In the past hour a new application has begun spreading on Facebook, exploiting a weakness in the existing sharing system. Whatever you do, don’t click the link described below.
The system is straightforward. It suggests that you click “VERIFY MY ACCOUNT” within a link, which ultimately results in the user posting the same message to all their friends’ walls. The message typically resembles the following one:
In order to PREVENT SPAM, I ask that you VERIFY YOUR ACCOUNT. Click VERIFY MY ACCOUNT right next to comment below to start the process…
The result is that thousands of users have seen the message spreading to their profiles in the past hour or so. Our guess is that this message could reach hundreds of thousands of users before it’s shut down (unless Facebook’s security team is up right now). The bottom line is this: don’t click any of the links resembling the ones pictured below. Have you seen this spreading on your profile?
It probably won’t come as a surprise to anyone, but more evidence has come to light that cybercriminals are actively exploiting the Windows shortcut vulnerability (also known as CVE-2010-2568).
As with the earlier Stuxnet attack, our labs have analysed further examples of specially crafted shortcut (.LNK) files that point to malicious code and trick Windows into executing it without user interaction.
Overnight Sophos saw two malware samples that were being spread by the .LNK vulnerability. Customers of Sophos products were already protected as we detect the .LNK shortcuts generically as Exp/Cplink-A or Troj/Cplink – however, here is more information on the specific malware:
Troj/Chymin-A, also known as Chymine, is a keylogging Trojan horse designed to steal information from infected computers.
Troj/Chymin-A may be downloaded by exploited Windows Shortcut (.LNK) files.
W32/Dulkis-A is the more interesting of the two examples of malware we saw related to the exploit overnight, as it drops .LNK shortcut files that exploit the vulnerability onto removable drives such as USB sticks. Sophos products detect these .LNK files as Exp/Cplink-A.
W32/Dulkis-A is a Windows worm, written in obfuscated Visual Basic, which copies itself to any attached removable storage device using the files 9.tmp (detected as Mal/TDSSPack-Z), xxx.dll (detected as W32/Dulkis-A) and <randomname>.tmp (detected as Troj/Nebule-Gen).
As Microsoft has since confirmed, versions of Windows contain a vulnerability that allows a maliciously crafted Windows shortcut file (.lnk) to run a malicious DLL file, simply by being viewed on a USB stick.
Furthermore, the attack can be initiated automatically by viewing an affected USB storage device via Windows Explorer, even when AutoRun and AutoPlay are disabled. The Microsoft Security Response Center (MSRC) says that the security hole can also be remotely exploited via WebDAV and network shares.
You can watch the following YouTube video where Chet shows the attack in action:
In this case, the DLL executed carries a rootkit – helping hide the infection from prying eyes.
What is of particular concern, of course, is that other malicious hackers might try to exploit the vulnerability – as it would certainly be a useful tool in any malware’s arsenal. The chances of that occurring have increased over the weekend, as a hacker called Ivanlef0u published proof-of-concept code onto the internet.
In the past we’ve seen worms (Conficker is perhaps the most famous example) spread successfully via USB devices, which prompted many firms to disable AutoPlay.
There is a real risk that more malware will take advantage of the zero-day exploit now that the code is “out there”, taking things to a whole new level.
So far, Microsoft has not made a patch available for the problem and has given no timeline as to when a proper fix will be available. However, I’m sure they are feverishly working on a security update for this critical vulnerability.
SophosLabs is seeing another widespread malicious spam attack being sent to email addresses around the world. The emails, which have a malware-infected attachment called Contract_05_07_2010.zip, pretend to be a legal contract – however, opening the contents of the file could infect your Windows computer.
A typical email reads:
Subject: Permit for retirement
We have prepared a contract and added the paragraphs that you wanted to see in it.
Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.
If necessary, we can send it by fax.
Looking forward to your decision.
Attached file: Contract_05_07_2010.zip
Updated: Over 290,000 people have in the last few days clicked on a link that is spreading virally across Facebook, claiming to point to a video of someone who died after sending a text message on their cellphone.
The links are being posted on innocent Facebook users’ walls by a rogue application. A typical message posted by the rogue application reads:
I am shocked!!! I'm NEVER texting AGAIN since I found this out. Video here: http://bit.ly/a37TaB - Worldwide scandal!
If you do make the mistake of clicking on the link then you are taken to the rogue Facebook application.
The problem is that even though Facebook is warning users that they are giving the “I will never text again after seeing this” application permission to post to their wall (as well as access their personal information), many people still go ahead and press “allow”.
Why should you ever have to grant an application such permissions in order to watch a video?
Sigh... Sometimes you just feel like you’re hitting your head against a brick wall.
Sure enough – with the permission granted, the application begins to spread its links virally via your Facebook profile:
I'm Never Texting Again Since I Found This Out
<name> has seen a shocking video, which shows someone dying because of texting
Properly cleaning up your account after you have given permission for the rogue application to access your Facebook account takes two steps. But I’ll throw in a third for good measure.
1. Remove the application
Firstly, visit your Application Settings on Facebook and click on the “X” to remove the app from your profile.
You will be asked to confirm if you really want to remove it. Obviously the correct answer is to go ahead and remove it.
2. Clean up your wall
With the application gone, you now need to clean up your own wall – and stop advertising the link (and rogue application) to your online friends. Hovering your mouse over the posts on your wall should display a “Remove” option which will allow you to sanitise the news feed you are sharing with others.
3. Get smart
There are only two things you need to do to clean up your Facebook account, but I’d recommend you get yourself educated about internet threats too, so you’re wise to these sorts of attacks in the future. If you’re a regular user of Facebook, you should really join the Sophos page on Facebook to be kept informed of the latest security scares and attacks.
Yesterday we blogged about a new piece of Symbian malware, which we detected as SYMBOS_FLOCK.I. This malware targets users of older Series 60 devices.
Overall, the malware itself is very simple in its operation. It first prompts the user to install an application called ZvirOK 5.2!. The name suggests there are previous versions of this malware in existence (that, or it took the malware writer at least 5 attempts to get it right). Alternatively, the malware author wanted us to think that this is a legitimate application, and added the version number to make it appear as such.
Another interesting fact here is that the word Zvirok (Зверёк) roughly translates from Russian as “small animal”, which can sometimes be used as a nickname – indicating that this malware is of Russian origin. However, the Symbian Installer package (the .SIS file) specified the language of the application as PRC Chinese, which leaves it unclear where this malware really came from.
After installation, the malware executes a very simple Python script which uses some of Nokia’s Python libraries to send an SMS containing the text mumym xxx joker90 to the number 7205. The number 7205 is what is known as an SMS Short Code, a special shortened phone number for SMS or MMS messages that is normally used for competitions and marketing and can often be quite expensive to use. The malware does not spread itself in any way.
The number of digits in SMS shortcodes varies from country to country – for example in the US it is normally 5 or 6 digits, whereas in the UK it is fixed at 5 digits and begins with either a 6 or 8. Unfortunately both China and Russia use 4-digit SMS shortcodes – so there is no further hint here on the origin of this malware.
The last clue perhaps is in the SMS content itself. It’s highly likely that the phrase Joker90 refers to a particular model of scooter from Honda. Perhaps this SMS shortcode is used to enter a competition to win one of these scooters. If that is the case, I’m leaning towards China as the source of this malware, as scooters are more popular in China than in Russia, generally speaking.
Regardless of the source however, this will not be the last of these types of malware that we see in the future. Creating such malware is fairly trivial, and there is also a modest amount of money to be made. It is doubtful that any major cybercriminal will be packing up their botnets and moving to mobile malware anytime soon, but it continues to be used as an introduction to crime for the attackers on the first steps of the cybercrime ladder.
Twitter is becoming a common medium to spread spam, malware and all kinds of badness. Just a few weeks ago, we wrote about FIFA and the Gaza attacks being used as social engineering leverage by Trojan creators, and there are no signs of them stopping any time soon.
Over the past two weeks, several Twitter accounts were created for the sole purpose of tweeting Poison Ivy or Bifrost download links. Both Poison Ivy and Bifrost are backdoors, malicious programs that allow an unauthorized user access to the infected machine. Interestingly, these backdoor programs are uploaded at either freewebtown.com or leadhoster.com, both free web hosting sites.
Cybercrime groups, it seems, are broadening the scope of their social engineering by employing localization techniques. Quite clever, huh?
Lastly, these rogue Twitter accounts either have very few or no followers and following, which means the only way for potential victims to see the backdoor URL is to do a Twitter Search with the appropriate keywords. Hmmm… blackhat SEO Twitter style anyone?
One that I have seen crop up a lot is appearing in the status updates of Facebook users with phrases like:
This horrific photo forced photographer to kill himself! http://tinyurl.com/VerySadPhoto
This horrific photo forced photographer to kill himself! http://tinyurl.com/HorriblePic
Clicking on links like these can take you to Facebook pages with names such as “Man Commits Suicide 3 Days After Taking This Photo”.
These Facebook pages force you to first “Like” them and then republish the link on your own Facebook page (advertising it to your online friends) before you eventually get to see the photograph.
Just ask yourself this – do you really want to recommend a page to your friends, before you know what lies behind it? For all you know, you could be passing on a link which will ultimately take your online pals to a phishing page or malware.
As it happens, the pages are lying in any case.
The photograph – of an emaciated young girl in Sudan – was taken in March 1993 by prize-winning South African photo-journalist Kevin Carter. Carter did kill himself – but it was over a year later in South Africa, not three days after the photo was taken as claimed by the Facebook links.
You can probably imagine, however, that people would easily agree to publish the link to all their friends – in their morbid interest to see the photo – and thus help it spread quickly.
In fact, it’s no surprise that links like these are spreading so quickly and virally across Facebook, when popular pages such as “I like your makeup…LOL JK, it looks like you got gangbanged by Crayola” (currently 1.7 million fans and counting) have republished it to all of their followers.
Hundreds of thousands of Facebook users have fallen for a social-engineering trick which allowed a clickjacking worm to spread quickly over Facebook this holiday weekend.
Affected profiles can be identified by seeing that the Facebook user has apparently “liked” a link:
Messages seen being used by the spammers include:
"LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."
"This man takes a picture of himself EVERYDAY for 8 YEARS!!"
"The Prom Dress That Got This Girl Suspended From School."
"This Girl Has An Interesting Way Of Eating A Banana, Check It Out!"
Clicking on the links takes Facebook users to what appears to be a blank page with just the message “Click here to continue”.
However, clicking at any point of the page publishes the same message (via an invisible iFrame) to their own Facebook page, in a similar fashion to the “Fbhole” worm we saw earlier this month.
A clickjacking worm spread quickly across Facebook earlier today, tricking users into posting it to their status updates.
The worm, which some have dubbed Fbhole because of the domain it points to, posts a message like the following:
try not to laugh xD http://www.fbhole.com/omg/allow.php?s=a&r=<random number>
Clicking on the link would display a fake error message that would trick you – through a clickjacking exploit – to invisibly push a button that would publish the same message to your own Facebook status update. We’ve seen clickjacking exploited by hackers before in attacks on social networks, for instance in the “Don’t click” attack seen on Twitter in early 2009.
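The clickjacking mechanism described in the two posts above (the “Click here to continue” page and the Fbhole message) works because the target site lets itself be loaded in an invisible frame. As an added defensive example, not code from the original posts: the response headers a site should send so browsers refuse to frame it, plus an audit function that checks captured response headers for that protection. Function names and the returned reason strings are this example’s own choices.

```javascript
// Added example, not code from any of the posts quoted above: defensive checks
// against the clickjacking trick described there, where the target page is loaded
// in an invisible iframe so the user's click lands on a hidden "publish" button.
// The function names and reason strings below are this example's own choices.

// Response headers a site should send so browsers refuse to frame it.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",                           // legacy header, still widely honoured
    "Content-Security-Policy": "frame-ancestors 'none'", // modern equivalent; wins where supported
  };
}

// Parse a CSP header value into { directiveName: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Audit captured response headers (plain object, any header-name casing) and
// return "protected" or a short reason why the page can still be framed.
// Useful for sweeping a site's endpoints for pages exposed to this attack.
function auditFraming(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const csp = h["content-security-policy"];
  const fa = csp ? parseCsp(csp)["frame-ancestors"] : undefined;
  if (fa) {
    // 'none', 'self' or an explicit origin list is fine; a wildcard is not.
    return fa.includes("*") ? "frame-ancestors allows any origin" : "protected";
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return "protected";
  if (xfo.startsWith("ALLOW-FROM")) return "ALLOW-FROM is obsolete and ignored by current browsers";
  if (xfo) return "unrecognised X-Frame-Options value: " + xfo;
  return "no anti-framing header";
}

// Client-side backstop: true when the document is not the top-level window.
// Frame-busting scripts can be defeated, so this supplements the headers rather
// than replacing them; a framed page can at least refuse to render its controls.
function isFramed(win) {
  return win.top !== win.self;
}
```

Running `auditFraming` over the headers of a site’s action endpoints (the pages that publish, like or share) is the quickest way to find the ones a hidden-iframe attack could still drive.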