Archive for July, 2009

As I already reported in the past, MessenPass, my password recovery tool for Messenger applications, is falsely detect as Virus/Trojan/Malware by many Antivirus programs.

Currently, according to this virustotal report, 18 out of 41 Antivirus programs shows a virus alert for MessenPass utility.

So I decided to make a nice test. I took the same code of MessenPass, and recompiled it with different compiler optimization options.
I also left it without UPX compression that I usually do with all my utilities.
I posted the new build of MessenPass for testing in VirusTotal Web site, and here’s the amazing result:

Only 2 out of 41 Antivirus programs trigger a virus alert for the new build of MessenPass.
Just to be clear – It’s still the same version of MessenPass (v1.26) like the original MessenPass with the 18 Antivirus alerts.
I simply compiled the same code of MessenPass with different compiler options.
avoiding from UPX compression also helped a little, because after compressing the same file with UPX, I got 5 virus alerts.

Currently, this build of MessenPass is only posted in this blog, while the I left the original build in the MessenPass Web page.
It’s interesting to see whether the Antivirus companies read or scan my blog.
If they do, the number of virus alerts in this MessenPass build will increase very soon…

After a few hours with the new ‘who loves you’ scam Web site, msn-blocked Web site once again redirect all users to msnpass.info
But now msnpass.info shows a new screenshot of password-recovery software, instead of the screenshot of MessenPass. I don’t know if this screenshot is based on a real existing software, or it’s just a completely fake screenshot created by msnpass.info owner.

Finally, the owner of msnpass.info decided to stop selling my MessenPass software.
The Web page of msnpass.info still exists, but all visitors of msn-blocked.com are now redirected to a new Web site that is hosted in the same IP addresses of msnpass.info
The new Web site is oh-love.me, and like msnpass.info, it’s hosted with multiple host names, like http://d.oh-love.me, http://c.oh-love.me, http://b.oh-love.me, and others.

This Web site is also in french, so I used Google Translator to find out what exactly this Web site offer the users, and here’s the result:
Welcome to oh-love.me, You always wanted to be able to read minds of others? Power who secretly pinching for you? Your dream will come true soon! With oh-love.me, you will be able to know the name of the boy or girl who secretly loves you! It’s super easy, you simply send an SMS that you will be shown by clicking on the flag of your country. By entering the code magic optenu on the site, you immediately know the name of your claim or your pr?tendante secret!

I don’t know what exactly the users get when they send the SMS, but there is no any utility in NirSoft Web site that can do that 🙂

Also, Firefox/Google blocked the entire domain of msn-blocked.com, so now all the Firefox visitors are redirected to msn-block.info domain (like s502.msn-block.info and many others)
while the users of Internet Explorer are still redirected to msn-blocked.com domain, because IE doesn’t block them.

It looks like whoever is behind these scams, works around the clock just to keep them alive…

And just more good news… I received another email from Allopass, and now they say that they are going to cut the account that was used for selling my MessenPass software.
I guess that even after closing the Allopass account, the scam owner won’t give up, and will open a new account in Allopass or in other similar payment company.

msn-blocked.com and msnpass.info are a pair of scam Web sites in french that are extermly active in the last few weeks.
The first one, msn-blocked.com – asks innocent users to type their MSN user/password, and then floods all their contacts with fake instant messages that invite them to join msn-blocked Web site, and enter their user/password too.
The second one, msnpass.info – offer the users of msn-blocked.com to purchase the MessenPass utility of NirSoft through the SMS payment system of allopass.com, misleading french users that don’t know that this utility is available for free at www.nirsoft.net.

As I already reported in my previous posts, these Web site were hosted in ovh.net hosting company, but in the last few days the owner of these scams moved most of the servers into another hosting company – EURO-WEB Servers renting, which is also an hosting company in France. Although most of the activity moved to the new hosting company, some of the servers are still active in the previous hosting company – ovh.net

The host names in the new hosting company are:
a.msnpass.info
b.msnpass.info
c.msnpass.info
d.msnpass.info
e.msnpass.info
f.msnpass.info
a2.msn-blocked.com
b2.msn-blocked.com
c1.msn-blocked.com
d1.msn-blocked.com
f5.msn-blocked.com

…And there are possibly more…

Ridiculous Answer From Allopass.com

I the previous post, I reported that there was no answer from Allopass payment company that is used as a part of msnpass.info/msn-blocked.com scam.
So after a while, they sent me their ridiculous answer to my complaint about these scams, and here’s the quote from their response:
Please apologize for this late answer. As a payment system provide, Allopass is not entitled to take side in this kind of dispute. However, we just notified the publisher of http://www.msnpass.info/ of your complaint, and now look forward to his reply.

So Allopass don’t want to “take side” in this issue, but they actually enjoy to take their side in sharing the revenue with msnpass.info owner.
Each time that a new innocent victim pays for my MessenPass software in msnpass.info Web site, Allopass company also get their side in the SMS revenue, together with msnpass.info scam owner.
But the main problem with msnpass.info is not the action of illegally selling NirSoft software, but the fact that this Web site get all the traffic by spamming the MSN Messenger accounts of innocent people with fake messages generated by msn-blocked.com Web site.

As you can see from Alexa ranking, the traffic of msn-blocked.com Web site continue to grow, and in the last days the it reached to a new record:

most of the traffic of msn-blocked.com comes from countries with french speakers – France, Belgium, Switzerland, and a few more.

How This Scam Works

If you still don’t understand how exactly this scam works, and how these scam Web sites get so much traffic, here’s a simple explanation of the viral spreading made in these Web sites.
For the examples below – User X, User Y, and User C are french speakers that constantly use MSN or Live Messenger to chat with their friends.

  1. User X get an instant message in MSN from his good friend, User Y, that recommend him to visit msn-blocked.com Web site (And User X doesn’t know yet that this is fake message generated by msn-blocked.com Web site)

  2. User X Visit msn-blocked Web site and put his MSN user name and password, assuming that it’s a safe Web site, because User Y, his good friend that he trust, sent him to this site.


  3. After giving his MSN user name/password to msn-blocked, this Web site connect to the MSN account of User X, and send fake instant messages to all his contacts !!
  4. Now User C, D, E, F, and others, which are in the contacts list of User X, receive the fake invitation message from User X, and some of them, like User X, do the same mistake, and go to msn-blocked Web site and give their user name/password.
  5. In the User X side, msn-blocked page is loaded and display his contacts list for a few seconds.
  6. After a few seconds, the Web site is suddenly redirected to www.msnpass.info Web site.
  7. www.msnpass.info Web site offers User X to download my MessenPass Software by using the SMS payment system of allopass.com
    User X still doesn’t know that all his contacts received the fake instant messages in his name, and he think that msnpass.info is good Web site recommended by his friend, and of course, User X doesn’t know that MessenPass utility is available to download for free at NirSoft Web site.
  8. User X send an SMS and get the code for downloading my MessenPass Software, assuming that User Y recommeneded him to do so.

  9. When User X send the SMS, the payment is shared between the scam owner, Allopass payment company, and the phone company.
  10. After a while, User C, a friend of User X, ask him about the link he sent him earlier.
    User X doesn’t remember that he sent any link to User C, and he start to understand that msn-blocked.com sent fake messages to all his contacts.
    But it’s already too late. Some of the User X contacts, the received the same fake invitation message, already gave their MSN user/password, and continued the viral spreading of msn-blocked scam.
  11. User X, angry about the embarrassment that this Web site caused him, browse into msn-blocked.com link again, and report it as ‘Web Forgery’ from the Web browser interface.
    After a while, the Web address reported by User X will be blocked by Firefox/Google and other Web site blockers, but it won’t help much to the next victims, because the scam owner constantly modifies the Web site address. For example: If User X, received the Web site address as s12.msn-blocked.com, the next victims will get a new address like s35.msn-blocked.com, and thus it won’t be blocked for the next victims.

  12. The owner of mspass.info and msn-blocked sites, accumulates more and more money from the SMS system, allowing him to pay more for the hosting services and to extend his scam Web sites to more servers.
  13. Due to the nature of “viral spreading” like in this scam, the number of users visit these sites grows exponentially, and the scam owner rent more and more servers in order serve all the site “visitors”.
    The scam owner probably relies on payments from Allopass system for paying the new hosting servers.
  14. Allopass company also enjoy the scam of msnpass.info, and get their part of the revenue, without caring about the nasty way that the visitors are sent into msnpass.info Web site, and without caring about violation of my intellectual property rights, even if it’s against their own conditions of use.
  15. It’s possible that all MSN user/passwords provided by users in msn-blocked Web sites, are collected into a large database of passwords for using it later for
    identity theft and other crimes.

That’s all for now.

You are welcome to add your comment about Allopass behaviour in this matter, and whether they should continue to provide their payments services for the nasty scam Web sites that I described above.

LiveContactsView is a new utility that allows you to easily view all your contacts stored by
Windows Live messenger, inside the contacts.edb database.
Like in all NirSoft utilities, you can select the desired contacts and export them into text,csv,html, and xml file, or you can copy them to the clipboard and paste into a spreadsheet application.

LiveContactsView is available to download from here.

As I predicted in my previous post about MessenPass false positives , the number of false positives alerts in the new version of MessenPass increased to 17, according to VirusTotal report.

The new false alerts are:

a-squared – Trojan.Generic!IK
AntiVir – SPR/PSW.Messen.DC
Antiy-AVL – PSWTool/Win32.Messen.gen
Comodo – UnclassifiedMalware
Fortinet – HackerTool/Messen
McAfee-GW-Edition – Riskware.PSW.Messen.DC
ViRobot – Not_a_virus:PSWTool.Messen.64512.B

A few days ago, I released a new version of MessenPass. According to VirusTotal Web site, so far there are only 10 Antivirus programs that detect a threat or infection inside mspass.zip:

If you wonder what is the reason that I say the word ‘Only’, that’s because the previous of MessenPass (v1.24) has false alerts in 25 Antivirus programs:

The reason of the False Positive decrease is probably because most Antivirus programs don’t find the bytes sequence that they used to detect the previous version of MessenPass.
Unfortunately, in the next days/weeks, these Antivirus companies will probably add the new MessenPass into their database, and the number of false alerts will increase back to around 25.
In the next few days, I’ll watch closely the changes in MessenPass false positives, and I’ll post an update when the number of false alerts significantly increase.

A few weeks ago, I wrote about the troubles I have from all these false virus alerts generated by Antivirus programs.
So here’s 2 more examples of serious troubles that McAfee false positives caused to other companies:

  1. McAfee false-positive glitch fells PCs worldwide When AV attacks:
    In this event, that occurred only 10 days ago, McAfee Antivirus “attacked” some system files that were falsely detected as Trojan, and caused
    these computers to crash with blue screen of death.
  2. Companies Struggle To Reverse McAfee’s False Positives On Yahoo Search:
    Around a year ago, Yahoo started a partnership with McAfee’s SiteAdvisor, causing some Web sites to be displayed with false red alerts on Yahoo search results.

…And finally, just a good word for McAfee SiteAdvisor: Although they have some false alerts problems like mentioned in the second article, at least they also show a good willingness to fix these kind of problems. 3 years ago, their SiteAdvisor was displayed a red alert on my Web site, but after I added my remark as the author of NirSoft, they checked my Web site and decided to turn it from red to green.
As opposed to SiteAdvisor, the Antivirus of McAfee is a troublemaker like all the others, and continue to detect my utilities as “potentially unwanted program” or “Generic PUP”.

After digging more into the MsnPass.Info scam that I reported in previous posts, I found out that this scam is a only part of possibly a larger scam that may involve in collecting emails and passwords of french users.

msn-blocked.com is a Web site that offers french users to find out who block their msn messenger user. In order to use this “service”, the users are required to provide their MSN user name and password.
Currently, it has at least 3 active servers: http://s601.msn-blocked.com/, http://s502.msn-blocked.com, http://s12.msn-blocked.com
There are some other addresses that already blocked by Firefox with “Reported Web Forgery!” message (For example: http://s11.msn-blocked.com), probably after users reported that it’s a phishing site.
But every time that a Web address is blocked, the scam owner simply replace it with a new server name.

This Web site has a terms and conditions in french, so I used the ‘Google Translate’ tool for translating them to English, and that’s what they say: “The site aims to provide you with tools to identify people who you are blocked and / or removed from their list of contacts on MSN or Windows Live Messenger. In return you grant this site (MSN-blocked.com) to include your email address in mailing lists marketing.”
In other words, the Web site owner says that he collect every email entered by the user for spamming purposes.

Just for a test, I tried to create a new MSN account (I wouldn’t give my real user name/password for criminals) and use them in http://s12.msn-blocked.com/ Web site.
After I did it, The Web site showed it’s connecting to the MSN server, and than it redirected me to a page with a few french words that I don’t understand. A few seconds later, it redirected me again… to mspass.info Web site.
So after I gave my user name/password to the Web site owner, he simply offer me to buy my own utility through SMS/phone system of allopass.com.
In the beginning, both msnpass.info and msn-blocked.com were hosted in the same server, but now each of these Web site is hosted in 3 – 4 separated servers.

There are 2 other things to concern:
1. This Web site (msn-blocked.com) may also collect that passwords of each user that uses this service, and that’s really bad, especially when we already know that the owner is a thief that sell the software of others.

2. With the MSN user name/password, the Web site owner can collect the email addresses of all the contacts of the user – for spamming purposes.

But the most concerning thing in this scam is the large amount of traffic the scam owner managed to receive.
I have already seen many scam Web sites in my life, but scale of this scam is really unusual.
Both Alexa and radarurl.com (a widget added by scam owner to watch the number of online users) displayed exterme amount of traffic in the last
few days.
radarurl.com already removed msnpass.info and msn-blocked.com sites (Maybe because the owner of radarurl.com found out about this scam), but before they were removed, it was displaying around 100-200 online users for each server (around 1000 online users for all servers together) in the peak hours.

In Alexa, the traffic rank of msn-blocked.com is around 8000 in the last few days, which is very high for a Web site that established only 3 weeks ago.

Moreover, it seems that the scam owner have at least 8 dedicated servers (4 for msnpass.info and 4 for msn-blocked.com) which implies that it’s really a major scam. The scam owner wouldn’t pay for 8 dedicated servers unless there is something huge behind that.

As I already reported, I tried to contact both ovh.com hosting and the payment company (allopass.com) by email and from their Web site contact forms, but with no success.
They simply don’t answer – I don’t know if they simply don’t understand English or they don’t really care that their services are used for fraud activities.
Unfortunately, I don’t live in france and I don’t speak french, so I cannot do anything else to shut down this scam.

If you live in france and/or you can talk in french, you may try to call this ovh.com company, get to the right department, and tell them about scam of msn-blocked.com and msnpass.info.

If no one will do something about this scam, these criminals will continue to collect more and more msn emails/passwords and to make money from selling my software.
In the end, they’ll have a nice amount of money in the bank, and a large user/password database that will allow them to do many other terrible things.

Finally, here’s a small explanation about how these Web sites get all the traffic:
Each time that a use put his user name and password into msn-blocked.com, this Web site send a live message in french to all the contacts of the user:

The message is sent in the name of the user that gave his user name/password, and invite all contacts to check the Web sites of MsnPass.Info or msn-blocked.com
The users that receive this message think that it as came from their messenger friend, and thus many of them browse into this Web site, login with their user/password, and cause this viral spreading to continue.

Since my last post about the MsnPass.Info Scam, the owner of this scam extended the Web site, and now there are 3 new dedicated servers – 2.msnpass.info, 3.msnpass.info, and 4.msnpass.info
These new servers are hosted in same hosting company – http://www.ovh.com, although I already reported them about the scam. I seems that they don’t really care that their services are used for fraud activities.

The main server (www.msnpass.info) is used for randomly redirecting the user to one of the other 3 servers, probably to avoid server overload.
In the last few days, this Web site has extreme amount of traffic, as you can see from this Alexa report:

In fact, for some of these days, this Web site received more traffic than the entire NirSoft Web site, despite the fact that it contains only a single page in french. This amount of traffic for one-page Web site cannot be “natural”. The scam owner probably uses spam messages and other bad techniques in order to get this volume of traffic.

msnpass.info displays a download counter inside the landing page, saying that more than 800,000 already downloaded it. I don’t believe that this download counter is really the truth.
It’s more likely that this number represents the number of page views.
Assuming that this number represents the number of page views, and even if only low percentage of the users actually payed and downloaded my software, it possible that the scam owner and allopass.com (the payment company) already generated an income of more than 100,000 Euro from this scam.