The what-bot

Late on Monday, a lot of Russian ICQ users got sent this message:

Woland (23:07:23 7/09/2009)
Link to download the file Frogs.rar*********/********/Frogs.html
[– File sent via More details on the site: –]

If you’ve been using ICQ for a while or are even remotely security savvy, you know not to just click on links that get sent to you, even if they appear to come from a known contact. Instead, you’re going to try and check in some way whether it’s really a person who sent you the link, or just a bot. Turing tests are designed to distinguish humans from bots, and everyone’s come across CAPTCHAs, a reverse Turing test. Of course, if you’re on ICQ, you’re not going to use an image to check who’s on the other side of the screen, but you can ask a challenge question – after all, a computer can’t actually answer questions, can it?

But there’s a problem with this – if you get sent a link to a file, you’re going to automatically ask “What is it?” And this is where it gets interesting: the bot behind the link didn’t have any trouble answering this question.

Yuk(23:07:28 7/09/2009)
What is it?

Woland (23:07:28 7/09/2009)
An optical illusion puzzle funny )

This answer sounds pretty human, so why not download and run the file? The puzzle looks like this:

The frogs are just there to divert your attention. Working out which way they should jump is a nice little time-waster. But while you’re doing that, some malware (we detect it as bundled in the package is quietly stealing your ICQ login and password. And once it’s got those details, your password gets changed, and then the same link starts being sent to all your contacts from your account.

The bot’s not as intelligent as it first seems: it’s only able to answer questions which contain one of the following words: «что», «чо», «чё» , «че» , «шо» , «що» и «чито». (The first is standard Russian for “what” – the others are slang widely used on the Russian Internet.)

The whole thing is a neat little lesson: security doesn’t just depend on checking whether links were really sent by your friends, but also on thinking up challenge questions that no bot could ever answer!

The what-bot

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox