Social Networks SOS: Worm Week in Review
Don't chat with worms as you would with your friends
As some of the fastest-growing communities in cyberspace, social networks are also the favorite playground for malware distributors. One of the most targeted networks of its kind is Facebook, whose huge database of personal information acts like a magnet for cyber-criminals.
The infamous Koobface worm made a comeback as Win32.Worm.Koobface.AOJ. Once installed on the local machine, the worm looks for cookies belonging to well-known social networks, such as Facebook®, Twitter®, Hi5™, Friendster® and MySpace™, among others. However, there's more to Koobface than meets the eye: each new iteration of the worm brings additional surprises that build on its previous features: CAPTCHA breakers, locally installed HTTP servers, keylogger and FTP file uploader components, as well as a rogue DNS changer and an advertisement pusher.
In order to spread from one infected account to another, Win32.Worm.Koobface.AOJ sends messages on behalf of the compromised users to all their friends. Since Facebook® is extremely restrictive with large numbers of messages originating from the same account in a short time span, the worm forces the infected user to solve the CAPTCHA dialog for it. After the CAPTCHA has been successfully "defeated", it posts a link to a fake YouTube™ video concealed behind a URL shortening service (usually bit.ly). Unwary users clicking on the malicious link will subsequently be asked to install a codec, which ultimately turns out to be the very downloader that drops, installs and "configures" the Koobface worm.
The Koobface family is one of the most advanced e-threats related to social networks. Its ability to compromise a wide range of social networks and its extremely advanced infection mechanisms make it the ultimate war machine, ready to lay siege to your social network accounts.
Win32.Worm.Prolaco.G is this week's second contender for ruining your online experience. Unlike the Koobface worm, it does not rely on social networks to spread, but uses fake Hi5™ friend requests to lure users into running it locally. Under different circumstances, the e-threat may also pose as Google™ job application feedback or fake Hallmark e-cards. This network-aware worm is extremely infectious: not only does it attempt to spread its code locally, but it also uses a mass-mailer component that harvests e-mail addresses from the local computer and spams its files outside the local network.
Given that some e-mail providers do not allow executable file formats to be attached to messages, in order to block deliberate attempts at infecting the recipients, the worm is conveniently placed in a zip archive called either PostCard.zip or InvitationCard.zip.
When unwary users open the archive, they are presented with a double-extension executable file called either document.jpg.exe or invitation.chm.exe (depending on the spam campaign). If run, the worm copies itself to the Windows System32 folder and also drops some of the above-mentioned e-mail templates into the temporary folder (from where they are spammed out to the local list of contacts). Win32.Worm.Prolaco.G adds a new entry to the Windows Registry in order to launch itself automatically upon every Windows startup.
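The double-extension lure described above (an executable named document.jpg.exe or invitation.chm.exe inside PostCard.zip or InvitationCard.zip) is easy to triage before an attachment reaches a user. The following is an added example, not BitDefender's code: it inspects an in-memory zip attachment, flags archive names matching the campaign and any member whose real executable extension hides behind a decoy one. The archive it builds is a constructed sample containing inert text, and the extension list and function names are my own choices.

```python
import io
import zipfile

# Executable extensions that, when placed after a decoy extension
# (document.jpg.exe, invitation.chm.exe), mark a double-extension lure.
# The list is an assumption for this example, not from the article.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# Archive names used by the Prolaco spam campaigns described above.
SUSPICIOUS_ARCHIVE_NAMES = {"postcard.zip", "invitationcard.zip"}


def is_double_extension_executable(name):
    """True for names like 'document.jpg.exe': at least two extensions,
    the last of which is executable. Plain 'setup.exe' is not flagged here;
    single-extension executables are a separate policy decision."""
    basename = name.rsplit("/", 1)[-1].lower()
    parts = basename.split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS


def triage_zip_attachment(archive_name, data):
    """Return a list of findings for a zip attachment held in memory.
    A non-zip payload is reported rather than raising."""
    findings = []
    if archive_name.lower() in SUSPICIOUS_ARCHIVE_NAMES:
        findings.append(f"archive name matches known lure: {archive_name}")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if is_double_extension_executable(member):
                    findings.append(f"double-extension executable: {member}")
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid zip archive")
    return findings


def build_sample_archive():
    """Constructed sample mimicking the lure layout; the 'executable'
    member is harmless text, not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.jpg.exe", "not a real executable")
        zf.writestr("readme.txt", "harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip_attachment("PostCard.zip", build_sample_archive()):
        print(finding)
```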
The worm is more than a simple spamming tool, though. Its ultimate purpose is the installation of a remote access tool that allows an attacker to seize control of the infected machine and dispose of the stored data at will.
In order to stay safe, BitDefender® recommends that you download, install and update a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection, and that you exercise extra caution when prompted to open files from unfamiliar locations.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.