Wednesday, October 21, 2009

W32/Koobface.worm spreads via Facebook and MySpace

W32/Koobface.worm spreads via Facebook and MySpace. Current variants only target either Facebook or MySpace specifically.
------------------------------------------------------------------------------------------------------------------------------

A new variant of Koobface.worm has been seen spreading. It creates a copy of itself in %WINDOWS% directory as:

freddy35.exe

(where %WINDOWS% is the Windows directory e.g. C:\Windows)

It connects to the following domains and IP to send informations and receive command through HTTP request.

1dns2[blocked].com
temp2[blocked].com
wm210[blocked].com
open21[blocked].com
er21[blocked].com
websrv[blocked].com
rserve[blocked].org
94.142.129.[blocked]

Issued commands includes downloading and installing new malware.

Downloaded malwares are identified as PWS-LDPinch, Generic Downloader.x and Puper.

The worm sends messages with a link like the one shown below, to FaceBook users.

Unsuspecting users may click the link which redirects to a page, a snapshot of which is as follows:

The displayed page contains an ActiveX control, which tells the user that their Flash Player is out of date. An attempt to update links to the Koobface malware file. At the time of testing this file was called "flash_update.exe"

Upon execution of the flash_update.exe file displays an error message but infacts drops and executes a

The file is a downloader and makes connections to the following domains:

y171108.com
aibcvienna.org
mediabspl.com

copy of itself from %WinDir%\bolivar28.exe

Upon execution, it downloads and opens an innocent picture(saved as %WinDir% \joke.gif) from the following web site:

img.123greetings.com

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It also downloads malwares(identified as BackDoor-AWQ.b trojan and Generic Backdoor trojan) from the following remote server:

ipluginu.cn
currentsession.net

The downloaded malwares further download other malwares.

The following files are added in %WinDir% folder:

%WinDir% \system32\splm\kbdsapi.dll
%WinDir% \system32\splm\lmfunit32.dll
%WinDir% \system32\splm\mcaserv32.dll
%WinDir% \system32\splm\ncsjapi32.exe
%WinDir%\system32\nScan\ecls.exe
%WinDir%\system32\nScan\ekrn.exe
%WinDir%\system32\nScan\ekrnAmon.dll
%WinDir%\system32\nScan\ekrnEmon.dll
%WinDir%\system32\nScan\ekrnEpfw.dll
%WinDir%\system32\nScan\ekrnScan.dll
%WinDir%\system32\nScan\em000_32.dat
%WinDir%\system32\nScan\em001_32.dat
%WinDir%\validate.inf

The following registry keys are added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B\StubPath: "%WinDir% \System32\splm\ncsjapi32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir% \System32\splm\ncsjapi32.exe"
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "2"
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Intelli Mouse Pro Version 2.0B: "%WinDir% \System32\splm\ncsjapi32.exe"
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir% \System32\splm\ncsjapi32.exe"
HKEY_USERS\Software\Microsoft\Windows\nScan32\ExecuteDate: "14\8\2008"

Hosts file is modified to disable the compromised machine to access most of security web sites:

such as:

ar.atwola.com
my-etrust.com
trendmicro.com
norton.com
nai.com
sophos.com
etc

The following files could be created depending on the variant (the filepath is hardcoded):

C:\WINDOWS\fbtre6.exe
C:\WINDOWS\mstre6.exe
C:\WINDOWS\f49f4d98.dat
C:\WINDOWS\t49f4d98.dat
C:\WINDOWS\fmark2.dat
C:\WINDOWS\tmark2.dat

The worm can connect to the following domain to do a HTTP post command and receive instructions to download and execute additional malware files:

zzzping.com

Facebook users receives links to download the worm via Inbox messages from infected users while links are posted in MySpace commentaries when infected MySpace users log into their account.

Current variant of the worm is faked as a codec installer named as codecsetup.exe. When the worm is ran, a dialog box will pop up with the message "Error installing Codec. Please contact support"

Symptoms -

Unexpected network connections to the previously mentioned domain

Method of Infection -

The worm spreads by fooling users into downloading and running it from links sent via Facebook and MySpace users.

Removal -

All Users:
Use specified engine and DAT files for detection and removal by your desktop Antivirus Program.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Aliases

Net-Worm.Win32.Koobface.b (Kaspersky)

Courtesy: McaFee.com

No comments:

Need for " INTERNET SECURITY "

INTERNET ..... has become a necessity for everyday life.The Internet is a unique medium with global impact, and within a relatively few number of years has become inextricably intertwined with the conduct of almost all human activity.
More >>

However, while using the Internet, along with the convenience and speed of access to information come new risks. Among them are the risks that valuable information will be lost, stolen, corrupted, or misused and that the computer systems will be corrupted. If information is recorded electronically and is available on networked computers, it is more vulnerable than if the same information is printed on paper and locked in a file cabinet. Intruders do not need to enter an office or home, and may not even be in the same country. They can steal or tamper with information without touching a piece of paper or a photocopier. They can create ...... more >>

Three -3 things that one must have to protect his/her PC from INTERNET Threats :
---------------------------------------------------------------------------------------------------------------------------------
These are :-

1) A Strong Firewall (eg. Zonealarm, Sygate etc.)

2) A Strong Anti-Virus (eg. McaFee, Kaspersky etc.)
&
3) A Strong Anti-Spyware/Malware.

STAY SAFE Online Guide
for FREE

Mistakes People Make that Lead to Security Breaches

Technological holes account for a great number of the successful break-ins, but people do their share, as well. Here are the SANS Institute's lists of silly things people do that enable attackers to succeed. read more ........

Setting Up Your F I R E W A L L : ---------------

Top 10 Most Commonly Used

Passwords To AVOID

Life these days has become largely dependent on passwords - whether we're checking our emails, transferring funds or shopping online, passwords have their part to play. We're constantly bombarded with horror stories of security breaches, fraud, and phishing sites. Users are consistently told that a strong password is essential these days to protect private data. Why is it, then, that users on websites opt for the same, consistent, insecure passwords time after time?

Search This Blog

-------------------------------------------------
DISCLAIMER: THIS SITE DOES NOT STORE ANY FILES ON ITS SERVER. WE ONLY INDEX AND LINK TO CONTENT PROVIDED BY OTHER SITES. ALL THE FILES ARE FROM INTERNET.

Unified Threat Management (UTM) Firewalls

Unified threat management (UTM) devices are the latest buzz in the security market. UTM devices are multifunction devices that combine many security applications -- firewall, VPN, intrusion prevention system (IPS), Web filtering and antivirus -- into a single hardware platform.

UTM firewalls offer significant management and cost advantages over single-purpose security products, but often require feature and functionality tradeoffs. Products dedicated to a single security application are typically more feature-rich and deliver higher performance.

Top 10 ---- Security Threats :
-----------------------------------

If you thought installing an anti-virus product was the end-all and be-all for your security, read on. For securing against virus is increasingly not going to be enough. There are other dangers lurking around with the Internet full of creepy crawlies.

With more than 217,000 various types of known threats and thousands more not yet identified, malware and adware is increasingly being released by professional and organized criminals now more than it has ever been. The following are the top security threats nowadays.

1.>> Password-stealing web sites
-------------------------------------
The number of password-stealing web sites are increasing every year using fake sign-in pages for popular online services such as eBay. More attacks that attempt to capture a user's ID and password by displaying a fake sign-in page, and increased targeting of popular online services such as eBay, will become more evident in coming days.

As evidenced by the phishing attacks that followed Hurricane Katrina, one can expect more attacks that take advantage of people's willingness to help others in need. In contrast, the number of attacks on ISPs are expected to decline while those aimed at the financial sector will remain steady.

2.>>Image spam on the rise
---------------------------------

The volume of spam, particularly bandwidth-eating image spam, is set to go up considerably. In November 2006, image spam accounted for up to 40 percent of the total spam received, compared to less than 10 per cent a year ago.
Image spam has been significantly increasing for the last few months and various kinds of spam, typically pump-and-dump stocks, pharmacy and degree spam, are now sent as images rather than text. Image spam is typically three times the size of text based spam, so it represents a significant increase in the bandwidth used by spam messages.

3.>> Video hackers on prowl
--------------------------------
The increasing popularity of video formats on social networking sites such as MySpace, YouTube and VideoCodeZone will attract malware writers seeking to easily permeate a wide network by targeting MPEG files as a means to distribute malicious code. Unlike situations involving email attachments, most users will open media files without hesitation.

Furthermore, as video is an easy-to-use format, functionality such as padding, pop-up ads and URL redirects become ideal tools of destruction for malware writers. In combination, these issues make malicious coders likely to achieve a high degree of effectiveness with media malware.

The W32/Realor worm, discovered in early November 2006, is a recent incident of media malware. The worm could launchmalicious web sites without user prompting, potentially exposing users to bots or password-stealers loaded onto these sites. Other media malware such as Exploit-WinAmpPLS could silently install spyware with very little user interaction.
As video-sharing networks on the web proliferate, the potential capture of a large audience will incite malware writers to exploit these channels for monetary gain.

4.>> More mobile attacks
----------------------------

Mobile phone attacks will become more prevalent as mobile devices become “smarter” and more connected than ever. Mobile threats will also grow because the platform convergence is happening fast. The use of smartphone technology has played a pivotal role in the threat's transition from multifunction, semi-stationary PCs to palm-sized "wearable" devices. With increased connectivity through BlueTooth, SMS, instant messaging, email, WiFi, USB, audio, video and Web, there are more possibilities for cross-device contamination.

This year saw efforts by mobile malware authors to achieve PC-to-phone and phone-to-PC infection vectors. The PC-to-phone vector was achieved with the creation of MSIL/Xrove.A, a .NET malware that can infect a smartphone via ActiveSync. Existing phone-to-PC vectors remain primitive in nature at this time, such as infecting via removable memory cards. However, the next stage will be achieved in 2007.

SMiShing, which involves taking the techniques of phishing by email and porting them to SMS (SMiShing, instead of phishing), is also expected to increase in prevalence. In August 2006, renowned antivirus & security vendor McAfee had received its first sample of a SMiShing attack with VBS/Eliles, a mass-mailing worm that also sends short message service (SMS) messages to mobile phones. By the end of September 2006, four variants of the worm had been discovered.

5.>> Adware will become mainstream
--------------------------------------------
Year 2006 saw an increase in commercial Potentially Unwanted Programmes (PUPs), and an even larger increase in related types of malicious Trojans, particularly keyloggers, password-stealers, bots and backdoors. Besides, misuse of commercial software by malware with remotely controlled deployment of adware, keyloggers and remote control software is on the rise.

However, despite the social, legal and technical challenges, there is so much commercial interest in advertising revenue models that global antivirus & security vendors expects to see more legitimate companies using or attempting to use advertising software in ways (hopefully) less objectionable to consumers than most current adware

6.>> ID theft and data loss to increase
--------------------------------------------
According to the U.S. Federal Trade Commission, approximately 10 million Americans are victims of identity fraud each year. At the root of these crimes is often computer theft, loss of backups, or compromised information systems.

While antivirus & security vendors expect the number of victims to remain relatively stable, company disclosures of lost or stolen data, increasing incidents of cyber thefts and hacking into retailer, processor and ATM systems and reports of stolen laptops that contain confidential data will make this one of the top public concerns.

The unauthorized transmission of information will become more of a risk for enterprises in the area of data loss and non-compliance. This includes loss of customer data, employee personal information and intellectual property from possible data leakage channels—applications, networks, and even physical channels, like USB devices, printers, fax and removable storage. There will be an increase in archival and encryption as the data loss prevention (DLP) market matures.

7.>> Bots all over
--------------------
Bots, or computer programmes that perform automated tasks, are on the rise, but will move away from Internet Relay Chat (IRC)-based communication mechanisms and towards less obtrusive ones. In the last few years, there has been an increasing interest within the virus-writing community in IRC threats. This was due to the power afforded by the IRC scripting language and the ease of coordinating infected machines from a chat-room type of structure.

“Mules” will also continue to be an important aspect in bot-related money making schemes. These are work-at-home type jobs which are offered through very professional-looking websites, through classified ads, and even through instant messaging (IM). These are a crucial part of the reason so many bots are able to be run from places around the globe.

In order to get merchandise (often to resell) or cash with stolen credit card credentials, the thieves have to go through more strict regulations if the goods are going to another country. To get around these regulations, they use mules within those originating countries

8.>> Parasitic malware coming back
------------------------------------------
Even through parasitic malware accounts for less than 10 percent of all malware (90 per cent of malware is static), it seems to be making a come back. Parasitic infectors are viruses that modify existing files on a disk, injecting code into the file where it resides.

When the user runs the infected file, the virus also runs. W32/Bacalid, W32/Polip and W32Detnat are three popular polymorphic parasitic file infectors identified in 2006 that have stealth capabilities and attempt to download Trojans from compromised web sites.

Also important to note is that 80 per cent of all malware is packed, encrypted, or obfuscated, in some attempt to disguise its malicious purpose. Examples of parasitic infectors that are obfuscated include w32/Bacalid and w32/Polip.

Antivirus & security vendors also tracked and monitored the payload deployed by W32/Kibik.a, a parasitic and zero-day exploit that includes rootkit heuristics, behavioural detection and IP blacklists that have been the talk (security) of the town in recent years, W32/Kibik.a makes an interesting attempt to survive in the competitive matrix of today.

From silent installation via a zero-day exploit, to silent residence and operations and virtually silent and innocent-looking Google search; W32/Kibik.a could well be the start of a new trend in the coming years in scalable remote controlled malware (a.k.a. botnet). It is no wonder that with its stealthy elements, few security vendors to date have detected or repaired W32/Kibik.a.

9.>> Rootkits to increase on 32-bit platforms
-----------------------------------------------------
The number of rootkits on 32-bit platforms will increase, but protection and remediation capabilities will increase as well. On 64-bit platforms, particularly Vista, malware trends are difficult to predict pending uptake rates for the 64-bit platform, but one can expect a reduction in kernel-mode rootkits, at least in the short-term, while malware authors invent new techniques designed to subvert the anti-virus patches.

Similarly, an increase can be expected in user-mode rootkits, and user-mode malware in general, or at least higher impact of 64-bit malware, as more advanced heuristic and behavioural techniques provided by most advanced security software is itself hindered by anti-virus patches.

10.>> Vulnerabilities on the rise
--------------------------------------
The number of disclosed vulnerabilities is expected to rise.Antivirus & security vendors expect the number Microsoft vulnerabilities to grow due to the increased use of fuzzers, which allow for large-scale testing of applications, and due to the bounty programme that rewards researchers for finding vulnerabilities.

Antivirus & security vendors has also noted a trend in zero-day attacks following Microsoft’s monthly patch cycle. Since the patches are issued only once per month, this encourages exploit writes to release zero-day Microsoft exploits soon after a month’s Patch Tuesday to maximize the vulnerability’s window of exposure.

For updates on latest threats for 2008, click here.

----------------------------------------------------------------------

The Ultimate Stop for Free Internet Security www.netsecurity4free.blogspot.com