Posts tagged: Worm

Jan 06 2012

Ramnit Worm Targets Facebook, Over 45,000 Accounts Compromised

Ramnit Worm FacebookMuch has been written about the Ramnit worm and its transformation into a financial malware. And now, Seculert’s research lab has discovered that Ramnit recently started targeting Facebook accounts with considerable success, stealing over 45,000 Facebook login credentials worldwide, mostly from people in the UK and France.

Discovered in April 2010, the Microsoft Malware Protection Center (MMPC) described Ramnit as “a multi-component malware family which infects Windows executable as well as HTML files”, “stealing sensitive information such as stored FTP credentials and browser cookies”. In July 2011 a Symantec report estimated that Ramnit worm variants accounted for 17.3 percent of all new malicious software infections.

In August 2011, Trusteer reported that Ramnit went ‘financial’. Following the leakage of the ZeuS source-code in May, it has been suggested that the hackers behind Ramnit merged several financial-fraud spreading capabilities to create a “Hybrid creature” which was empowered by both the scale of the Ramnit infection and the ZeuS financial data-sniffing capabilities.

With the recent ZeuS Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms. As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands.

Seculert has provided Facebook with all of the stolen credentials that were found on the Ramnit servers.

Aug 28 2011

Windows Remote Desktop Worm “Morto” Spreading

F-Secure Lab just found a new Internet worm, and it’s spreading in the wild. The worm is called Morto and it infects Windows workstations and servers. It uses a new spreading vector that we haven’t seen before: RDP (Remote Desktop Protocol). Windows has built-in support for this protocol via Windows Remote Desktop Connection. Once you enable a computer for remote use, you can use any other computer to access it.

Windows Remote Desktop Worm Morto

When you connect to another computer with this tool, you can remotely use the computer, just like you’d use a local computer.

Windows Remote Desktop Worm Morto

Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.

When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
…….
………..

Once you are connected to a remote system, you can access the drives of that server via Windows shares such as \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.

The infection will create several new files on the system including \windows\system32\sens32.dll and
\windows\offline web pages\cache.txt.

Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net.

F-Secure Lab detected Morto components as Backdoor:W32/Morto.A and Worm:W32/Morto.B.

Jan 09 2011

Facebook virus spreads via photo album chat messages

A new social networking worm in the vein of Koobface is currently doing the rounds.

Unlike the majority of Facebook scams, this one actively infects your computer with malware instead of simply tricking you into taking surveys and passing on messages to other users.

The link in his Facebook chat from a friend pointed to an app.facebook.com/CENSORED link. Typically when you go to a Facebook app page it prompts you to add the application and grant it permission to post on your behalf or read your profile data. The scary part about this one is that it immediately prompts you to download a “FacebookPhotos#####.exe” file with no prompting or clicking required.

Facebook Photo Virus

The screen reads “Photo has been moved. This photo has been moved to other location. To view this photo click View Photo.” If your computer has not already downloaded the malware, the “View Photo” button will download the virus for you.

It is really unfortunate that Facebook scams are moving back towards spreading malware. Fortunately, users of Sophos Anti-Virus had proactive protection from this threat with both our HIPS and suspicious file detection technologies; this particular strain is now identified by Sophos as W32/Palevo-BB.

The good news is that, Facebook removed the malicious application from its service. But there are probably many more applications like this one making the rounds, so, as always, beware of unusual messages from friends whether they are in email, on their walls, or in an instant message.

Sep 10 2010

Email Worm Spreading Like Wildfire – W32.Imsolk.B@mm

A fast-moving email worm that began spreading on Thursday has been able to affect hundreds of thousands of computers worldwide, anti-virus provider Symantec warned.

The email arrives with the subject “Here you have.” An executable screensaver that’s disguised as a PDF document then tries to send the same message to everyone listed in the recipient’s address book. The .scr file is a variation of the W32.Imsolk.A@mm worm Symantec discovered last month.

In addition to spreading through email, it can propagate through mapped drives, autorun and instant messenger. It also has the ability to disable various security programs.

The worm is a throwback to attacks not seen in almost a decade, when the Anna Kournikova and I Love You attacks wreaked havoc on email systems worldwide. The Here You Go worm appears to different in that the malicious payload is downloaded from a page on members.multimania.com, rather than being attached to the email. That could make efforts to eradicate the worm easier.

Then again, McAfee said multiple variants of the worm appear to be spreading, so it’s not yet clear that the malicious screensaver is hosted by a single source.

Source: The Register
More Info: New Round of Email Worm, “Here you have”

Sep 30 2009

Reddit Hit by XSS Worm

Reddit (reddit.com) is a social news website, and it’s much better than Digg or Slashdot. However, it got hit today by a XSS worm that was spreading via comments on the site.

It all started with a user called, suitably enough, xssfinder. His account has already been deleted. This user posted some test comments exploiting the fact that Reddit wasn’t filtering out JavaScript in certain instances when you were hovering your mouse over text.

When xssfinder got his script working, he tested it by posting one comment to a popular link called “Guy on a bike in New York ‘high fives’ people hailing cabs”.

Reddit XSS Attack

After this, things happened quickly.

People reading comments ended up sending massive amounts of new comments to Reddit threads.

Right now things have calmed down. Reddit was never down, and Reddit administrators have closed this vulnerability. Malicious comments are being mass deleted right now.

Source: F-Secure Weblog