Security Risk in Live Messenger Build 14.0.8064.206

 
 
nak
05-27-2009
Hi there,

I've just come across a security risk in live messenger which is enabling a
worm to travel around pretty quickly on the service. Basically all someone
has to do is click on the links sent by one of their contacts and BAM,
you're infected, it will then send itself to your own contacts.

An example of such messages....

----

come chat with me here waiting for you....

http://<msnusername>.flick-photoz.com/

----

Hey!
http://www.adultdatezzzz.com/chat.php

----

Come chat with lots of singles for FREE !!
I am to be found here from now on:

http://<msnusername>.soulmateseekerz.com/adultchat.php brb

----

replace <msnusername> for the first part of your live ID, i.e.
>bob<@msn.com


I've just witnessed this transfer itself between 2 MSN clients, thankfully
neither of which were mine.

I'm not sure that this is a Live Authentication security flaw as even after
closing Live Messenger it remains open sending messages, the only way to
stop it completely is to terminate it via task manager. The next time you
restart messenger it will start again. I've suggested resetting the Live ID
of the affected accounts and will report as to whether that works or not!

Nick.

 
nak
05-27-2009
Resetting the Live ID password fixes it.

Rage Skywolfe
05-28-2009
is this something new or is it something that has been around before....if
they are unusual links you don't click on them anyway. if you have any doubts
ask the contact who sent them :s
--
Four Generations Of Trust And Betrayal...One Legacy

Skywolfe

nak
05-28-2009
> is this something new or is it something that has been around before....if
> they are unusual links you don't click on them anyway. if you have any doubts
> ask the contact who sent them :s

"I've just witnessed this transfer itself between 2 MSN clients, thankfully
neither of which were mine."

And that doesn't stop this being a security risk and it doesn't stop the
fact that this is spreading like wildfire on the network at current.

Look at it like this, if Microsoft have removed the most recent API for
messenger so I can't even make a simple Add-in that enables me to automate
message replies etc. then how on earth is this thing doing it? It's
obviously a security risk, and if it requires a change of password then it's
a pretty big security risk.

With that said it obviously needs to be addressed lol!

Nick.

 
Rage Skywolfe
05-28-2009
> Hi there,
>
> I've just come across a security risk in live messenger which is enabling a
> worm to travel around pretty quickly on the service. Basically all someone
> has to do is click on the links sent by one of their contacts and BAM,
> you're infected, it will then send itself to your own contacts.

click the link and you are infected.... seems to me this has been going on
for a while now. I have gotten links like that on 8.5 and this version as
well. but the way you are making it sound, it is as though all you have to do is
log into messenger and you are infected... if it is in the link. don't click
the link which is why I said ask the contact first... and in some cases it
has to be removed via Malwarebytes and other programs to get the infection
off of there. have had that happen to a friend recently. then you can reset
the password.
--
Four Generations Of Trust And Betrayal...One Legacy

Skywolfe

nak
05-28-2009
> I didn't SAY THAT YOU CAN TELL SOMEONE TO CLICK ON A LINK DID I No I don't
> know anything about software development because for one thing I know nothing
> about it. WHAT I AM SAYING is that this has been going on for oh I dunno
> months now? and you are just now discovering this? I am sorry if maybe I am
> missing the point on this here but YES I DO READ. and just how is it
> possible to block a domain when you have no clue what the domain is? the
> links are different each time.... I do agree that things could probably be
> patched against it but it would be finding where the problem ORIGINATES in
> the first place that would be hard to track in the first place. and if
> asking questions or possibly being concerned about something is not
> "intelligent" in your eyes then I am deeply sorry.


WTF? You quite clearly told me not to click on the link.

I had already said twice that I hadn't clicked the link, 2 of my contacts
had. So get your facts straight. You then told me to tell them to not
click the link, want proof?

"... if it is in the link. don't click the link..."

It's pretty black and white, and I did not say you merely log into
messenger, I said once the link is clicked, that's it until you have changed
your credentials. I have contacts who restart their PC and the problem
persists, so it's quite evidently a major security flaw. Which you aren't
prepared to try and resolve because you think it's impossible to fix, hence
why you lack intelligence.

Oh wow, so you have been experiencing this for months now and not at least
attempted to have anything done about it which is exactly what I'm trying to
do.

Yes it can be stopped, here are a number of ways,

1. A security mode option, low security would allow all URLs through, tight
security would only allow trusted domains through. A domain would be trusted
after you have allowed it through.
2. A way of reporting URLs that are malicious, the URLs could then be
investigated by MSN staff who don't mind having their account credentials
stolen from under their feet.
3. CAPTCHA verification upon attempting to send a URL, no matter how anal
it sounds it would have stopped this issue from ever occurring.

I'm not sure how you use the newsgroup but it clearly isn't for attempting
to improve the product.

You haven't shown any concern in the slightest, you told me not to click the
link, next you will be teaching your grandmother how to suck eggs. I was
reporting a security risk, if this is not something you deal with then
ignore the post, there are no prizes here.


 
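A sketch of the first mitigation in nak's list above (a low/tight security mode with a trust-on-allow host list), added here as an example; it is not code from Messenger or from any poster. The names `LinkFilter`, `check` and `allow` are hypothetical, and the extra "flag" verdict for hosts whose first label equals the local part of the sender's or recipient's Live ID is an assumption drawn from the message format quoted at the top of the thread.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

class LinkFilter:
    """'low' passes every URL; 'tight' passes only hosts the user has trusted."""

    def __init__(self, mode="tight", trusted=()):
        if mode not in ("low", "tight"):
            raise ValueError("mode must be 'low' or 'tight'")
        self.mode = mode
        self.trusted = {d.lower() for d in trusted}

    @staticmethod
    def _host(url):
        try:
            return (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed authority such as "http://[bad"
            return ""

    def _is_trusted(self, host):
        # A trusted entry covers that host and anything beneath it.
        return any(host == d or host.endswith("." + d) for d in self.trusted)

    def allow(self, url):
        """The user let this link through once: trust its host from now on."""
        host = self._host(url)
        if host:
            self.trusted.add(host)

    def _verdict(self, host, names):
        labels = host.split(".")
        if host and self._is_trusted(host):
            return "pass"
        if len(labels) > 2 and labels[0] in names:
            return "flag"  # lure shape quoted in the thread; flagged in either mode
        return "pass" if self.mode == "low" else "hold"  # hold = ask the user first

    def check(self, text, sender_id, recipient_id):
        """Return [(url, verdict)] for every URL in one incoming message."""
        names = {i.split("@", 1)[0].lower() for i in (sender_id, recipient_id)} - {""}
        return [(u, self._verdict(self._host(u), names)) for u in URL_RE.findall(text)]

# Constructed sample: the message bodies quoted in the thread, as if sent by bob@msn.com.
SAMPLES = [
    "come chat with me here waiting for you.... http://bob.flick-photoz.com/",
    "Hey! http://www.adultdatezzzz.com/chat.php",
    "I am to be found here from now on: http://bob.soulmateseekerz.com/adultchat.php brb",
]

def demo(mode):
    f = LinkFilter(mode)
    return [v for s in SAMPLES for _, v in f.check(s, "bob@msn.com", "alice@example.com")]
```

`demo("tight")` holds the plain link for a user decision, while the two personalised hosts are flagged in both modes; a host only passes in tight mode after `allow()` has recorded it.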
 
Rage Skywolfe
05-28-2009
lol!1 I have nothing to do with the formation of anything or FIXING of
anything I am a user the same as you are....if that is a problem then I am
sorry for answering to a post.
--
Four Generations Of Trust And Betrayal...One Legacy

Skywolfe

nak
05-28-2009
> lol!1 I have nothing to do with the formation of anything or FIXING of
> anything I am a user the same as you are....if that is a problem then I am
> sorry for answering to a post.


I know that! lol! I never thought you were. But you were trying to stop me
from proceeding any further with getting the problem resolved by saying it's
the user's fault for clicking the link. That's my only problem with your
reply.

It's nothing personal

 
Rage Skywolfe
05-28-2009
lol ok. you did bring up a good point in that post though of making it to
where links could be reported. but it would still be finding the exact
location to where it would be coming from because it seems like they are
popping up everywhere these days. and the links change every time. I think
when I was first hearing about this it was going around as a file transfer.
and that was back on I am gonna say either 8.1 or 8.5 not real sure.
--
Four Generations Of Trust And Betrayal...One Legacy

Skywolfe

Jonathan Kay [MVP]
05-29-2009
Greetings Nak,

Could you provide more information? Windows version, IE (or whichever browser is being used)
version, Messenger version.

I set up a test environment here with Windows XP and a few Messenger versions and at no point
was Messenger compromised, nor the browser.

Messenger's API can't be accessed by anyone through IE except Microsoft sites and with the
latest versions, it's even made more difficult.

With an up-to-date system, you would actually need to download and execute something.

May I enquire what you meant by "reset" the Live ID -- do you mean the Live ID password? If
so, are you suggesting that it grabs your Live ID credentials (which is possible if there is
a program executing in the user's profile), then using those credentials to sign in and send
messages (also possible, as of Messenger 2009, although this would be the first time I've
seen that used for malware)?

Thanks!

--
Jonathan Kay
Microsoft MVP - Windows Live Messenger
MSN Messenger/Windows Messenger
MessengerGeek Blog: http://www.messengergeek.com
Messenger Resources: http://messenger.jonathankay.com
(c) 2009 Jonathan Kay - If redistributing, you must include this signature or citation
--