Facebook Worm

Reply Mon 8 Dec, 2008 12:14 pm
In the last few days I've received a couple of these emails myself. Did not click the links. If you receive similar ones, do not click the links.


Worm spreads on Facebook, hijacks users' clicks
Social network cleaning up mess, but worm still on the loose, says researcher

By Gregg

December 5, 2008 (Computerworld) Facebook Inc. is resetting some user passwords and scrubbing the service of malicious links in an attempt to eradicate a fast-spreading worm that redirects infected machines to a little-known search site, the company and security researchers said today.

The "Koobface" worm, which has been circulating through the popular social networking service since at least Wednesday, continues to be a problem, said Craig Schmugar, a threat researcher at McAfee Inc.

"We're not seeing increases in propagation," he acknowledged today, but noted that cleanup was a tough chore for Facebook. "It's a bit of a cat-and-mouse game for them," he said. "There are certainly millions of links on Facebook. How do you know which are the bad ones, which are the good ones? That's not without problems."

Wednesday, Schmugar was one of the first security researchers to notice Koobface's spread and notify Facebook.

Earlier in the week, Facebook users began reporting receiving spam messages such as "You look just awesome in this new movie" or "You look so amazing funny on our new video" that tried to dupe them into clicking on a link. Schmugar said that if they did, they were taken to one of several compromised sites that then displayed a fake error message claiming that Adobe System Inc.'s Flash was out of date, and prompted them to download an update.

The "update" was nothing of the kind, but instead was an executable file that installed the Koobface worm, which in turn installed a background proxy server that redirected all Web traffic. According to Schmugar, the proxy servers listens on TCP port 9090, particularly for search requests to the major search engines, including Google, Yahoo and Microsoft's Live Search.

"Search terms are directed to find-www.net," Schmugar said, "[which] enables ad hijacking and click fraud." The hackers are making money by redirecting users' searches to their own results, collecting cash from the ensuing clicks.

When Computerworld entered "thomas jefferson" as a search string at find-www.net, for example, the top result was a pitch for a free antivirus scanner. That scanner was, in fact, bogus and simply the first step in a so-called scareware scam that relies on sufficiently spooking users with phony warnings that they pay for fake security software.

Today, Facebook said it was dealing with the worm. "We're working quickly to update our security systems to minimize any further impact, including resetting passwords on infected accounts, removing the spam messages and coordinating with third parties to remove redirects to malicious content elsewhere on the Web," said spokesman Barry Schnitt in an e-mail.

He urged users to avoid links that "seem strange," and suggested that they arm themselves with up-to-date antivirus software. "The messages for this issue all have a title that is poorly spelled about seeing a video of someone, the text of the message has one to three words in all caps and then a spammy link," said Schnitt.

Koobface is a variant of one that hit MySpace, another well-known social networking service, last August, said McAfee's Schmugar. The earlier version targeted both MySpace and Facebook, he added, but the newest ignores the former and focuses on the latter. There are more than two dozen variants of the worm in circulation.

Facebook has posted a short message on its security page acknowledging the worm's attack. The notice urged users whose accounts had already been compromised to scan their PCs for malware and then reset their passwords.
  • Topic Stats
  • Top Replies
  • Link to this Topic
Type: Discussion • Score: 3 • Views: 1,815 • Replies: 8
No top replies

Region Philbis
Reply Mon 8 Dec, 2008 12:55 pm
haven't seen this yet -- signed up with my work e-mail, so we may be protected here.

thanx for the head's up...
Reply Mon 8 Dec, 2008 01:44 pm
Whoever joins such a site deserves such retribution.
0 Replies
High Seas
Reply Mon 8 Dec, 2008 03:18 pm
@Region Philbis,
For heavens' sake, don't post live links if you don't want people to click on them! We got some naifs around here. Besides, who cares about Facebook - all military networks went offline days ago and now communicate only via deep-cover connections:
The worm turns

Dec 4th 2008
From The Economist print edition
A cyber-attack alarms the Pentagon

BATTLEFIELD bandwidth is low at best, making networks sticky and e-mails tricky. American soldiers often rely on memory sticks to cart vital data between computers. Off-duty, they use the same devices to move around music and photos. The dangers of that have just become apparent with the news that the Pentagon has banned the use of all portable memory devices because of the spread of a bit of malicious software called agent.btz.

This is a “worm”, meaning that it replicates itself. If you have it on, say, the memory card of a digital camera it will infect any computer to which you upload photos. It will then infect any other portable memory plugged into that computer (the cyber-equivalent, one might say, of a sexually transmitted disease). On any computer hooked up to the internet, this variant tries to download more nasty stuff: in this case two programs that access the hard-drive. Was it a humdrum crime of trying to steal banking details? Or something more serious? The trail has gone cold.

In any case, the malicious software (malware in the jargon) penetrated at least one classified computer network. The problem was severe enough for Admiral Michael Mullen, the chairman of the joint chiefs of staff, to brief George Bush on it. Officials are saying little more than that.

Kimberly Zenz, an expert on cyberwarfare at VeriSign iDefense, a computer security company that is investigating the attack, notes that it is not clear that agent.btz was designed specifically to target military networks, or indeed that it comes from either Russia or China (two countries known to have state-sponsored cyberwarfare programmes that regularly target American government computer networks).

Indeed, she says, by the standards of cyberwarfare, agent.btz is pretty basic; it is a variant of a well-known bit of malware called the SillyFDC worm, which has been around for at least three years. By contrast, a government commission warned Congress last month that “since China’s current cyber operations capability is so advanced, it can engage in forms of cyberwarfare so sophisticated that the United States may be unable to counteract or even detect the efforts.”

The most remarkable feature of the episode may not be the breach of security, but the cost of dealing with it. In the civilian world, at least one bank has dealt with agent.btz by blocking all its computers’ USB ports with glue. Every bit of portable memory in the sprawling American military establishment now needs to be scrubbed clean before it can be used again. In the meantime, soldiers will find it hard or outright impossible to share, say, vital digital maps, let alone synch their iPods or exchange pictures with their families.
Region Philbis
Reply Mon 8 Dec, 2008 04:07 pm
@High Seas,
butrflynet's link is perfectly safe.
reread her post -- she said not to click on links you receive in a facebook related e-mail...
High Seas
Reply Mon 8 Dec, 2008 04:18 pm
@Region Philbis,
Ah, that explains it, thanks - wondered about it, as I know she's always very careful with computer security.

Things are getting really NASTY out there, as you gathered Smile
Region Philbis
Reply Mon 8 Dec, 2008 06:14 pm
@High Seas,
i like to liken people who create and plant viruses to wanna-be terrorists...
High Seas
Reply Thu 11 Dec, 2008 05:47 pm
@Region Philbis,
Region Philbis wrote:

i like to liken people who create and plant viruses to wanna-be terrorists...

It's exactly equivalent to poisoning the water supply, and worms are worse than viruses, because they replicate. I don't know if the internet or water poisoners are considered terrorists under the law, though they should be.

At least those nuts who become suicide bombers die while making a political statement of some sort - but I really, really can't understand what the internet poisoners can possibly hope to accomplish, or how.
Reply Fri 12 Dec, 2008 04:49 am
@High Seas,
What they attempt to accomplish these days (because viruses, et. al used to be written mainly for fun by teenagers) is to get account info. It's for the ka-ching.
0 Replies

Related Topics

So I just joined Facebook.... - Discussion by DrewDad
YouTube Is Doomed - Discussion by Shapeless
Internet disinformation overload - Discussion by rosborne979
Participatory Democracy Online - Discussion by wandeljw
OpenDNS and net neutrality - Question by Butrflynet
Internet Explorer 8? - Question by Pitter
  1. Forums
  2. » Facebook Worm
Copyright © 2023 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.04 seconds on 03/21/2023 at 11:06:36