Hotlan Trojan defeats captcha

Summary: Antivirus vendor BitDefender believes that a new Trojan is able to circumvent the 'captcha' verification process in Hotmail and Yahoo mail to create spamming accounts

A new Trojan horse that sends spam through Hotmail and Yahoo email accounts has antivirus companies worried that the commonly used "captcha" system, used to prove new members are real people, may have been compromised.

Captcha systems typically use a selection of alphanumeric characters that have been distorted and presented in a graphic with other elements designed to confuse character-recognition software. The idea is that, as only a person can read it and type in the correct sequence, spam bots and other malware can be stopped from automatically setting up accounts.

The new threat was highlighted on Thursday by BitDefender Labs, which has dubbed it Trojan.Spammer.HotLan.A.

"The Trojan uses automatically generated accounts, suggesting that spammers have found a way to bypass the captcha systems," the company said in a statement.

Every active copy of the Trojan accesses an account, then pulls encrypted spam emails from a website, decrypts them and sends them to (presumably valid) addresses taken from yet another website, BitDefender continued.

Viorel Canja, head of BitDefender's antivirus labs, said there are "only" about 500 or so new accounts being created in this attack every hour, and 15,000-plus Hotmail accounts had already been used.

Yahoo could not be immediately contacted for comment.

The spam email currently being distributed is trying to lead users to a site that advertises pharmacy products. Common spammer techniques are used in the email body, added BitDefender.

Talkback

1 comment
  • The creation of email accounts is probably semi-automatic

    In my humble opinion, captcha is not circumvented: the creation of email accounts is semi-automatic:

    Explanation:

    1) Seen on http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62027948-39000005c

    BitDefender declares:
    "Viorel Canja, head of BitDefender's anti-virus labs, said there are "only" about 500 or so new accounts being created in this attack every hour, and 15,000-plus Hotmail accounts had already been used."

    I think that the attack could be semi-automatic: automatic registration, automatic display of the captcha in a simple GUI, MANUAL entry of the captcha value, automatic validation, and so on.


    500 email accounts per hour is one every 7 seconds: just enough for a person to enter a captcha value on the keyboard.
    At that rhythm, you only have to pay a few dollars to some "dumb" people to do the job.


    2) Some interpretations of BitDefender's declaration are not always objective:


    Seen on http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62027948-39000005c

    BitDefender declares:
    "The Trojan uses automatically generated accounts, suggesting that spammers have found a way to bypass the captcha systems," the company said in a statement.

    => "Uses" => accounts are already generated. "Automatically" and "suggesting" are confusing:

    there is no proof that the account creation is automatic (500/hour is very few for an automatic process) => no proof that the captcha system is circumvented.


    Look carefully at the Trojan description on BitDefender's website. You can see that it is confirmed that it uses EXISTING accounts

    http://www.bitdefender.fr/VIRUS-1000154-fr--Trojan.Spammer.HotLan.A.html

    " SYMPTOMS: There aren't any obvious symptoms of this malware, except increased internet activity;

    TECHNICAL DESCRIPTION:
    The trojan reads from http://[BLOCKED]/wemail/index.php a custom script which it tries to interpret.
    The script provides the following main actions:
    - logon into an existing email account (@hotmail, @yahoo or @30gigs);
    - read from http://[BLOCKED]/base.php coded information about an email to send (To:, Cc:, Subject:, Body:);
    - decode the email and send it;
    - try to create new email account(@hotmail, @30gigs, @google);

    Email accounts have the following pattern:
    - @hotmail.com - swift3409494vlad45@hotmail.com
    - @yahoo.com - ClaudiaWilder85@yahoo.com
    - @yahoo.com - LeonardFernandez@yahoo.com"



    So we are far away from some interpretations, where it is said that the Trojan creates the email account itself...

    http://www.net-actuality.org/news/5666-hotmail-et-yahoo-pris-pour-cible.html

    " En d
    secumind
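The comment above argues from the 500-accounts-per-hour figure that the sign-ups could be human-paced (one captcha solved every 7 seconds or so) rather than fully automated. The script below is an added example, not code from the article, from BitDefender or from the commenter. It is written from the side of a mail provider's abuse team: it parses a constructed registration log, computes the sustained creation rate and the gaps between consecutive creations, and groups usernames by their letter/digit shape, so that an analyst can tell a machine-paced burst (sub-second gaps) from a human-in-the-loop stream and spot sign-ups that share a naming template like the ones BitDefender lists. The log format, the 3-second "human minimum" threshold and all sample lines are assumptions.

```python
"""Registration-pacing analysis: added example, not part of the ZDNet article
or BitDefender's report. Reports creation rate, inter-arrival gaps and
username shapes for a stream of account sign-ups."""

import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample lines in a hypothetical "timestamp,username" format;
# a real registration log would differ. Three names are the patterns quoted
# from BitDefender's description, the rest are made up in the same style.
SAMPLE_LOG = """\
2007-07-26T10:00:00,swift3409494vlad45
2007-07-26T10:00:07,ClaudiaWilder85
2007-07-26T10:00:15,LeonardFernandez
2007-07-26T10:00:22,brook1182273tom19
2007-07-26T10:00:29,MarthaGreene62
2007-07-26T10:00:36,rover2204918ann7
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}),(?P<user>\S+)$")


def parse_log(text):
    """Return [(datetime, username)] sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"]))
    events.sort(key=lambda e: e[0])
    return events


def inter_arrival_seconds(events):
    """Gaps in seconds between consecutive account creations."""
    return [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]


def creations_per_hour(events):
    """Sustained rate extrapolated from the time span the events cover."""
    if len(events) < 2:
        return 0.0
    span = (events[-1][0] - events[0][0]).total_seconds()
    if span <= 0:
        return float("inf")  # several creations in the same second
    return (len(events) - 1) / span * 3600.0


def pacing(events, human_min_gap=3.0):
    """'automated' if any gap is shorter than a person could plausibly read and
    type a captcha (threshold is an assumption), otherwise 'human-paced'."""
    gaps = inter_arrival_seconds(events)
    if not gaps:
        return "insufficient-data"
    return "automated" if min(gaps) < human_min_gap else "human-paced"


def username_shape(name):
    """Collapse letter runs to 'a' and digit runs to '9', so that
    swift3409494vlad45 -> 'a9a9' and ClaudiaWilder85 -> 'a9'; names generated
    from one template share a shape."""
    return re.sub(r"\d+", "9", re.sub(r"[A-Za-z]+", "a", name))


def shape_counts(events):
    return Counter(username_shape(user) for _, user in events)


def summarize(text):
    events = parse_log(text)
    gaps = inter_arrival_seconds(events)
    return {
        "accounts": len(events),
        "per_hour": round(creations_per_hour(events), 1),
        "median_gap_s": median(gaps) if gaps else None,
        "pacing": pacing(events),
        "shapes": dict(shape_counts(events)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the extrapolated rate comes out at exactly 500 per hour with a median gap of 7 seconds, which the script classifies as human-paced; a log with two creations in the same second would be classified as automated. The shape counter is deliberately crude: it does not prove abuse, it only surfaces groups of names that are worth a closer look.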