Open Source and information security mailing list archives
Date: Thu, 7 Aug 2008 00:15:24 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
Cc: "John C. A. Bambenek, GCIH, CISSP" <bambenek.infosec@...il.com>, bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk, funsec@...uxbox.org
Subject: Re: [funsec] facebook messages worm

On Thu, 7 Aug 2008, Juha-Matti Laurio wrote:
> It has the following mechanism according to McAfee:
> http://vil.nai.com/vil/content/v_148955.htm
>
> They use the name W32/Koobface.worm and Kaspersky (Kaspersky Labs originally
> discovered this threat) uses the name Net-Worm.Win32.Koobface.b.

This is going to *possibly* cause support line bottlenecks tomorrow.

This worm is somewhat similar to Zlob; here is a link to a Kaspersky paper on a
previous iteration of it, which they call Koobface:
http://www.kaspersky.com/news?id=207575670

The worm collects spam subject lines from, and then sends the users' personal
data to, the following C&C:
zzzping.com

I spoke with DirectNIC last night, and the Registrar Operations (reg-ops)
mailing list was updated that the domain is no longer reachable. That was a
very fast response time from DirectNIC, which we appreciate.

The worm is still fast-spreading; watch the statistics as they fly:
http://www.d9.pl/system/stats.php

The Facebook security team is working on this, and they are quite capable. The
security operations community has been doing analysis and take-downs, but the
worm seems to still be spreading.

All anti-virus vendors have been notified, and detection (if not removal)
should be added within a few hours to a few days.

For now, while users may get infected, their information is safe (UNLESS the
worm has a secondary contact C&C, which I have not verified yet).

It seems like some users may have learned not to click on links in email, but
any other medium does not compute.

	Gadi.

> More information here too:
> http://www.pcmag.com/article2/0,2817,2327272,00.asp
>
> Juha-Matti
>
> "John C. A. Bambenek, GCIH, CISSP" [bambenek.infosec@...il.com] wrote:
>> What's the infection vector? URL link? Rogue Facebook app?
>>
>> On Wed, Aug 6, 2008 at 4:44 PM, Gadi Evron <ge@...uxbox.org> wrote:
>>
>> > Hi all.
>> >
>> > There's a Facebook (possibly worm) something malicious sending fake
>> > messages from real users (friends).
>> >
>> > The sample also has a remote drop site (verified by someone who shall
>> > remain nameless).
>> >
>> > This is possibly Zlob, not verified. Thanks Nick Bilogorskiy for his
>> > help.
>> >
>> > Infection sites seen so far are on .pl domains.
>> >
>> > The AV industry will soon add detection.
>> > Facebook's security folks are very capable, so I am not worried on that
>> > front.
>> >
>> > It's not that we didn't expect this for a long time now, but...
>> > Be careful. Some users know to be careful in email.. but not on Facebook.
>> >
>> > Note: unlike 2003 when we called everything a worm and the 90s when
>> > everything was a virus--this is a bot which also spreads/infects on
>> > Facebook.
>> >
>> > Gadi.
>> >
>> >
>> > --
>> > "You don't need your firewalls! Gadi is Israel's firewall."
>> > -- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the
>> > Accountant General,
>> > Israel's Ministry of Finance, at the government's CIO conference,
>> > 2005.
>> >
>> > (after two very funny self-deprecation quotes, time to even things
>> > up!)
>> >
>> > My profile and resume:
>> > http://www.linkedin.com/in/gadievron
>