New MSN Privacy Threat – ultimatestufff.com

Hi,

Today I was informed of a new privacy threat spread through MSN.

Offline contacts send the following link to all of their online contacts: http://ultimatestufff.com/

Let’s see how ultimatestufff works.

A first look at the HTTP response suggests that this web service runs on a small private server:

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 345
Date: Sun, 17 Aug 2008 13:04:33 GMT
Server: lighttpd/1.4.19

The tell is the Server header: lighttpd, and a 345-byte front page.

The content of the first page is similar to my previous MSN malicious-website discovery; indeed we have:

<html>
<head>
<title></title>
</head>
<frameset rows="*,30,1" frameborder=0>

<frame src="indexx.php" name="">
<frame src="abuse.html" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="counter.php" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>

</frameset>
</html>

-> abuse.html

<center><b>Send Abuses to <a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b>

It looks exactly like the previous case, only without the Java obfuscation.

-> counter.php

<img src="http://www.ipcounter.de/count.php?u=52572355&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript><img src="http://www.ipcounter.de/count.php?u=54136814&amp;color=pink" alt="" border="0" width=0 height=0></a></noscript>

And finally the most interesting part, indexx.php, which redirects to:

http://www.incentaclick.com/nclick.php?id=14955&cid=3674&sub=newadx

This time a bigger player is involved: the redirect goes through Incentaclick, a well-known ad-tracking service, which sets tracking cookies:

HTTP/1.1 200 OK
Date: Sun, 17 Aug 2008 05:06:08 GMT
Server: Apache
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC367414955=367414955newadx; expires=Tue, 16-Sep-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie3674=14955-newadx; expires=Sat, 15-Nov-2008 05:06:08 GMT; path=/; domain=www.incentaclick.com
P3P: CP="NOI DSP COR NID"
Content-Length: 184
Connection: close
Content-Type: text/html; charset=UTF-8

And this is the source code:

<html><head><title>Incentaclick Media</title><meta http-equiv='refresh' content="0;url=http://www.perfspot.com/join.asp?LanguageID=1&p=98958&t=14955-newadx"></head><body></body></html>

As you can see, a meta refresh with a delay of 0 redirects the user instantly to yet another
website:

http://www.perfspot.com/join.asp?languageid=1&p=98958&t=14955-newadx

An ordinary visitor never sees the hop through Incentaclick, but still ends up with its cookies. Note that the same identifiers (14955, newadx) appear both in the cookie values and in the t= parameter handed to Perfspot, so the sign-up can be tied back to this campaign.
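To make the chain concrete, here is an added example (my own analysis script, not code from the original post nor from any of the sites involved) that replays the captured responses offline: it parses the frameset, follows the meta refreshes, records the third-party beacons loaded by counter.php, and reports every tracking cookie with its lifetime computed against the response's own Date header. The headers and bodies are the ones quoted above, embedded as constructed fixtures; the body of indexx.php is not shown in the post, so the script assumes it reaches Incentaclick through a meta refresh.

```python
"""Replay the ultimatestufff -> Incentaclick -> PerfSpot chain offline.
Added example, not code from the original post.  RESPONSES are fixtures
rebuilt from the headers/bodies quoted in the post; the body of indexx.php
was not shown there, so a meta refresh is ASSUMED for that hop.
"""
import re
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

START = "http://ultimatestufff.com/"
INCENTA = "http://www.incentaclick.com/nclick.php?id=14955&cid=3674&sub=newadx"
PERFSPOT = "http://www.perfspot.com/join.asp?LanguageID=1&p=98958&t=14955-newadx"
EXP30, EXP90 = "Tue, 16-Sep-2008 05:06:08 GMT", "Sat, 15-Nov-2008 05:06:08 GMT"

RESPONSES = {  # constructed fixtures: url -> (headers, body)
    START: ([("Server", "lighttpd/1.4.19")],
            '<frameset rows="*,30,1" frameborder=0><frame src="indexx.php" name="">'
            '<frame src="abuse.html"><frame src="counter.php"></frameset>'),
    START + "indexx.php": ([], '<meta http-equiv="refresh" content="0;url=%s">' % INCENTA),  # ASSUMED body
    START + "counter.php": ([], '<img src="http://www.ipcounter.de/count.php?u=52572355&amp;color=pink" width=0 height=0>'
                                '<img src="http://www.ipcounter.de/count.php?u=54136814&amp;color=pink" width=0 height=0>'),
    INCENTA: ([("Date", "Sun, 17 Aug 2008 05:06:08 GMT"),
               ("Set-Cookie", "IncentaclickUC367414955=367414955newadx; expires=%s; path=/; domain=.incentaclick.com" % EXP30),
               ("Set-Cookie", "IncentaclickUC367414955=367414955newadx; expires=%s; path=/; domain=www.incentaclick.com" % EXP30),
               ("Set-Cookie", "IncentaclickTrackCookie3674=14955-newadx; expires=%s; path=/; domain=.incentaclick.com" % EXP90),
               ("Set-Cookie", "IncentaclickTrackCookie3674=14955-newadx; expires=%s; path=/; domain=www.incentaclick.com" % EXP90)],
              "<html><head><title>Incentaclick Media</title><meta http-equiv='refresh' "
              'content="0;url=%s"></head><body></body></html>' % PERFSPOT),
}

class _Scanner(HTMLParser):
    """Collect frame/iframe sources, <img> beacons and the meta-refresh content."""
    def __init__(self):
        super().__init__()
        self.frames, self.images, self.refresh = [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # HTMLParser lowercases attribute names
        if tag in ("frame", "iframe") and a.get("src"):
            self.frames.append(a["src"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refresh = a.get("content", "")

def parse_refresh(content):
    """'0;url=http://x' -> (0, 'http://x'); None if the refresh does not redirect."""
    m = re.match(r"""\s*(\d+)\s*[;,]\s*url\s*=\s*['"]?([^'"\s]+)""", content or "", re.I)
    return (int(m.group(1)), m.group(2)) if m else None

def walk(url, responses=RESPONSES, steps=None):
    """Depth-first walk over frames, images and meta refreshes.  Each step is
    (url, how_reached); URLs without a fixture (PerfSpot, ipcounter) stay leaves."""
    if steps is None:
        steps = [(url, "start")]
    if url not in responses:
        return steps
    sc = _Scanner()
    sc.feed(responses[url][1])
    nxt = [(urljoin(url, f), "frame") for f in sc.frames]
    nxt += [(urljoin(url, i), "img") for i in sc.images]
    r = parse_refresh(sc.refresh)
    if r:
        nxt.append((urljoin(url, r[1]), "refresh(%ds)" % r[0]))
    for n, how in nxt:
        if n not in [s[0] for s in steps]:              # loop guard: visit each URL once
            steps.append((n, how))
            walk(n, responses, steps)
    return steps

def hosts(steps):
    """Distinct hosts the browser would contact, in first-contact order."""
    return list(dict.fromkeys(urlparse(u).hostname for u, _ in steps))

def parse_http_date(s):
    """Accept both RFC 1123 and the dashed Netscape cookie date format."""
    for fmt in ("%a, %d %b %Y %H:%M:%S GMT", "%a, %d-%b-%Y %H:%M:%S GMT"):
        try:
            return datetime.strptime(s.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised HTTP date: %r" % s)

def cookies_dropped(steps, responses=RESPONSES):
    """(host, cookie name, cookie domain, lifetime in days) for every Set-Cookie on
    the chain; lifetime is measured against that response's own Date header."""
    out = []
    for url, _ in steps:
        headers = responses.get(url, ([], ""))[0]
        date = next((v for k, v in headers if k.lower() == "date"), None)
        for k, v in headers:
            if k.lower() != "set-cookie":
                continue
            attrs = {a.strip().lower(): b.strip() for a, _, b in (p.partition("=") for p in v.split(";")[1:])}
            days = ((parse_http_date(attrs["expires"]) - parse_http_date(date)).days
                    if date and "expires" in attrs else None)
            out.append((urlparse(url).hostname, v.split(";")[0].split("=")[0], attrs.get("domain"), days))
    return out
```

Running walk(START) yields the browser's view of the visit: ultimatestufff.com, then Incentaclick by a 0-second refresh, then PerfSpot, plus the two ipcounter.de beacons from counter.php; cookies_dropped() on that chain lists the two Incentaclick cookies (each set twice, for .incentaclick.com and www.incentaclick.com) with lifetimes of 30 and 90 days. Swap the fixtures for live responses captured with any HTTP client and the same code walks a real chain.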

Perfspot is a website that offers a meeting service.

It’s interesting to see that during registration the user is asked for his MSN/LinkedIn/Live account, and this is the point where a careless user gives Perfspot access to his contact list, which is how the invitations reach other users.

Another interesting point: once registration is complete, you are automatically sent to a geo-location page that matches the location of the offline contact who sent you the invitation.

Here are the domain details for ultimatestufff.com:

Domain Information

ICANN Registrar: ENOM, INC.
Created: 2008-08-15
Expires: 2009-08-15
Updated: 2008-08-15
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 94,989 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com


Server Data

IP Address: 210.56.53.73
IP Location Hong Kong – Hong Kong (sar) – Hong Kong – Sun Network (hong Kong) Limited
Response Code: 200
Domain Status: Registered And Active Website

What to say..I’m a proud paranoid!!!🙂

See you at the next post..

PS: I’m open to job offerings!🙂

7 Responses to New MSN Privacy Threat – ultimatestufff.com

  1. Danny says:

    Some good information here, and I wanted to let people know that it would come in as:
    http://Danny.invite.UltimateStufff.com

    So let’s say my msn is Danny@hotmail.com, it would be that.

  2. Tarcisio Reynes says:

    Okay so it seems you are very knowledgeable about these things. I am getting IMs from an unsigned MSN buddy of mine to visit that particular site. So does that mean that my PC is infected by some virus or spam, or is it coming from my buddy’s machine?
    And if so, how can I fix it, or report it, or whatever I need to do to make it stop?

  3. evilcodecave says:

    Hi,

    @Danny
    Yes Danny, ultimatestufff creates this fake subdomain just for social engineering purposes; it has more impact on a basic user😉

    @Tarcisio:
    As written in the subject of this post, this is only a Privacy Threat, not a Malware Spreading System, so there is no malware (coming from that site) on your PC🙂

    Regards,
    Evilcry

  4. Casper says:

    How do you make it go away? I have had two friends from my contacts list tell me that I have sent this message to them. I changed my MSN password and cleared all cookies. Is that enough to stop it?

  5. evilcodecave says:

    Hi,

    Change password and clear cookies.

    Regards,
    Evilcry

  6. Tarcisio Reynes says:

    Thank you for the advice

  7. […] New MSN Privacy Threat – ultimatestufff.com « Evilcodecave's Weblog […]
