Representative Expression

New variant of Trojan via Hotmail Instant Message

Be warned and on the lookout for a new round of Hotmail accounts being hacked and suspicious links being sent to you from your contacts.
You might receive a message from a known contact that will contain a link to what initially appears to be a to a profile picture.
What it is actually doing is trying to get you to download a windows Trojan.
Hotmail Message from Hacked Account

The message you will receive could look something like the following:

The text will say something similar to the above: "ahha is this you?? hxxp://images-id.com/profile.php?=yahoo:shinerweb@yahoo.com"

How does the attack work?

If you receive the above message or similar, because it has come from a "trusted friend" in your Hotmail contact list, you are probably likely to believe the link to have come from them.
Most people will just click on the link, but don't worry, you haven't been hacked just yet. In this case of this attack it actually requires you to install it, but believe it not, many people will do just that.

In this instance, clicking on the link above will download a self-extracting zip file to your PC. (Yes, we are talking a Windows Trojan here).
But you still haven't infected your PC. You now have to actually run the self-extracting zip file by navigating to the location where it was downloaded and clicking on it. (Some chat programs allow you to open the downloaded file by simply clicking on it from within the chat program).
But you still haven't been infected if you do just that. All you have done is to extract the actual virus to your PC.
It still requires you to now navigate to where the file was extracted and open it.
Only now will you have infected your machine.

At the time of writing, only one anti-virus vendor was giving a warning, with two other vendors marking the file as suspicious.
It will take most of the leading Anti-virus companies up to another 6-12 hours before they release new definitions to catch this one.
It will probably be a few days before the rest of the bunch catch up with some taking up to a week.
So even if you have the most up-to-date virus definitions, you are not going to detect this trojan just yet.

Despite the number of manual steps involved in order to become infected, many hundreds of thousands of users around the globe will still do just that.
Some will do it primarily because the link and the files came from someone in their Hotmail contact list that they probably trust.

So why did my Hotmail contact send me this link?

Actually, your contact didn't. The bad guys have gained access to your contacts username and password and have control of their account.
There are a number of ways that the bad guys can gain access to these details.

Trojan: The payload in this instance is a trojan that installs other software to capture personal information from the infected machine. The user could already have been infected with this trojan or another similar and the Hotmail account details stolen (via a Keylogger for example).

Phishing: There have been a number of incidents already this year whereby legitimate sites have displayed adverts or malware inserted by the bad guys. This presents the visitor with a dialogue box very similar (almost an exact copy) of the Hotmail Login screen. The user then blindly enters their Hotmail Username and Password. The bad guys scripts will then usually display a failure message before redirecting the visitor the genuine Hotmail Login screen. But by this stage it is too late, they already have your Hotmail account details.

In this instance, this is what I suspect to have happened in that the user has fallen foul of a phishing attempt on a site they have recently visited.

The short answer is that your Hotmail contact did not send you the message. In fact, they probably have no knowledge what-so-ever of any messages being sent to you.
They will probably tell you that they didn't even have their computer switched on at the time so it could not have come from them.
The bad news is that it didn't need to be. The bad guys already have their username and password and they use a program of their own to login and send the messages from any computer they like.

At a later date, I will post an update on how to prevent or reduce the chances of falling foul of these types of attacks.
Some quick advice though is:

• Never to trust any files sent by friends no matter how much you trust them. It might not be them sending it in the first place.
• Always have your chat program configured to run an anti-virus scan of ALL downloaded and transferred files. (Though this would not have protected you in this instance).
• Any file you are not sure of, upload it to Virus Total and see what they have to say about it.
  

The information below is the technical information about how the virus works.