Fake Conflicker.B Infection Alert puts internet users at risk

February 19, 2010 by admin  
Filed under Security News

The global network of spamtraps controlled by the experts inside SophosLabs is seeing a swarm of attacks today, posing as an email warning about the Conficker worm.


Here is a typical message that has been spammed out by hackers:


Subject: Conflicker.B Infection Alert
Attached file: open.zip


Message body:


Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division


Opening the file attached to the email (in this case it’s called open.zip) infects your computer with malware which Sophos detects as Mal/EncPk-KW.


The wording is nearly identical to a similar attack I blogged about last October.


What surprises me is that during the last few months the hackers behind the attack appear to have made no effort to fix mistakes in their disguise – for instance, it should say Conficker in the subject line not Conflicker!


I can only presume that they’re counting on their potential victims not spotting that typo. It certainly has not stopped the cybercriminals from sending out the infected messages en masse today. Presently this malicious spam campaign is one of the most commonly seen examples of file attachment malware being spread around the world.


By Graham Cluley, Sophos


Ikee worm author gets job at iPhone app firm

November 26, 2009 by admin  
Filed under Security News

The author of the world’s first iPhone worm must be feeling pretty chirpy today, because he’s managed to get himself a job as an iPhone application developer.


21-year-old Australian Ashley Towns revealed on his Twitter feed earlier today that he was going to join mogeneration (What is it with companies who insist on being spelt in lowercase? Does anyone really think that looks cutting-edge anymore?).


Read more

First iPhone worm discovered – ikee changes wallpaper to Rick Astley photo

November 8, 2009 by admin  
Filed under Security News


Apple iPhone owners in Australia have reported that their smartphones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.


The worm, which could have spread to other countries although we have no confirmed reports, is capable of breaking into jailbroken iPhones if their owners have not changed the default password after installing SSH. Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again.


On each installation, the worm – written by a hacker calling themselves “ikex” – changes the lock background wallpaper to an image of Rick Astley with the message:

ikee is never going to give you up

What’s clear is that if you have jailbroken your iPhone or iPod Touch, and installed SSH, then you must always change your root user password to something different than the default, “alpine”. In fact, it would be a good idea if you didn’t use a dictionary word at all.


The worm will not affect users who have not jailbroken their iPhones or who have not installed SSH.


SophosLabs is analysing the worm’s code, which suggests that at least four variants have been written so far. One of the attributes of the latest variant (labelled the “D” version) is that it tries to hide its presence by using a filepath suggestive of the Cydia application.


The source code is littered with comments from the author suggesting the worm has been written as an experiment. One of the comments berates affected users for not following instructions when installing SSH, because if they had changed the default password the worm would not have been able to infect them.


Presently it appears that the worm does nothing more malicious than spread and change the infected user’s lock screen wallpaper. However, that doesn’t mean that attacks like this can be considered harmless.


Accessing someone else’s computing device and changing their data without permission is an offence in many countries – and just as with graffiti there is a cost involved in cleaning up affected iPhones.
Other inquisitive hackers may also be tempted to experiment once they read about the world’s first iPhone worm. Furthermore, a more malicious hacker could take the code written by ikee and adapt it to have a more sinister payload.


iPhone users may rush into jailbreaking their iPhones in order to add functionality that Apple may have denied to them, but if they do so carelessly they may also risk their iPhone becoming the target of a hacker.


My prediction is that we may see more attacks like this in the future. Indeed, only last week we saw hacked iPhones in the Netherlands being held hostage for 5 Euros.


Who wrote the ikee iPhone worm?

The source code of the worm says at its start:

/ "ikee virus" by ikex
/ Revision: 10 (Variant D)

A quick trawl of the Whirlpool forum where users are reporting that their iPhones are unexpectedly displaying an image of Rick Astley, reveals a user calling themselves “ike_x”.


According to ike_x’s user profile on the Whirlpool forum he is based in Sydney. Further searching on the internet reveals other pages seemingly related to ike_x of Sydney, using the name “Ash” or “Ashley Towns”. For instance, here is a MySpace page and this appears to be Ash/ikex on Twitter.


The worm’s author appears to have realised that people might be interested to learn why he wrote the worm, and posted this explanation inside the code:

Why?: Boredom, because i found it so stupid the fact that on my initial scan of my 3G optus range i found 27 hosts running SSH daemons, i could access 26 of them with root:alpine. Doesn't anyone RTFM anymore?

There is a certain irony in the notion that a hacker who says he was trying to expose sloppy security by the owners of jailbroken iPhones has done such a bad job of covering his own tracks.


Source of image of affected iPhone: Batman from the Whirlpool forums.


By Graham Cluley, Sophos


How to Remove All Types of Magania (W32_Gammima,Trojan-GameThief,Taterf,Win32.Inhoo) Trojan

October 13, 2009 by admin  
Filed under Removal Tips,Tools and Videos




- The Magania trojan sets the drive to autoplay by creating an autorun.inf file in its root directory. If the drive is shared across the network, other remote computers can be infected any time they try to access this share.

- Downloads/requests other files from the Internet.

- Creates a startup registry entry.
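As an added illustration of the autorun.inf trick described above (this is example code written for this page, not a Sophos tool), the following helper parses an autorun.inf found in the root of a removable or shared drive and flags entries that would launch a program when the drive is opened or explored. The sample files, including the dropper file name, are constructed.

```python
"""Inspect an autorun.inf from a removable or shared drive and flag entries that
would launch a program on access. Hypothetical helper, not Sophos's own code."""
import re

# Extensions an autorun.inf on a data drive should never need to launch directly.
LAUNCHABLE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)

def parse_autorun(text):
    """Tolerant INI parse of the [autorun] section.
    Worm-dropped files are often padded with junk lines, so lines without '='
    are skipped instead of aborting. Keys are lower-cased; values are kept as-is."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # a BOM is sometimes present
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def find_autorun_risks(text):
    """Return (key, value) pairs that make Windows launch a program when the
    drive is opened or explored, the mechanism Magania-style worms rely on."""
    findings = []
    for key, value in parse_autorun(text).items():
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and LAUNCHABLE.search(value):
            findings.append((key, value))
    return findings

# Constructed sample in the style of a worm-dropped autorun.inf (file names are made up).
MALICIOUS_SAMPLE = """[AutoRun]
;;;;garbage padding;;;;
open=RECYCLER\\sample_dropper.exe
shell\\open\\Command=RECYCLER\\sample_dropper.exe -auto
shellexecute=sample_dropper.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
# Constructed benign sample: a vendor disc that only sets a label and an icon.
BENIGN_SAMPLE = "[autorun]\nlabel=Vendor Disc\nicon=setup.exe,0\n"

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, find_autorun_risks(sample))
```

Any finding is a reason to treat the drive as infected and to disable autoplay before it is opened on another machine.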


Read more

Removal of W32/Koobface.GJ Worm (Manual)

Note: Please don’t try this if you don’t know how to do these steps; you can ask us for help.

W32/Koobface.GJ is a worm. The worm infects Windows systems.
This worm copies its files to the Windows folder as hidden files or as active, non-hidden files.
This worm information was updated on July 14, 2009.
Other names of the W32/Koobface.GJ worm:
This worm is also known as Net-Worm.Win32.Koobface.gj and WORM_KOOBFACE.DJ.
Read more
