A Malware Retrospective: IceCold and the Era of MSN Hack Tools

Foreword

In previous articles from the Malware Retrospective series, we delved into the fascinating world of iconic remote access trojans (RATs), exploring the story behind these infamous programs of the late 1990s and early 2000s through exclusive testimonies from their respective creators, some of whom agreed to emerge from obscurity decades after their most notable projects.

The Malware Retrospective series aims not only to refresh memories for those who lived through that unique era but also to offer a window into a world that today’s younger generations of cyber enthusiasts never had the chance to experience.

This series usually focuses on one specific iconic remote access trojan (RAT) and its author. This time, while waiting for the next article currently in preparation, this first special issue will instead cover an iconic hack-tool widely used and appreciated during its active period.

IceCold

IceCold — ReLoaded Version by JunkCode

IceCold is what we used to call an account freezer. The purpose of these tools was to prevent a specific user, assuming that their username was known, from accessing a service (such as a game, a web application or a messaging service). These tools could be classified under the category of Denial of Service (DoS), with the unique particularity of targeting specific users rather than an entire service.

IceCold was arguably the most renowned hack-tool in its category, widely used between 2003 and 2007. It specifically targeted the now-dead MSN Messenger, also known as Windows Live Messenger, and Hotmail services — the most popular messaging and email platforms of the time, operated by Microsoft.

MSN Messenger 7.5 Running Through Escargot
Windows Live Messenger 2009 Running Through Escargot

IceCold was initially developed as a proof of concept (PoC) by Gregory Panakkal (aka JunkCode). At the time, Gregory was a young Indian security enthusiast who ran a personal space called “crapware” to distribute and document a variety of projects more or less related to hacking. Many of these projects focused on the MSN protocol, including tools such as Password Finders, IP Revealers, Status Resolvers, and Account Freezers.

crapware.tk

IceCold wasn’t the only MSN Freezer of its time, but it was undoubtedly the most respected and widely used. Under the hood, account freezers relied on simple, accessible techniques. They deliberately attempted to connect to a service with incorrect passwords in the hope of locking the targeted account. This prevented the user from accessing the service, either because a security mechanism temporarily locked accounts after multiple failed login attempts, or because the flood overwhelmed the protocol and caused failures in the underlying authentication logic. Either way, the account was left in a temporary failure state, effectively rendering it unusable for a period of time.

In the case of IceCold, the intention was to deliberately cause a temporary failure state in the authentication mechanism, resulting in misleading error messages from Microsoft services. Instead of returning an error such as “You’ve tried to sign in too many times with an incorrect password”, the system incorrectly informed the user that the password itself was invalid, adding to the confusion of the targeted user.

It is worth noting that not only did the MSN Messenger Windows application report an incorrect password, but users were also unable to access their other Windows Live Services accounts (e.g. Hotmail) via the web or a dedicated application. This confusion left the targeted user highly vulnerable to social engineering attacks.

A Scenario of High Success Rates in Account Takeovers

Taking over an MSN account was remarkably easy and often didn’t require exposing the target to malware, such as password stealers or remote access tools. Tools like IceCold, combined with a bit of social engineering, were typically sufficient to gain access to a victim’s account with high success rates.

The process began with the attacker, most of the time a script kiddie, adding the victim’s account to their MSN contact list to kick off a friendly interaction. Once the contact was added, the attacker used an MSN Account Freezer, such as IceCold, to prevent the victim from connecting to their account without disconnecting sessions that were already signed in, such as MSN Messenger. The attacker would then send a message like, “Hey, I just hacked your MSN account and changed your password. Your account is mine now. You can check for yourself by trying to log in to hotmail.com.” Since Hotmail’s error message incorrectly stated that the password was wrong, the victim was often convinced that their account had indeed been hacked and their password changed.

Building on this deception, the attacker continued chatting with the victim in a seemingly friendly and sympathetic manner, gaining their trust over time. This tactic, akin to a form of Stockholm Syndrome, made the victim more likely to cooperate. Eventually, the attacker would say something like, “I feel bad for you, and you seem nice. I’ll give your account back, but I can’t remember your old password. Can you tell me what it was so I can restore your account as if nothing happened?”

Convinced by the situation, the victim most of the time revealed their “old password”, believing it was necessary to regain access. As soon as the attacker obtained the password, they stopped the freezing process, quickly logged into the victim’s account, changed the password, and took full control. The attacker would then use the compromised account to repeat the process with the victim’s contacts, continuing the cycle of account takeovers.

How It Worked (Briefly)

The process began with the script kiddie entering the target’s Windows Live Account identifier into the program and pressing “Freeze Account.” IceCold then initiated a connection to the MSN protocol by contacting messenger.hotmail.com on TCP port 1863. The purpose of this initial connection was to retrieve the dedicated IP address used for the pre-flight authentication request. IceCold parsed the returned IP address and initiated the pre-flight authentication process against it. This step involved retrieving specific tokens and attributes required for subsequent authentication with the Passport service (the system used to authenticate users for Windows Live services).

After parsing and storing these tokens, IceCold initiated a new request, this time to nexus.passport.com on port 443 (HTTPS), to retrieve the final endpoint used for authentication. Using the retrieved endpoint (e.g., login.passport.com/login2.srf) along with the previously retrieved tokens, IceCold flooded the target endpoint with authentication requests. These requests used the target user’s account identifier combined with a deliberately chosen bad password, “crapware,” to ensure authentication requests would fail. This overload caused a temporary disruption in the authentication service, but only for the targeted user.
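As an added illustration of the two mechanisms described above (the failed-login lockout that freezers abused, and the misleading “wrong password” response), here is a small Python sketch that is not the article’s script nor IceCold’s code. It shows an authentication gate that scopes its throttle to the (account, source) pair and reports throttling as its own status, plus a detector that flags the freezer pattern in constructed log lines. The log format, thresholds, addresses and credentials are all assumptions for the example.

```python
import re
from collections import defaultdict, deque

WINDOW_SECONDS, MAX_FAILURES = 60, 5  # assumed policy values, not Passport's real ones
# Constructed log format for this example, not a real Passport/MSN log format.
LOG_RE = re.compile(r"^(?P<ts>\d+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

class AuthGate:
    """Throttles per (user, source) pair, so a flood from one source cannot freeze the
    owner signing in elsewhere, and reports throttling as its own status."""
    def __init__(self, credentials):
        self.credentials = credentials  # toy {user: password} store (constructed)
        self.failures = defaultdict(deque)  # (user, src) -> failure timestamps

    def login(self, ts, user, src, password):
        q = self.failures[(user, src)]
        while q and ts - q[0] >= WINDOW_SECONDS:  # forget failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            return "throttled"  # honest status instead of a misleading "bad password"
        if self.credentials.get(user) == password:
            q.clear()
            return "ok"
        q.append(ts)
        return "bad_password"

def detect_freeze_bursts(log_text, window=WINDOW_SECONDS, threshold=MAX_FAILURES):
    """Return {(user, src): peak failures} for pairs whose failed logins inside
    `window` seconds reach `threshold`, the signature of an account freezer."""
    recent, flagged = defaultdict(deque), {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue  # malformed or successful lines do not count
        key, ts = (m["user"], m["src"]), int(m["ts"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

# Constructed sample: six failures from one source within seconds, one typo by the owner.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i} auth FAIL user=alice@example.com src=203.0.113.7" for i in range(6)]
    + ["1700000010 auth FAIL user=alice@example.com src=198.51.100.9",
       "1700000012 auth OK user=alice@example.com src=198.51.100.9"])
```

Because the counter is keyed on the source as well as the account, the owner can still sign in from their own address while the flooding source is throttled, and the detector surfaces the flooding pair for investigation.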

Since MSN protocol and its related services are no longer supported, IceCold is no longer working and cannot be tested. However, I have created a small Python script that simulates parts of the MSN and Passport protocols to help you better understand how IceCold ReLoaded Version worked. Please read the explanations in the attached script carefully before experimenting with IceCold: https://gist.github.com/DarkCoderSc/769d1cb62bab7982ee2044f646779601

You may find the IceCold ReLoaded program ((!) at your own risk (!)) through the Web Archive and Gregory’s old web space URL. For those interested in exploring reverse engineering, understanding how IceCold operated would make an excellent exercise. Since I have provided an emulated version of the MSN and Passport protocols, you have all the tools needed to analyze and uncover its inner workings on your own.

Conclusion

In the early 2000s, MSN Messenger was a prime target for script kiddies, much like the persistent and infamous question today: “Hey, do you know how to hack a Facebook account?” — 😣 — Back then, it was, “Hey, do you know how to hack an MSN account?” Countless malware authors focused on this domain, offering a variety of tools to interfere with MSN services, whether to facilitate account takeovers (password stealers, sniffers, freezers) or to enhance and modify the user experience with tools that “unlocked” or enhanced MSN Messenger’s capabilities.

Two notable examples of these enhancement tools included:

MSN Plus: This infamous package, used by millions of users, allowed them to unlock the potential of the MSN Messenger desktop application by adding originally unsupported features like custom colors, effects, and other tweaks. One particularly interesting function, which aided social engineering for account takeovers, enabled users to copy a contact’s conversation title and effects, creating the illusion that they had control over the contact they were chatting with.

MSN Plus Extension for MSN Messenger

Nudge Mania: This tool removed limitations on the “Wizz / Nudge” feature, a native functionality designed to “wake up” a user by shaking the chat window and playing a distinct sound. Nudge Mania allowed users to flood their contacts with infinite nudges, creating significant annoyance for the recipient.

NudgeMania by Sherv
Nudge Example on MSN Messenger

Even I integrated MSN Messenger-related features in one of my early projects (back in 2007), DarkComet RAT (formerly named SynRAT). These features included the ability to interact with the MSN Messenger application on a remotely controlled computer:

DarkComet-RAT MSN Functions — MSN Control
DarkComet-RAT MSN Functions — MSN Contact List

IceCold falls into the highly sought-after category of MSN hacking tools that influenced the early days of many wannabe hackers. While complex hacking tools were highly coveted, simple yet effective tools like this one were just as valued.

I reached out to Gregory (JunkCode) to get his thoughts on his past creations, including IceCold. He admitted he could barely recall them, and stated that IceCold and his other creations were more proof-of-concepts (PoCs) than fully realized products. He also mentioned that during that time, he was working on other projects like custom PE packers and crypters, applications designed to make malware undetectable by antivirus and security solutions.

For many teenagers of that era, hacking and coding were simply hobbies, much like playing football, watching movies, or playing video games. Many never went on to pursue careers in IT. Gregory, however, saw that time as a valuable opportunity to learn and build his skills by working on such projects. He is today an accomplished information security professional.

Little did he know that his early work would still be remembered today.

In the next Malware Retrospective article, we will return to the roots of the series and explore a new legendary remote access trojan (RAT) featuring an exclusive interview with its author.

I’ve fallen behind schedule due to being overwhelmed with professional and other personal projects, but I’m doing my best to release the articles currently in progress.

Written by Jean-Pierre LESUEUR (Microsoft MVP)

Security & Malware Researcher / Developer at PHROZEN.