New Worm Lets Hackers Take Control

By Kevin M. Nixon, Information-Security-Resources.com Security Editor

Social Networking sites (Facebook, MySpace, Bebo, LiveJournal, etc.) are under attack by a variation of the Koobface worm which began to spread in August ‘08.  This new variant, tracked as WORM_KOOBFACE.AZ has the potential of a fast infection rate.

Most importantly, after propagating itself from the infected device, the Worm remains active on the user’s computer transmitting the computer’s data, settings, control information, and system information to over 300 international collection sites.

Readers should search their computer protection software provider’s website and locate instructions for WORM_KOOBFACE.AZ.  Please note that this is a variation of HTML_KOOBFACE.BA.  The patches and DAT files for the HTML variant do not protect against the WORM variant!

CURRENT FIX:

No Automatic Patches currently available from Protection Vendors.  Manual counter-measures are available.

TYPE MALWARE:

Worm - Self-Spreading

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention.

Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

INFECTION METHOD:

Hyperlink-Social Engineering.

Computer user receives a message which may contain the subject line “Thiss vvideo witth you on the streeet.”  User may receive the message via a “Online Inbox” located on the social network site, or any online web-based email, smart phone/PDA, or regular email application loaded locally on the computer.

HOW IT WORKS:

The message is sent to you by someone you know.  The hyperlink in the message takes the user to a “fake site” supposedly hosting a video posted by the same “friend known to the user” in a Facebook (or other Social Network) message from.

The message not only contains the hyperlink to the “fake site”, it also displays the “friends” name and photo from the Facebook profile.  A very clever little piece of social engineering.

Although the worm originates from a Facebook account from a person known to the user, the user receiving the message does not need to be a member of Facebook.

Other origination points include but are not limited to:

facebook.com

hi5.com

friendster.com

myyearbook.com

myspace.com

bebo.com

tagged.com

netlog.com

fubar.com

livejournal.com

WHAT IT DOES:

After clicking on the link, the user is redirected to an IP Address which contains the “fake social network friend page”.  Upon arriving at the site, the user is prompted to update the Adobe Flash Player.

The “fake update” installs the worm on the user’s computer.

WORM_KOOBFACE.AZ propagates through other networking sites by using “cookies” stored on the user’s computer.

The worm connects to a respective site using login credentials stored in the gathered cookies. It then searches for an infected user’s friends, who are then sent messages containing a link where a copy of the worm is downloaded.

It also sends and receives information from an infected machine by connecting to several servers.

This allows hackers to execute commands on the affected machine. Currently there are over 300 International data collection sites containing this worm!

Kevin has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee. He has also served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security, and as a consultant to the Federal Trade Commission.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Stay Informed With RSS Feeds or Email Alerts Here: 

Filed under: Breach, D&O Liability, FEATURE ARTICLE, Financial, Sarbanes-Oxley, Uncategorized, hackers, identity-theft, malware, national security, privacy 

Comments

• ISR Headline Index

  • Why We Did It and Don’t Want Any Money
  • Hackers Lurking in Hotel Networks
  • 7 Month Vulnerability in Windows Virtual PC
  • How to Secure a Cisco Router
  • On HTML Insecurities…
  • When Social Networking Clashes with Security
  • Spam Block: Public Servants or Vigilantes?
  • Sticky Situations in Social Media
  • Quick Tips for Using Secure Shell
  • Consolidate Compliance With Open Source
  • DoS Attack Reveals Widespread Vulnerabilities
  • Study Shows Employees Put Data at Risk
  • Tracking Google’s Script Kiddie Hackers
  • Newbie Introduction to Digital Forensics Part 2
  • Simple Log Review Checklist Released

• Recent Comments

  • Ryan Aslett on Data Loss Prevention Has Jumped the Shark
  • Tom on (Lack Of) Encryption and The HITECH Act
  • ADMIN on Patriot Hacker Hits Jihad With DDoS Attacks
  • Robert Siciliano on Data Loss Prevention Has Jumped the Shark
  • Karen J. Cox on Data Loss Prevention Has Jumped the Shark
  • Scot McLeod on Outsourcing Breach Response Lowers Costs
  • John Marke on Gartner Tells CIOs to Embrace Social Media
  • Social Engineering and Enterprise Security | CIO – Blogs and … | Enterprise Engineering Addict on Gartner Tells CIOs to Embrace Social Media
  • From Russia, With Smartphones on Top 8 Social Media Security Threats
  • Judith Hoffman on Scam Alert: Rogue Gmail Account Phishing
• 
  

  Information Security Resources

  Top network security blogs

• Categories

  • Anthony M. Freed (26)
  • Bill Brenner (2)
  • Bob Violino (1)
  • Bozidar Spirovski (23)
  • Breach (540)
  • Britt Womelsdorf (5)
  • By Dr. InfoSec (2)
  • Cara Garretson (7)
  • CCCNews (1)
  • Chorey Taylor & Feil (8)
  • Christophe Veltsos (2)
  • Christopher Burgess (7)
  • CIOZone (26)
  • Class Action Lawsuit (111)
  • Cloud computing (114)
  • Coby Royer (5)
  • CTO Forum (9)
  • D&O Liability (602)
  • Daniel Wallace (5)
  • Danny Lieberman (11)
  • DataLine (10)
  • David Alexander (2)
  • Derek Crawford (1)
  • Doug Pollack (7)
  • due diligence (311)
  • Fame Foundry (1)
  • FEATURE ARTICLE (428)
  • Financial (588)
  • Fred Leland (7)
  • Gene Kim (3)
  • Government (374)
  • Greg George (5)
  • H1N1 (15)
  • hackers (540)
  • healthcare (135)
  • Heather Bourgoin (1)
  • HomeATM (8)
  • identity-theft (536)
  • IDExperts (17)
  • Ike Z. Devji (1)
  • Infosec Island Network (39)
  • Insider Threat (491)
  • Internet Crime Complaint Center (1)
  • Internet Security Alliance (72)
  • ISR News (321)
  • Jacqueline Herships (2)
  • Jenni Hesterman (3)
  • John M. Salomon (2)
  • John Watkins (7)
  • John-Patrick Skaar (2)
  • Kaliber Data Security and Compliance Consultants (3)
  • Kat Sanders (2)
  • Ken Leeser (3)
  • Kevin L. Jackson (10)
  • Kevin M. Nixon (21)
  • Larry Ketchersid (1)
  • Laton McCartney (7)
  • Lauren Taylor (1)
  • Linda McGlasson (1)
  • malware (502)
  • Mark Smail (1)
  • Mark Wright (1)
  • Mel Duvall (3)
  • Michael Eggebrecht (3)
  • Michael Lohr (1)
  • Michael O'Conner (4)
  • MicroSolved (1)
  • Mike Duncan (3)
  • Mike Meikle (4)
  • Mike Spinney (1)
  • Military (212)
  • national security (454)
  • PCI (309)
  • PCI Security Standards Council (32)
  • Physical Security (11)
  • privacy (553)
  • Rachel James (10)
  • reach (12)
  • Rebecca Herold (16)
  • Richard Stiennon (44)
  • Robert Siciliano (34)
  • Sarbanes-Oxley (503)
  • ScamStop (2)
  • Sean Wilkins (2)
  • Semyon Dukach (1)
  • Simon Heron (14)
  • Software Associates (11)
  • Steven Fox (19)
  • SUPERAntiSpyware (3)
  • Sybase (6)
  • Symplified (5)
  • The Jester (8)
  • The Privacy Professor (16)
  • Thomas R. Fox (8)
  • Tom Groenfeldt (2)
  • Tom McLain (2)
  • Trefis (14)
  • Tripwire (18)
  • Uncategorized (621)
  • virtualization (102)
  • Webcast (49)