
The what-bot

Late on Monday, a lot of Russian ICQ users got sent this message:

Woland (23:07:23 7/09/2009)
Link to download the file Frogs.rar
http://file.qip.ru/file/*********/********/Frogs.html
[– File sent via file.qip.ru. More details on the site: http://file.qip.ru –]

If you’ve been using ICQ for a while or are even remotely security savvy, you know not to just click on links that get sent to you, even if they appear to come from a known contact. Instead, you’re going to try and check in some way whether it’s really a person who sent you the link, or just a bot. Turing tests are designed to distinguish humans from bots, and everyone’s come across CAPTCHAs, a reverse Turing test. Of course, if you’re on ICQ, you’re not going to use an image to check who’s on the other side of the screen, but you can ask a challenge question – after all, a computer can’t actually answer questions, can it?

But there’s a problem with this – if you get sent a link to a file, you’re going to automatically ask “What is it?” And this is where it gets interesting: the bot behind the link didn’t have any trouble answering this question.

Yuk (23:07:28 7/09/2009)
What is it?

Woland (23:07:28 7/09/2009)
An optical illusion puzzle funny )

This answer sounds pretty human, so why not download and run the file? The puzzle looks like this:

The frogs are just there to divert your attention. Working out which way they should jump is a nice little time-waster. But while you’re doing that, some malware (we detect it as Hoax.Win32.IMPass.al / Hoax.Win32.IMPass.am) bundled in the package is quietly stealing your ICQ login and password. And once it’s got those details, your password gets changed, and then the same link starts being sent to all your contacts from your account.

The bot’s not as intelligent as it first seems: it’s only able to answer questions which contain one of the following words: «что», «чо», «чё», «че», «шо», «що» and «чито». (The first is standard Russian for “what” – the others are slang widely used on the Russian Internet.)

The whole thing is a neat little lesson: security doesn’t just depend on checking whether links were really sent by your friends, but also on thinking up challenge questions that no bot could ever answer!
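A further check, beyond what the post itself describes: in the transcript quoted above, the bot's answer carries the same timestamp as the question. This added example (not Kaspersky's code) parses a log in the quoted format and flags replies from a link-sending contact that arrive faster than a person could type; the 10 characters-per-second ceiling and the last two turns of the sample are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Header format quoted in the post: "Name (HH:MM:SS D/MM/YYYY)"
HEADER = re.compile(r"^(?P<who>.+?)\s*\((?P<ts>\d{2}:\d{2}:\d{2} \d{1,2}/\d{2}/\d{4})\)$")
URL = re.compile(r"https?://\S+")
MAX_CHARS_PER_SEC = 10  # assumption: generous ceiling for human typing speed

# First three turns are from the post; the last two are constructed for contrast.
SAMPLE = """\
Woland (23:07:23 7/09/2009)
Link to download the file Frogs.rar
http://file.qip.ru/file/*********/********/Frogs.html
Yuk (23:07:28 7/09/2009)
What is it?
Woland (23:07:28 7/09/2009)
An optical illusion puzzle funny )
Yuk (23:09:02 7/09/2009)
ok, is that really you?
Woland (23:09:40 7/09/2009)
yes, why?
"""

def parse(log):
    """Return a list of (sender, datetime, text) tuples, one per message."""
    messages = []
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S %d/%m/%Y")
            messages.append([m["who"], ts, ""])
        elif messages and line.strip():
            messages[-1][2] += line.strip() + "\n"
    return [(who, ts, text.strip()) for who, ts, text in messages]

def suspicious_replies(log):
    """Flag replies from a contact who sent a link that arrive too fast to be typed."""
    msgs = parse(log)
    link_senders, flagged = set(), []
    for prev, cur in zip([None] + msgs, msgs):
        who, ts, text = cur
        if URL.search(text):
            link_senders.add(who)
        if prev and prev[0] != who and who in link_senders:
            # Timestamps have 1-second resolution, so treat 0 s as "under 1 s".
            seconds = (ts - prev[1]).total_seconds()
            if len(text) > MAX_CHARS_PER_SEC * max(seconds, 1):
                flagged.append((who, text, seconds))
    return flagged
```

On the sample, only the 34-character answer that arrived in the same second as the question is flagged; the constructed 38-second reply is not.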
