Cyber jihad worm harks back to Anna Kournikova malware at turn of century.

Organizations around the world are currently recovering from a worm distributed through email spam earlier this month.

The malware reportedly crafted by a cyber jihad organization and dubbed the “Here you have” worm after the most common subject line in its spam messages spread rapidly and infected countless computers throughout the globe. Untold numbers of workers had their daily routines disrupted as their inboxes were inundated with spam from trusted sources–family members, coworkers and the like.

The worm infected homeowners, as well as large organizations such as Coca-Cola, Google, Disney/ABC, NASA, Comcast, AIG, Procter & Gamble, Wells Fargo and the Florida Department of Transportation. The spam volumes generated by the worm are estimated in the hundreds of thousands, if not millions of junk emails.

At the Florida Department of Transportation, a spokesperson acknowledged that e-mail had to be taken off-line because of the spam attack. He added, however, that while the malware crippled communication in the agency, it did not have a major impact on its operations.

At other organizations, the worm attack was an occasion for gallows humor. “Office servers off-line, due to spam assault. No email for anyone. Now maybe I can get some work done!” joshed one office worker on Twitter. One NASA employee tweeted, “Houston, we have a problem… it’s called spam.”

There appear to have been two flavors of the worm. The large organization version had “Here you have” in the subject line, while a home version used “Just For You” as a subject. In the body of the message targeting home computer users was text that contained a link that if clicked would propagate the worm: “This is The Free Download Sex Movies, you can find it Here.”

Shortly after the discovery of the worm, security experts found possible links between it and an organization called “Brigades of Tariq ibn Ziyad.” They said that there were references in the malware to a known Libyan hacker who is trying to enlist other cyber terrorists to join him in a cyber jihad. In addition, it was reported within the binary code of the worm are the words “Iraq Resistance.” What’s more, a back door installed by the worm in infected systems connects to a computer using the Tariq ibn Ziyad name. Furthermore, parts of the worm were written in Arabic.

Security experts analyzing the worm said it is very similar to mass mailing e-mail viruses seen in the past such as the Anna Kournikova, Mellissa and Nimda viruses. Coincidentally, the Anna Kournikova virus also had “Here you have” in the subject line.

Experts also noted that a similar version of the worm was released in the wild in August but failed to gain much traction. It’s believed that the main difference between the old worm and the new one is that more spam messages were sent out with the new worm. In addition, the new worm may contain new components that allow it to propagate more efficiently.

Despite the havoc that the word raised around the world, its risk rating is still “low,” according to security experts. That’s because all it seems to be doing is sending out massive amounts of spam to people and not compromising systems in any other way–at the moment. However, one security firm asserts that the worm includes a feature in its repertoire that attempts to stop and delete security services on the computers that it infects.

The worm works like this.

It sends a spam message to a computer. The message contains an attachment. The attachment pretends to be a PDF file, but is really an .scr file. The email also contains a message with a harmful link. When a user clicks the link, the .scr file is activated and the malware is sent to everyone on a user’s contact list. When the worm arrives in the inbox of one of the user’s contacts, it has a certain amount of credibility because it’s coming from someone the contact trusts, namely the user.

In addition to e-mail, the worm will try to propagate itself to any mapped drives, remote machines or movable media with AutoRun enabled. Copies of the worm transferred to those machines are much more volatile because all the user has to do is open the folder that contains the malware and it will be activated.

To guard against infections like those spread by the worm, security experts recommend that network administrators block emails that contain file extensions like .VBS, .BAT, .EXE, .PIF and .SCR, as they are typically used to spread malware.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Cyber Jihad worm spread rapidly via email

Security experts say the worm, which briefly accounted for 14% of the world’s spam volume, contained several malicious components including a backdoor Trojan and a keylogger. It was also programmed to shut down and delete any anti-virus services it found. Fortunately for the victims, the worm was quickly shut down due to its unsophisticated structure. It struck many large U.S. companies including Proctor & Gamble, Disney, and Wells Fargo. It also hit NASA. At one point the deluge was so bad it forced cable and broadband provider Comcast to completely shut down their email servers.

It’s not clear why the emails duped so many into clicking on the attachment they contained. The fact that the worm invaded the address book of anyone infected and sent itself out to everyone on it may have been a factor. People, even those who know better than to click on links or open attachments from strangers, are much more likely to drop their guard and open attachments that come from friends, no matter how odd or suspicious they may look.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Hacker Takes Credit For Email Worm

Most current malware tries to remain undetected as long as possible. The longer it remains undiscovered, the longer it can work its vile mischief. Not so with Clippo. Once it infects a machine, it locks all the Microsoft Word, PowerPoint and Outlook email files that it can find. If a worm wants to remain clandestine, that’s not the way to do it.

The worm is also simple in its execution. When it arrives on a PC it drops a file, file.exe, in the root directory of the C drive and adds a load statement, load=c:film.exe, in the startup section of the Windows registry, HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows. It also copies itself–as files names picture.exe and sound.exe–to all folders on the infected system, including folders on all removable drives and all network drives where it has permission to write files.

When a user attempts to open a diseased file, he or she is asked for a password. Since the password, which is 721709031350, is unknown to the user, the file can’t be opened. That, needless to say, is very, very annoying to the keyboard jock.

As worms go, this one is not only easy to detect, but it’s relatively easy to disinfect. Just remove the malicious registry entry and trash the file on the C drive. To be extra careful, though, it’s a good idea to perform a virus scan on the infected machine and all storage devices attached to it with an up-to-date virus program after removing the outlaw file and registry entry.

Security experts who have studied the worm say it appears to be created purely to aggravate its victims, and it doesn’t give its creators any opportunity to rake in any cash from their malicious work. However, it does seem to have an axe to grind with Microsoft, as the files it infects are created with applications from that company. Someone using something like OpenOffice probably wouldn’t even know that the worm had weaseled its way onto his or her system.

In addition, Windows 7 users appear to be immune from the attack. Clippo is written to run under Windows 2003, XP and older versions of the operating system.

Clippo.A is part of the Sality malware family of file infecting viruses. Sality dates back to 2003 when it first appeared in Russia. Over the years, it has evolved from a simple virus that uses an executable file to spread into a malicious mix that includes viruses, trojans, backdoor creators, keyloggers and rootkits. Recently the family gained a missing element to its repertoire: botnet capabilities. It’s estimated that Sality botnets have infected some 100,000 computers, which is small compared to something like Conficker, but similar in size to Storm, Pandex or Rustock.

Ordinarily a file infection worm like Clippo would try to monetize its activity by holding a victim’s files hostage and demand payment to set them free. It’s a form of malware called ransomware, and it’s becoming very popular among Internet thieves.

August was a high point this year for ransomware with a variant called TotalSecurity, which topped the malware charts in that month. Security experts attribute the surge in the ransomware’s spread to its transformation into polymorphic malware. That means the malware’s code changes frequently–every hour, for example–to avoid detection. It’s a technique typically deployed by botnet authors and one now used by TotalSecurity’s developers.

Ransomware has become especially popular in Russia and  in some of its former republics. In fact, Russian police reportedly are currently investigating a criminal gang using ransomware to infect tens of thousands of PCs in Russia, the Ukraine, Belarus and Moldova. The gang is using news sites to spread their malware, called WinLock. The software disables some Windows components a the computer becomes unusable, then it adds insult to injury by flashing pornographic images on its screen.

Once a computer has become disabled, its owner is informed he or she must send an text message from their mobile phone to receive the unlock code to the malware. The messages cost the user anywhere from 300 to 1000 rubles ($9.71 to $32.38). The scams are reported to be very lucrative. In the case currently being probed by the Russian police, the ransomware gang made $16 million in a single month.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New prankware locks files on computers

New Koobface variant exploits holiday spirit.

Malware miscreants have traded their black hats for Santa hats with their latest escapade targeting the 350 million member Facebook community.

Security experts have spotted a new variation of the Koobface worm that gives its prior social engineering techniques a holiday twist to lure Facebook users into its wicked web.

The new variant, Koobface.GK, posts a link to a Christmas video on the message wall of a Facebook user. When a social networker clicks the link, he or she is taken to a bogus video player. Clicking the play button on the spurious application produces no video, but it does download the worm to the clicker’s computer.

The malware then produces a captcha screen that threatens to shutdown the user’s computer if the captcha form isn’t filled out within three minutes. When the captcha form is filled out, the shutdown message appears again. Each time the form is filled in, a new domain is registered where infected files will be hosted. In that way, the worm propagates itself.

If a target decides not to act within three minutes, nothing will happen. However, his or her computer will become unresponsive. According to White Hats, a clean install of Windows isn’t needed to recover control of a computer infected with the worm. Presumably, the problem could be eliminated by pulling the power plug on the machine and rebooting into a state where a virus scan could be conducted on the computer or the box could be restored to a point before it was infected.

This latest Koobface attack shouldn’t surprise anyone as Christmas has always been a prime time for Internet bandits. The Zafi.D worm, for example, was introduced in 2002 and is still making the holiday rounds clandestinely opening ports on computers and downloading malware. Other Christmas suprise packages include MerryXA, which contained a malicious attachment that installed a keystroke logger designed to steal personal information from its victims, and the Navidad family of worms also distributed through email.

To avoid infection from the likes of Koobface, Malware fighters are cautioning computer users not to click on links from dubious sources. There’s a problem with that advice, though, when it’s applied to social networks. When something is posted to a Facebook wall or message arrives under the guise of a message from Facebook, it may very well appear to originate from a trusted source.

Another precaution recommended by security experts is to eyeball the link to determine its validity. For example, if a Facebook URL contains a .ru domain, it might not be on the level. On the other hand, links can be hidden behind plain English labels or worse, be in a shortened format that’s inscrutable to the eyeball test. If the short URL appears in Firefox, there are tools that will expand  the Web address or preview the link without clicking it.

Of course, it’s also a good idea to be very careful when you’re solicited online to download software.

Koobface surfaced this summer working the video angle on Twitter users. “Tweets” were sent to members of that network containing the message “My Home Video” and a link. It also tricked Facebook users by creating some very convincing facsimiles of that social network’s service pages. As word spread about the worm, it began adopting subterfuge to avoid detection. It started altering its payloads automatically inserting into them text like Ha-Ha-Ha, WOW, LOL and OMFG, and it commenced using short URLs.

In response to the new found interest by cyber criminals in their services, Twitter and Facebook have made efforts in recent weeks to tighten up their security, but their efforts aren’t moving fast enough for some concerned netizens. A group of Swedish students hijacked hundreds of Facebook groups last month to expose just how insecure the service is. The posse, calling itself Control Your Info, exploited a design flaw in the social network to conduct its shenanigans. It seems that if an administrator leaves a Facebook group, anyone in the group can assume the throne. Control Your Info members joined groups without administrators and announced to their members in a message.

“Hello,” the message began, “we hereby announce that we have officially hijacked your Facebook group.”

“This means we control a certain part of the information about you on Facebook,” the message continued. “If we wanted we could make you appear in a bad way which could damage your image severly [sic].”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Koobface worm duping Facebook users

Worm turns ugly for iPhone.

The first smartphone malware began innocently enough. A Dutch cracker discovers a way to penetrate modified, or “jailbroken,” iPhones using their default root password “alpine.” “You want to protect this phone from more attacks?” he asks his victims. “Pay me five Euros, and I’ll tell you how to do it.”

Not to be outshone by the Dutch, an Australian writes a virus, ikee, that makes its presence known by changing the background on the mobile to a photo of Rick Astley, who became a one-shot wonder in 1987 with the hit song “Never Gonna Give You Up,” and displaying the message “ikee is never going to give you up.”

More important, though, was that ikee could replicate itself. Once it infects an iPhone, it begins searching for other jailbroken devices on a mobile network that use alpine as their root password and infects them. In other words, it’s a good old fashioned ego-centric virus–annoying but not very harmful and designed to spread the name of its creator, ikee.

But as White Hats discovered this week, those initial efforts were just a prelude to a nastier variant of the ikee worm. Like its predecessor, it takes advantage of modified iPhones with the SSH protocol turned on and unchanged default passwords. This variant, however, is designed to  steal banking information from the phone.

What’s more, it has botnet characteristics. It connects to a Web-based command and control server located in Lithuania, effectively turning infected phones into zombies that will do the bidding of the crackers without the knowledge of the mopho’s owner.

In addition, while the original ikee worm was limited in its scope. It wasn’t reported outside of Australia. The latest iteration of the malware targets a wider range of IP addresses. They include the Netherlands, Portugal, Australia, Austria and Hungary.

The new variant, dubbed by one security firm as the “Duh” worm, also changes the root password on a jailbroken iPhone. Once that password is changed, a mobile bandit can access the phone without the owner’s knowledge. What’s more, if an owner discovers his or her phone has been compromised, initially he or she could do little about it. That’s because he or she needed to know the root password to change the root password. That was impossible since the password of an infected phone was known only to the person who infected it.

However, security experts have been able to reverse the tables on the crackers and with a program called John the Ripper, identify the password they’ve been using in the latest version of ikee. It’s “ohshit.” By logging into an infected iPhone with that root password, an owner can change it to something unknown to the cracker.

In addition to changing the password, an owner should kill the files associated with the malware. The path to those files is /private/var/mobile/home. The files are inst, cydia.tgz, duh, sshd and syslog. Owners are also advised to check the passwords for all user accounts, as the malicious software will change the password for any account that uses the word alpine.

Apple has come under criticism for choosing a root password that violates some basic security best practices. It’s a dictionary word and lots of people know what it is. On the other hand, the latest uproar over compromised iPhones doesn’t affect most users because they haven’t modified their handsets to run unauthorized programs. That may also be the reason that Apple has refused to work with White Hats in developing anti-virus software to counter the problem. From the company’s point of view, it has created a secure product. It’s rogue users who are providing the feeding ground for this round of cracker attacks.

Although iPhones represent only 10 percent of the mobile phone market, they tend to be used by higher level executives within organizations because of their status value. While status seekers aren’t likely to hack his or her iPhone and open it up to something like ikee, the prospect isn’t something that system administrators can ignore. Because iPhones aren’t able to report any kind of status information, security experts warn, they present a threat to the enterprise. If an infected phone gains access to a company’s MS Exchange, WiFi or VPN environment, it could put all a business’s confidential information at risk.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Virus variant turns iPhone into zombie

          “The tactics are new, but the strategy is not,” the WordPress project stated on its official blog. “Where this particular worm messes up is in the ‘clean up’ phase: It doesn’t hide itself well, and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage.”

Those bloggers infected by the worm will find all of their links are broken and their old posts are filled with hidden spam and malicious code. They may also discover their site flagged as dangerous on Google because of said code. The fix? Wipe your site and install from your backup, or if you haven’t backed up, start from scratch. The prevention? Make sure you’re using the latest WordPress software, which at this writing is 2.8.4.

Hackers are increasingly turning to legit sites to spread their wares, and finding plenty of security holes to exploit in order to do so. In June over 40,000 websites were infected by an attack dubbed “Nine Ball” that injected malware into legit pages and redirect visitors to a malicious site that downloaded Trojans and a keylogger, and last month over 57,000 legit sites were found to be infected, and earlier this month the website of the UK Parliament was hacked.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Worm Taking Aim at WordPress

This means many more consumers could end up with a variant of Conficker. You also could catch a worm that’s now tagging along for the ride.

This new worm, called Waledec, can open a back door to your computer to steal information or to allow an outsider to control it, security experts warn.”  Waledec’s goal is to make money by harnessing the power of an infected computer and millions of other computers to create a massive “bot network,” or “botnet,” to send out spam.

As recently as April 17, 2009 ZDNet reports the Waledec botnet is on the move again.  For waledec to be effective, cyber criminals are relying on the rotation of different “Subject” themes and the email user’s ignorance of its existence.   That is a hint to educate your email users ASAP.

Some typical Waledec spam email subjects being used:

• Can your love life be re-ignited?
• Are you sure in your partner’s faithfulness?
• Now, It’s possible to read other people’s SMS
• We will tech you to be the master of making love art
• Just type the phone number and read SMS
• Do you want to test your partner?
• Have more fun and pleasure in your intimate life
• Now, you can read any SMS messages from any mobile phones
• Keep a spy eye on your Girlfriend’s mobile
• What’s Your Hall of Shame
• Are you ready to know the truth?

The actual Waledec message body is something like “Get Your Free 30-Day Trial! Do you want to test your partner or just to read somebody’s SMS? This program is exactly what you need then! It’s so easy! You don’t need to install it at the mobile phone of your partner. Just download the program and you will able to read all SMS when you are online. Be aware of everything! This is an extremely new service!”.

Any other unknown conficker children you want to share with us?  Let us know with a comment.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Meet Waledec, Conficker’s Child

          “A message like this is particularly nasty, as there were plenty of re-tweets of this malicious message sent by genuine users,” said F-Secure Corp.’s chief research officer, Mikko Hypponenin in a blog post just minutes after Monday’s attack began. “The bit.ly link got redirected back to Twitter, to user reberbrerber’s profile which would infect Twitter users who viewed it.”

Experts say attacks on social networking services will only increase as more and more cybercriminals seek out vulnerabilities and use them to carry out XSS/PHP/SQL attacks. These attacks they say, will likely be used to gather lists of personal information which will then be used in more traditional spam and phishing attacks. To protect your company, don’t use sloppy code! Check and double check for JavaScript vulnerabilities and other security holes and block any you find as soon as possible. Your company’s reputation could depend on it!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Twitter Spammed by Teenager Using Worm

It’s not the first time that the Redmond-based company has put a price on the head of malware creators. In 2004, $250,000 was paid to a group of German students who ratted on their classmate, Sven Jaschan, the author of the Sasser worm.

According to security companies, Conficker may have infected as many as 15 million computers, including computers in the UK Ministry of Defence’s network, and spreads by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE) and via removable drives. The worm disables a number of Windows services (including Windows Update and Windows Defender) and blocks access to security-related websites.

The story certainly makes one wonder how – or whether – such outbreaks can ever be prevented. Microsoft handled the matter in textbook manner, making a patch available in October of last year. But Conficker continued to spread well beyond that date – and still continues to spread. Consequently, a number of pundits have (once again) started to speculate as to whether the time has come for Microsoft to force updates on home users (example). While there is certainly some merit to the idea, I simply cannot see that ever happening. Legalities aside, can you imagine the outcry? Plus, it would not eradicate the problem. Yup, some home users may be slack when it comes to patching, but then so are some businesses – which is why Conficker has been able to infect so many corporate and government networks.

The fact is that we will probably be stuck with such outbreaks until either 1) vendors design completely secure operating systems or 2) people and businesses start to patch promptly. Unfortunately, neither is likely to happen any time soon.

Anyway, if you happen to know the identity of the schmuck responsible for Conficker and would like to claim the $250,000 bounty, call Microsoft’s  Antivirus Reward Hotline on 1-425-706-1111 or send an email to avreward@microsoft.com.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Microsoft Offers $250,000 Botnet Bounty