New Koobface worm duping Facebook users

Written by John P Mello Jr on December 17, 2009
New Koobface variant exploits holiday spirit.

Malware miscreants have traded their black hats for Santa hats with their latest escapade targeting the 350 million member Facebook community.

Security experts have spotted a new variation of the Koobface worm that gives its prior social engineering techniques a holiday twist to lure Facebook users into its wicked web.

The new variant, Koobface.GK, posts a link to a Christmas video on the message wall of a Facebook user. When a social networker clicks the link, he or she is taken to a bogus video player. Clicking the play button on the spurious application produces no video, but it does download the worm to the clicker’s computer.

The malware then produces a captcha screen that threatens to shut down the user’s computer if the captcha form isn’t filled out within three minutes. When the captcha form is filled out, the shutdown message appears again. Each time the form is filled in, a new domain is registered where infected files will be hosted. In that way, the worm propagates itself.

If a target decides not to act within three minutes, nothing will happen. However, his or her computer will become unresponsive. According to White Hats, a clean install of Windows isn’t needed to recover control of a computer infected with the worm. Presumably, the problem could be eliminated by pulling the power plug on the machine and rebooting into a state where a virus scan could be conducted on the computer or the box could be restored to a point before it was infected.


Virus variant turns iPhone into zombie

Written by John P Mello Jr on November 27, 2009
Worm turns ugly for iPhone.

The first smartphone malware began innocently enough. A Dutch cracker discovers a way to penetrate modified, or “jailbroken,” iPhones using their default root password “alpine.” “You want to protect this phone from more attacks?” he asks his victims. “Pay me five Euros, and I’ll tell you how to do it.”

Not to be outshone by the Dutch, an Australian writes a virus, ikee, that makes its presence known by changing the background on the mobile to a photo of Rick Astley, who became a one-shot wonder in 1987 with the hit song “Never Gonna Give You Up,” and displaying the message “ikee is never going to give you up.”

More important, though, was that ikee could replicate itself. Once it infects an iPhone, it begins searching for other jailbroken devices on the mobile network that still use alpine as their root password and infects them. In other words, it’s a good old-fashioned ego-centric virus: annoying but not very harmful, and designed to spread the name of its creator, ikee.

But as White Hats discovered this week, those initial efforts were just a prelude to a nastier variant of the ikee worm. Like its predecessor, it takes advantage of modified iPhones with the SSH protocol turned on and unchanged default passwords. This variant, however, is designed to steal banking information from the phone.

What’s more, it has botnet characteristics. It connects to a Web-based command and control server located in Lithuania, effectively turning infected phones into zombies that will do the bidding of the crackers without the knowledge of the phone’s owner.


New Worm Taking Aim at WordPress

Written by Sue Walsh on September 11, 2009

A new worm is taking aim at the popular WordPress blogging platform. First discovered on August 11th, it affects those who host their own blogs. It works by exploiting a vulnerability in the software’s permalink structure. Once in, it makes itself an admin and fills posts with hidden spam and malware.

“The tactics are new, but the strategy is not,” the WordPress project stated on its official blog. “Where this particular worm messes up is in the ‘clean up’ phase: It doesn’t hide itself well, and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage.”

Those bloggers infected by the worm will find all of their links are broken and their old posts are filled with hidden spam and malicious code. They may also discover their site flagged as dangerous on Google because of said code. The fix? Wipe your site and install from your backup, or if you haven’t backed up, start from scratch. The prevention? Make sure you’re using the latest WordPress software, which at this writing is 2.8.4.

Hackers are increasingly turning to legit sites to spread their wares, and finding plenty of security holes to exploit in order to do so. In June over 40,000 websites were infected by an attack dubbed “Nine Ball” that injected malware into legit pages and redirected visitors to a malicious site that downloaded Trojans and a keylogger. Last month over 57,000 legit sites were found to be infected, and earlier this month the website of the UK Parliament was hacked.

Meet Waledec, Conficker’s Child

Written by Carl E. Reid on April 21, 2009

Indy.com reported in early April 2009 about the Waledec bot riding along with the Conficker virus. “Conficker, for the first time, moved beyond sitting quietly on millions of Windows computers worldwide to infecting other vulnerable computers.

This means many more consumers could end up with a variant of Conficker. You also could catch a worm that’s now tagging along for the ride.

This new worm, called Waledec, can open a back door to your computer to steal information or to allow an outsider to control it, security experts warn.” Waledec’s goal is to make money by harnessing the power of an infected computer and millions of other computers to create a massive “bot network,” or “botnet,” to send out spam.


Twitter Spammed by Teenager Using Worm

Written by Sue Walsh on April 14, 2009

The malware that hit Twitter, called the Mikeyy worm, appears to have been created by a 17-year-old New York boy who had nothing better to do and wanted to drive traffic to his website. The worm exploited a cross-site scripting flaw to compromise nearly 200 accounts and send more than 10,000 tweets. Users were infected simply by visiting the compromised profiles. The worm hit Twitter four separate times this weekend, each time sending tweets aimed at directing users to the site StalkDaily.com, a Twitter copycat site owned by the teenager in question. A copycat worm also jumped on the bandwagon, sending out spam tweets of its own with a link that claimed to be directions on how to remove the worm.

“A message like this is particularly nasty, as there were plenty of re-tweets of this malicious message sent by genuine users,” said F-Secure Corp.’s chief research officer, Mikko Hypponen, in a blog post just minutes after Monday’s attack began. “The bit.ly link got redirected back to Twitter, to user reberbrerber’s profile which would infect Twitter users who viewed it.”

Experts say attacks on social networking services will only increase as more and more cybercriminals seek out vulnerabilities and use them to carry out XSS/PHP/SQL attacks. These attacks, they say, will likely be used to gather lists of personal information which will then be used in more traditional spam and phishing attacks. To protect your company, don’t use sloppy code! Check and double check for JavaScript vulnerabilities and other security holes, and close any you find as soon as possible. Your company’s reputation could depend on it!

Microsoft Offers $250,000 Botnet Bounty

Written by Brett Callow on February 17, 2009

Microsoft has offered a $250,000 reward for information leading to the arrest and conviction of the person(s) responsible for the Conficker worm.

It’s not the first time that the Redmond-based company has put a price on the head of malware creators. In 2004, $250,000 was paid to a group of German students who ratted on their classmate, Sven Jaschan, the author of the Sasser worm.

According to security companies, Conficker may have infected as many as 15 million computers, including computers in the UK Ministry of Defence’s network, and spreads by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE) and via removable drives. The worm disables a number of Windows services (including Windows Update and Windows Defender) and blocks access to security-related websites.
