Wednesday, December 26, 2007

MSN messenger built-in AV

The two things that hackers do are (1) run a debugger, so that when a program they use (like Firefox or IE) crashes they can figure out why, and (2) run a sniffer, so that they can look at their own packets.

While sniffing my MSN connection, I saw a small XML file being transferred from the server. It contains a bunch of Policy.Shield.Config.Block elements consisting of regular expressions (the ones I got are listed below). Microsoft blocks messages containing these strings.

Googling items on the list finds a bunch of interesting information. To start with, you find links to anti-virus information for the trojans/worms/viruses named in the regexps. I also found this story on Slashdot that calls this filtering "censorship" (because, of course, everything that Microsoft does is a conspiracy). This blogger found a much longer list back in August: apparently, Microsoft is constantly editing the list. This other blogger found a different list 12 days ago. The changes found in only a few days suggest that Microsoft is constantly monitoring what's going on, and as threats appear, they quickly move to counter them.

Apparently, Microsoft blocks these patterns on the server. I wonder why this list is sent to the client. Is it so that the client can display the server policy to the user if they are curious? I couldn't find where this list is displayed in the client, although I wasn't looking very hard. The earliest reference to this list I can find is 2005, maybe I need a newer client to display the list.

The items in this list identify "wormable" messages. There are several types of MSN worms.

One type of a worm would exploit a vulnerability, like this worm from 2002 that exploited an Internet Explorer bug through JavaScript. Microsoft uses/used Internet Explorer to render incoming instant messages, which meant that any IE bug was a potential MSN worm.

Another type of worm is more like a virus. It sends a file, or a link to a file on a server, to everyone in the MSN buddy list. Once a victim infects themselves, the program scans the new buddy list and sends a copy to those friends as well. Thus, the worm spreads from friend to friend, leaving a virus, trojan or botnet behind.

Another type of worm is even easier. The last filter on the Microsoft list is simply a website that promises to list all the people who have deleted you as a buddy -- if you just give them your username/password. Of course, what it (probably) really does is send a message to all of your buddies advertising the website. I would guess that it also uses the same login credentials to get into your Hotmail or other Windows Live services. My guess is that it's ultimately trying to harvest lists of e-mail addresses, which are worth money in the hacker economy (for use in phishing attacks).

I find attacks interesting because of what they teach us about human nature. Presumably Microsoft added a filter for "blockdelete.com" because it was being effective, which means a lot of people are insecure about being removed from a buddy's buddy list.


\.pif
\.scr
miralafoto/foto\.exe
tufoto
verti2/fantasma\.zip
imp\.exe
bush-gracioso\.exe
get-messenger
album\.zip
photos\.zip
2nnvc7
blockinrio
messaging-names
images\.zip
myalbum2007\.zip
img301\.zip
img1756\.zip
hoto234\.zip
pic\.zip
g038_jpg\.zip
secretimages56\.zip
love33\.zip
monica\.zip
img-0012\.zip
imag091307\.zip
pic1273\.zip
img-3773\.zip
img-6434\.zip
img-8197\.zip
img-0950\.zip
picts-7053\.zip
pictura002
mypictures\.zip
image25\.zip
pics\.zip
msn-check-contacts-54\.tk
blockdelete\.com
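To make the policy concrete, here is an added example (not code from the post or from Microsoft) that parses a constructed policy file, compiles the Block regexes from the list above, and runs a few constructed messages through them. The element path Policy.Shield.Config.Block is from the post; laying it out as nested elements with one regex per Block, and matching case-insensitively, are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the policy file seen on the wire. The element path
# Policy.Shield.Config.Block comes from the post; nesting it this way, with
# one regular expression per Block element, is an assumption for this example.
POLICY_XML = r"""<Policy>
  <Shield>
    <Config>
      <Block>\.pif</Block>
      <Block>\.scr</Block>
      <Block>miralafoto/foto\.exe</Block>
      <Block>pics\.zip</Block>
      <Block>blockdelete\.com</Block>
    </Config>
  </Shield>
</Policy>"""


def load_block_patterns(xml_text):
    """Return the compiled regexes from every Block element, in policy order."""
    root = ET.fromstring(xml_text)
    patterns = []
    for block in root.iter("Block"):
        expr = (block.text or "").strip()
        if expr:
            # Filenames and hostnames in IM traffic vary in case, so match
            # case-insensitively (assumed behaviour, not documented by the post).
            patterns.append(re.compile(expr, re.IGNORECASE))
    return patterns


def blocked_by(message, patterns):
    """Return the text of the first pattern that matches, or None if the message passes."""
    for pat in patterns:
        if pat.search(message):
            return pat.pattern
    return None


def scan(messages, patterns):
    """Map each message to the pattern that blocks it (None when allowed)."""
    return {m: blocked_by(m, patterns) for m in messages}


# Constructed sample messages: two worm-style lures, one benign message that
# trips the generic filename entry pics\.zip, and one that passes cleanly.
SAMPLES = [
    "lol look at this http://example.invalid/miralafoto/foto.exe",
    "see who deleted you: BlockDelete.COM",
    "here are the holiday pics.zip I promised",
    "meet at 7, bring the slides",
]

if __name__ == "__main__":
    for msg, hit in scan(SAMPLES, load_block_patterns(POLICY_XML)).items():
        print(f"{'BLOCK' if hit else 'allow':5}  {msg!r}  ({hit})")
```

The third sample shows the cost of generic filename entries: an ordinary message mentioning a file called pics.zip is dropped just like the lures.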

1 comment:

makomk said...

The MSN Messenger filtering may protect against attacks, but it's also really annoying - because attacks tend to use generic-sounding names, they typically end up blocking stuff that'll get on the nerves of ordinary users.

For example, for a long time (years, I think) any URL containing gallery.php was blocked. This was, as you can imagine, annoying. You can see that there are still several generic entries that unwitting users are likely to encounter. (Also, I don't think the client-side list is always complete.)