September 2007


In the last two days I got 3 mails from “BankOfAmerica” (sender: no-reply@google.com). The body of the mails is:

We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us.

If this is not completed by September 24, 2007, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner.

To confirm your Online Banking records click on the following link:
http://<<<censored>>>/www.bankofamerica.com/sslencrypt218bit/online_banking/index.php

Thank you for your patience in this matter.
Bank of America Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

© 2007 Bank of America Corporation. All rights reserved

Phishing! In the last few days there has been a large number of phishing attacks against Bank of America. There are several different kinds of mail, but the goal is always the same: they want to steal your account! The 3 mails I got are almost identical; the only difference is the date. I got two mails with “September 22” and one with “September 24”. Looking around the net I found an example with “September 17”; I fear they’ll send more in the future. Clicking the link put inside the mail redirects you to this page:

[screenshot: the BankOfAmerica login page the link leads to]

Nothing to say: it looks like the original login page. English is not my native language, but the text seems well written too. That’s why so many people are falling for this fraud.

What’s behind this page? When I don’t know what’s behind a link I start by looking at the page source code. The most interesting code resides inside scripts, and lately I’m using Malzilla for this purpose, but there are many other ways.
Anyway, the link inserted in the mail starts with a hex number, and it seems Malzilla is not able to recognize this kind of address. To get around this problem you only have to convert the address.

A little example: suppose you have a link like http://0x480ECD63 ; it resolves to http://72.14.205.99/, or rather www.google.it for me. The conversion from hexadecimal to decimal is made one byte at a time:
48h = 72
0Eh = 14
CDh = 205
63h = 99
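The conversion above, generalised to the other numeric host spellings browsers accept (a single decimal number, octal components with a leading 0, hex components, dotted forms with fewer than four parts), as an added example that is not code from the original post or from Malzilla. It follows the classic inet_aton() rules, where every leading component is one byte and the last component fills the remaining bytes, and rewrites the host to dotted-decimal so it can be compared against a blocklist or fed to a whois lookup.

```python
"""Decode the dotless and mixed-radix IP forms that phishing URLs use to hide a host.

Added example, not code from the original post or from Malzilla. A host such as
0x480ECD63 is the whole 32-bit address written as one hexadecimal number;
browsers also accept a single decimal number, octal components (leading 0) and
dotted forms with fewer than four parts, following the old inet_aton() rules.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

_COMPONENT = re.compile(r"0x[0-9a-f]*|[0-9]+", re.IGNORECASE)


def _component_to_int(part: str) -> int:
    """Parse one component the way inet_aton() does: 0x -> hex, leading 0 -> octal."""
    low = part.lower()
    if low.startswith("0x"):
        return int(low[2:], 16) if len(low) > 2 else 0
    if len(low) > 1 and low.startswith("0"):
        return int(low, 8)  # raises ValueError for things like "08"
    return int(low, 10)


def normalise_host(host: str) -> Optional[str]:
    """Return the dotted-decimal form of a numeric host, or None for a real hostname."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_COMPONENT.fullmatch(p) for p in parts):
        return None
    try:
        values = [_component_to_int(p) for p in parts]
    except ValueError:
        return None
    leading, last = values[:-1], values[-1]
    # inet_aton(): every leading component is one byte, the last one fills
    # whatever bytes remain (4 bytes for "0x480ECD63", 1 byte for "a.b.c.d").
    remaining_bits = 8 * (5 - len(values))
    if any(v > 255 for v in leading) or last >= (1 << remaining_bits):
        return None
    address = 0
    for v in leading:
        address = (address << 8) | v
    address = (address << remaining_bits) | last
    return str(ipaddress.IPv4Address(address))


def real_host(url: str) -> str:
    """Host of a URL, with numeric forms rewritten to dotted-decimal."""
    host = urlsplit(url).hostname or ""
    return normalise_host(host) or host


if __name__ == "__main__":
    # The post's example plus a few equivalent spellings of the same address.
    for sample in ("http://0x480ECD63/", "http://1208929635/",
                   "http://0x48.0x0E.0xCD.0x63/", "http://0110.016.0315.0143/",
                   "http://www.google.it/"):
        print(f"{sample:35} -> {real_host(sample)}")
```

Note that urlsplit() lowercases the hostname, so the case of the hex digits in the mail does not matter; a host that is not purely numeric is returned unchanged so the function can be dropped in front of any existing filter.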

There’s a lot of JavaScript in the background; almost all of the code is used to check that the user’s details are well formatted. When the user submits a well-formatted combination, the information is captured, nothing more.

It’s hard to believe, but people are falling for this trick again and again...

Just a quick post today. Here’s the tool I mentioned in a previous blog entry. I slightly modified something, but the concept is still the same. I wanted to add something more, but at the moment it’s only a new line in my to-do list...
I don’t think you need help using the tool, it’s pretty stupid.

The code was written in a few hours, but now I don’t have the time to test it carefully. For any bug/comment/criticism/whatever, feel free to contact me.

[screenshot: compare_vmware_snapshots.jpg]


I’m a great fan of Miranda, a really nice multi-protocol instant messenger. It supports MSN, ICQ, AIM, IRC and many others. I like it mainly because “Only the most basic features are built in”. I use it daily for talking with my friends on MSN and ICQ and I have never had a single problem with the software.

Just some days ago I discovered an MSN feature I’d never seen before: “Display Hotmail inbox”. It lets you go to your mailbox directly without entering your username and password. Cool, but... can someone else access my mailbox? I started investigating a little, trying to answer the question. The answer is: yes, it’s sometimes possible to obtain a Hotmail user’s password!

To view the Hotmail inbox, Miranda passes a parameter to your preferred browser. To discover the string you only have to look inside your browser’s URL box. The parameter is something like this (the string is shown split across a few lines here, but it’s a single long string):

https://login.live.com/ppsecure/md5auth.srf?lc=1020&auth=9VN2lfhRZE
hPsSuYC!AVZMtn77NqlTrjfW!J*p**hI0JGBWK!b1Yn5ijbqsqpbGK7bm6dilTFNo5F1yCdX
s1YvMHczdYbSVGjPSCQPHWohkTgCTziqN99LizO1l8!!_RCE&creds=8909d3e9d66
f34e622z6e6ff500mec66&sl=946&username=your_nick@hotmail.com&mode
=ttl&sid=507&id=2&rru=%2fcgi-bin%2fHoTMaiL&svc=mail&js=yes

This is the string used to access the mailbox. Think about this scenario: you are working with your PC and in the meantime someone (call him Bob) is running malware on your machine. You decide to read your (Hotmail) mail using Miranda’s MSN feature. The malware catches the parameter and sends it to Bob’s computer. You are reading your mail, and Bob? Bob is reading your mail too...
Another simple example: look inside Firefox’s history tab; the parameter is located somewhere in the list and it’s available to everyone. On a public computer anyone can read the parameter.

It’s not hard to get the string; there are several ways to easily catch the parameter. I decided to post a question in Miranda’s developer forum, just to know what they think about this behaviour. They kindly replied to me, but they are not planning to change the option. This is what they told me: “this parameter will change the next time you login. I might change it but there were no plans so far.” Yes, next time it will change, but not now, and one time could be enough.

The string is composed of several fields, with ‘&’ used to separate them; you’ll surely be able to find information about this kind of string on the net. At the moment I’m interested in three fields only:
auth=9VN2lfhRZEhPsSuYC!…iqN99LizO1l8!!_RCE
creds=8909d3e9d66f34e622z6e6ff500mec66
username=nick@hotmail.com

Three parts only:
username: contains the user’s mail address
auth: a very long string composed of two parts, a fixed part and a variable part. The variable part is the last 4 bytes of the auth string (“_RCE” in the example above). These 4 bytes are not always the same because they depend on the system time.
creds: obtained by applying the MD5 algorithm to the string formed by concatenating auth and password, where password is the user’s Hotmail password.

Now you should understand why they told me “this parameter will change the next time you login”. The current session remains valid for a few minutes; I don’t know exactly, I think from 5 to 10 minutes. Ok, but the question is: “am I able to retrieve the password by working a little on these 3 parameters?”
Theoretically, yes, but in practice it may not be easy because you have to deal with an MD5 hash. The scheme is simple:
MD5(auth+password) = creds
I don’t know any clever approach to the problem, so I tried writing a program able to find the password using the most stupid approach. You can imagine what kind of approach I’m talking about.
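The field layout and the MD5(auth+password) = creds relation from the last two sections, as an added example that is not code from the original post or from Miranda. The sample URL is constructed: the auth blob and the password are made-up values, so creds is computed here rather than captured from a real session. It shows the property that makes the leaked parameter dangerous: anyone holding the URL can check a password guess offline with a single MD5 call, with nothing sent to the server and nothing logged.

```python
"""Take apart a Hotmail md5auth.srf URL and check the relation creds = MD5(auth + password).

Added example, not code from the original post or from Miranda. SAMPLE_AUTH and
SAMPLE_PASSWORD are made-up values; the creds field of SAMPLE_URL is derived from
them, so the sample is internally consistent but not a real session.
"""
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit


def creds_for(auth: str, password: str) -> str:
    """The scheme described in the post: creds = hex(MD5(auth || password))."""
    return hashlib.md5((auth + password).encode("utf-8")).hexdigest()


def parse_md5auth(url: str) -> dict:
    """Return the username, auth and creds fields of an md5auth.srf URL."""
    query = parse_qs(urlsplit(url).query)
    return {key: query.get(key, [""])[0] for key in ("username", "auth", "creds")}


def password_matches(url: str, candidate: str) -> bool:
    """True when the candidate password reproduces the creds field of the URL.

    This is the offline check the post is worried about: one MD5 per guess,
    no interaction with login.live.com, so the server cannot rate-limit it.
    """
    fields = parse_md5auth(url)
    return creds_for(fields["auth"], candidate) == fields["creds"]


# Constructed sample session: a made-up auth blob (its final 4 bytes stand in
# for the time-dependent part) and a made-up password.
SAMPLE_AUTH = "9VN2lfhRZEhPsSuYC!MADEUP*AUTH!!_RCE"
SAMPLE_PASSWORD = "test1234"
SAMPLE_URL = "https://login.live.com/ppsecure/md5auth.srf?" + urlencode({
    "lc": "1020",
    "auth": SAMPLE_AUTH,
    "creds": creds_for(SAMPLE_AUTH, SAMPLE_PASSWORD),
    "username": "your_nick@hotmail.com",
    "svc": "mail",
})

if __name__ == "__main__":
    fields = parse_md5auth(SAMPLE_URL)
    print("username:", fields["username"])
    print("auth    :", fields["auth"])
    print("creds   :", fields["creds"])
    print("guess 'letmein' matches :", password_matches(SAMPLE_URL, "letmein"))
    print("guess 'test1234' matches:", password_matches(SAMPLE_URL, SAMPLE_PASSWORD))
```

Because the hash is unsalted beyond the auth blob and MD5 is fast, the cost of testing a guess is the cost of one MD5 over a short string; that is why the password itself is the only thing standing between a leaked URL and the account, and why its length and alphabet matter so much in the next section.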

I did a test with 7 friends of mine, sending them the program I wrote. 5 of them told me the program was able to find the password in a few minutes. I would say it’s a nice result, but it leads me to believe:
1. the approach works
2. they are using short passwords
It’s all in point number 2: how secure is your password?
Some months ago I read an interesting article about the passwords used by people (too bad I don’t remember the link). There was a nice diagram showing that a large share of people use short passwords (from 4 to 7 bytes) without symbols, numbers or capital letters. I bet almost all my friends are using simple passwords...

I would encourage everyone to use a *strong* password. There are many places around the internet explaining how to build a secure password. You can try looking at this one, a password checker from Microsoft; it has a link to a tutorial titled “Strong passwords: how to create and use them”. Try to follow some simple rules instead of using things like:
- your boyfriend’s/girlfriend’s/wife’s/husband’s name
- your dog’s name
- your birthday
and so on... This is a general rule, applicable not only to Hotmail and this specific case.
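To put numbers on the advice above, here is a small strength estimator, added here and not part of the original post. It works out which character classes a password draws from, the alphabet size that implies, and the equivalent bits; turning bits into a time estimate needs a guess rate, and the one million MD5 guesses per second used here is an assumed figure for a 2007-era desktop, not a measurement.

```python
"""A rough password-strength estimate, in the spirit of the advice above.

Added example, not from the original post. ASSUMED_GUESSES_PER_SECOND is an
assumption chosen for illustration, not a measured rate.
"""
import math
import string

ASSUMED_GUESSES_PER_SECOND = 1_000_000  # assumption, see module docstring


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that contains every character used."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    )
    size = sum(n for chars, n in classes if any(c in chars for c in password))
    if any(c not in string.printable for c in password):
        size += 100  # rough allowance for non-ASCII characters (assumption)
    return size


def strength_bits(password: str) -> float:
    """Entropy of a random password of this length over this alphabet."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def worst_case_seconds(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole alphabet**length space at the given guess rate."""
    return alphabet_size(password) ** len(password) / rate


def verdict(password: str) -> str:
    """'weak', 'fair' or 'strong', judged by length and estimated bits."""
    bits = strength_bits(password)
    if len(password) < 8 or bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    return "strong"


if __name__ == "__main__":
    # Constructed samples: the kinds of password the post warns against, and a better one.
    for pw in ("rex", "19850412", "password", "marydog2007", "Correct-Horse-42"):
        print(f"{pw:18} alphabet={alphabet_size(pw):3} bits={strength_bits(pw):6.1f} "
              f"exhaustive search={worst_case_seconds(pw):14.1f}s verdict={verdict(pw)}")
```

The estimate assumes the password is chosen at random from its alphabet, which is the best case; a dog’s name or a birthday is drawn from a far smaller set, so the real figures for such passwords are even worse than the numbers printed here.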

Ok, I’m at the end of this sort of proof of concept. I don’t know if they (Miranda’s developers) have to change something in the ‘Display Hotmail inbox’ implementation; maybe it’s only paranoia... I’m curious to see how other IM programs manage this feature: do they have the same problem?

I’ll continue to use Miranda btw, it’s a really nice program!