
New spam trojan hits Hotmail and Yahoo 12:58PM, Friday 6th July 2007

Asked By spamhotmai
07-Jul-07 01:48 PM
http://www.pcpro.co.uk/news/119172/new-spam-trojan-hits-hotmail-and-yahoo.html


Hotmail and Yahoo accounts have been hijacked to send out tens of
thousands of spam messages, according to security firm BitDefender.

The two webmail providers have fallen victim to a new trojan called
Trojan.Spammer.HotLan.A.

The malware not only generates new webmail accounts automatically but
has also found a way around the anti-spam CAPTCHA system, which
requires people to enter the letters depicted in an image.

The trojan reportedly accesses the webmail account, pulls encrypted
spam messages from another website, decrypts them and then sends them
out to legitimate email addresses. The messages send users to a site
selling pharmacy products.

hour," claims Viorel Canja, head of BitDefender's Antivirus Lab. "But
still, we've seen 15,000-plus Hotmail accounts being used so far. It's
hard to estimate how many spam e-mails have already been sent."

Microsoft couldn't be reached for comment, while a Yahoo spokesperson
said he would investigate the claims before commenting.


Asked By secumin
12-Jul-07 02:14 PM
In my humble opinion, captcha is not circumvented: the creation of email
accounts is semi-automatic:

Explanation:

1) Seen on
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62027948-39000005c

BitDefender declares:
about 500 or so new accounts being created in this attack every hour, and
15,000-plus Hotmail accounts had already been used.

I think that the attack could be semi-automatic: automatic registration,
automatic display of the captcha in a simple GUI, MANUAL entry of the captcha
value, automatic validation, and so on.

500 email accounts per hour is one every 7 seconds: just enough for a person
to enter a captcha value on the keyboard.
At that rhythm, you only have to pay a few dollars to some "dumb" people to do
the job.

2) Some interpretations of BitDefender's declaration are not always
objective:

Seen on
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62027948-39000005c

BitDefender declares:
have found a way to bypass the captcha systems," the company said in a
statement.

=> "Uses" => accounts are already generated. "Automatically" and "suggesting"
are confusing:

there is no proof that the account creation is automatic (500/hour is very
few for an automatic process) => no proof that the captcha system is
circumvented.

Look carefully at the Trojan description on BitDefender's website. You can
see that it is confirmed that it uses an EXISTING account

http://www.bitdefender.fr/VIRUS-1000154-fr--Trojan.Spammer.HotLan.A.html

increased internet activity;

TECHNICAL DESCRIPTION:
The trojan reads from http://[BLOCKED]/wemail/index.php a custom script
which it tries to interpret.
The script provides the following main actions:
- logon into an existing email account (@hotmail, @yahoo or @30gigs);
- read from http://[BLOCKED]/base.php coded information about an email to
send (To:, Cc:, Subject:, Body:);
- decode the email and send it;
- try to create new email account(@hotmail, @30gigs, @google);

Email accounts have the following pattern:
- @hotmail.com - swift3409494vlad45@hotmail.com
- @yahoo.com - ClaudiaWilder85@yahoo.com
- @yahoo.com - LeonardFernandez@yahoo.com"

So we are far away from some interpretations, where it is said that the Trojan
creates the email account itself...

http://www.net-actuality.org/news/5666-hotmail-et-yahoo-pris-pour-cible.html

recognition of letters in an image before an account is opened, this
virus is able to create mail accounts on the fly; up to "500
new accounts are created every hour," says Viorel Canja, researcher
at BitDefender."