1000154-fr--Trojan.Spammer.HotLan.A.html
"SYMPTOMS: There aren't any obvious symptoms of this malware, except increased internet activity;
TECHNICAL DESCRIPTION:
The trojan reads from http://[BLOCKED]/wemail/index.php a custom script which it tries to interpret.
The script provides the following main actions:
- logon into an existing email account (@hotmail, @yahoo or @30gigs);
- read from http://[BLOCKED]/base.php coded information about an email to send (To:, Cc:, Subject:, Body:);
- decode the email and send it;
- try to create new email account (@hotmail, @30gigs, @google);
Email accounts have the following pattern:
- @hotmail.com - swift3409494vlad45@hotmail.com
- @yahoo.com - ClaudiaWilder85@yahoo.com
- @yahoo.com - LeonardFernandez@yahoo.com"
So we are far away from some interpretations, where it is said that the Trojan creates the email account itself...
http://www.net-actuality.org/news/5666-hotmail-et-yahoo-pris-pour-cible.html
"By circumventing the "Captcha" security system, which requires recognising letters in an image before an account is opened, this virus is able to create mail accounts on the fly, up to "500 new accounts are created every hour", says Viorel Canja, researcher at BitDefender."