Webware

August 14, 2009 12:10 PM PDT

Security firms discover botnet on Twitter

by Caroline McCarthy

A Twitter account can be used as the command center for harnessing a "botnet" of virus-infected computers, security firms Arbor Networks and Symantec reported. In a blog post Friday, Symantec analyst Peter Coogan wrote that researchers found an account, @upd4t3, which was tweeting out links to download a piece of malware called Downloader.Sninfs. The account has since been suspended by Twitter.

Downloader.Sninfs, also known as Infostealer.Bancos, is a Trojan that uses the guise of a Brazilian banking site to collect passwords and related personal information from infected computers.

Security on Twitter is front and center right now, as the microblogging site was completely downed by a distributed denial-of-service attack last week that was targeting a Georgian political blogger. While other services like Facebook and the Google-owned Blogger were also hit by the attack, Twitter was the only one to suffer a full-out, hours-long outage, and it called into question just how secure the service really is.

But in this case, the Twittering botnet doesn't necessarily highlight a vulnerability that would be unique to Twitter.

"Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication," Coogan wrote.

This post was updated at 1:05 p.m. PDT to note that Arbor Networks also reported the Twitter-based botnet.

Originally posted at The Social
February 13, 2009 11:46 AM PST

Twitter fends off second clickjacking attack

by Elinor Mills

Twitter fended off a second clickjacking attack on Thursday night as the popular microblogging site plays cat-and-mouse with a prankster, the site confirmed on Friday.

"Yes, there was a second approach later in the day, same story as the first but with a slightly modified technique," Twitter co-founder Biz Stone wrote in an e-mail. "We took care of that too. Every day we're finding ways to improve the system."

"It's a convoluted cat-and-mouse game," Jeremiah Grossman, chief technology officer of WhiteHat Security, said earlier on Friday. "At least for the moment, Twitter is winning."

Twitter users first noticed the clickjacking prank on Thursday and later that day Twitter had shut it down. Tweets were popping up that said "Don't Click" followed by a link. Clicking the link took the user to a page that included a button that said "Don't Click." Clicking the button automatically distributed the identical tweet. As you can imagine, this spread pretty quickly.

Later on Thursday, the tweets started appearing again after someone figured out a way around Twitter's fix, said Grossman.

Basically, the clickjacking page with the "Don't Click" button on it has an invisible frame with a Twitter status update button superimposed over it, he said. Twitter's original fix wiped a page clean if it detected a frame on its pages, but then someone circumvented that and Twitter was forced to come up with another fix, according to Grossman.

The clickjacking is likely a harmless experiment, but it could be used for malicious purposes in the future, Grossman said.

Firefox users can download the NoScript extension to protect against clickjacking, but current versions of Internet Explorer do not offer protection, although IE 8 will, he said.

Originally posted at Security
February 12, 2009 11:12 AM PST

Twitter hit with 'Don't Click' clickjacking attack

by Elinor Mills

This graph shows how quickly the "Don't Click" tweets spread across Twitter.

(Credit: Sunlight Labs)

Twitter stopped a clickjacking attack on Thursday that quickly spread because it took advantage of social engineering and people's natural curiosity.

Tweets began appearing that said "Don't Click" followed by a link. Naturally, people clicked. When they did so, a tweet was sent from their account with the same "Don't Click" message and link.

"We patched the 'don't click' clickjacking attack 10 minutes ago. Problem should be gone," John Adams, aka Netik, an operations engineer at Twitter, tweeted around 11 a.m. PST.

The clickjacking appeared to be harmless and just propagated itself, according to a post on the Sunlight Labs blog.

The code "creates an iframe of the page, hides it, and when you click that button and you're logged into Twitter, it makes you post that message (even though you don't see it). There's not a bit of JavaScript involved. The only JavaScript on the page is their Google Analytics code," the Sunlight Labs post says.

Originally posted at Security
December 4, 2008 4:36 PM PST

Koobface virus hits Facebook

by Robert Vamosi

This message could lead you to the Koobface virus, say security experts.

(Credit: McAfee Avert Labs)

A worm responsible for sending Facebook users malicious code appears to be limited in nature, although the social engineering attack may be used again, say experts.

Facebook representative Barry Schnitt said the worm isn't new; it dates back to August, although the variant that first appeared on Wednesday targets only Facebook users.

Craig Schmugar, threat researcher for McAfee Avert Labs, confirmed this in a call with CNET News and said that, in general, Koobface strikes only social-networking sites.

After receiving a message in their Facebook in-box announcing, "You look funny in this new video" or something similar, recipients are then invited to click on a provided link. Once on the video site, a message says an update of Flash is needed before the video can be displayed. The viewer is prompted to open a file called flash_player.exe.

A new mass-mailing virus targeting Facebook users directs victims to a site asking to download a Trojan masked as an Adobe Flash update.

(Credit: McAfee Avert Labs)

Schmugar said the prompt for a new player should be a warning. "The messages you tend to get from these sites don't look quite right." For instance, IE will tell you where the update is coming from, and usually it's not an Adobe site.

If the viewer approves the Flash installation, Koobface attempts to download a program called tinyproxy.exe. This loads a proxy server called Security Accounts Manager (SamSs) the next time the computer boots up. Koobface then listens to traffic on TCP port 9090 and proxies all outgoing HTTP traffic. For example, a search performed on Google, Yahoo, MSN, or Live.com may be hijacked to other, lesser-known search sites.

Schmugar said this version of Koobface includes a bot-like component that could install other malicious apps at a later time.

Facebook's Schnitt said, "Only a very small percentage of Facebook users have been affected and we're working quickly to update our security systems to minimize any further impact, including resetting passwords on infected accounts, removing the spam messages, and coordinating with third parties to remove redirects to malicious content elsewhere on the Web."

Facebook has posted instructions on how to remove the infection.

McAfee's Schmugar said this attack is similar to e-mail attacks 10 years ago in that Koobface is using infected friends lists, reminiscent of early mass-mailing worms. As was the recommendation then, he advises users not to open any unexpected e-mail attachments, even if they are from someone you know.

Originally posted at Security
August 25, 2008 5:33 AM PDT

Facebook appears to be controlling 'wall spam'

by Caroline McCarthy

On Sunday, I had an e-mail alert about someone writing on my Facebook wall--a college acquaintance with whom I hadn't spoken in quite some time. As it turns out, I was a victim of "wall spam," a recent phenomenon on Facebook in which automated spam posts show up on members' message walls. It's similar to a wave of profile spam that swept News Corp.'s MySpace a few years ago.

The message in question read, "Some thinks you are special and has a hot^crush on you. Find out who it could be!! ;)" with a link to a Flash file claiming to be hosted on the imageshack.us domain.

But by the time I navigated to my Facebook profile to get rid of the spammy (and possibly virus-ridden) message--within an hour or two of the notification showing up in the first place--the wall post was gone. This means one of two things: someone else saw the message on my profile and flagged it, or Facebook is actively policing the site to keep it under control, probably by searching for duplicates of a known spam message.

Of course, an hour or two is still a big enough frame of time for people to click on the link and get their computers loaded with some nasty new malware.

I've asked Facebook for comment on exactly what their strategy is and whether any members' login credentials are getting compromised by this spam or virus. I'll update when I hear back.

"Wall spam" rose to notoriety earlier this month, when members started noticing the phenomenon, and security firms started flagging worms that were spreading via Facebook members' walls and installing malware when a link in the message was clicked. The company has recommended antivirus fixes and says it's acting fast.

The Silicon Alley Insider reported earlier this month that Facebook had been deactivating links in identified spam posts; removing the posts entirely is a more aggressive measure.

"If we get a report of a bug or a hole from a user, a security researcher, a reporter, blogger, or anyone, we check it out and fix it as quickly as possible," Facebook security chair Max Kelly wrote several weeks ago on the company blog in response to another virus. "In fact, we appreciate it when help comes our way from the many security experts and organizations out there."

Originally posted at The Social
January 24, 2008 8:35 AM PST

Best Buy issues security warning on Insignia digital picture frames

by Dawn Kawamoto

Say cheese...not.

Best Buy is warning customers who purchased its Insignia 10.4-inch Digital Picture Frames that their device may be harboring a virus, according to an advisory posted on its Web site over the weekend.

Insignia digital frames, with model number NS-DPF10A, may be infected with the virus, Best Buy states in its posting. The company is asking users to contact its Insignia customer care number, 877-467-4289, to determine whether their digital picture frame is infected and how to troubleshoot the virus that can travel through the USB cord and infect a user's PC.

Best Buy learned of the problem in the first week of January, after receiving several customer complaints, said company spokeswoman Nissa French. It took a couple of weeks for the company to ascertain the problem, which it attributes to a virus that was loaded onto the devices during the manufacturing process.

Best Buy, which sells the picture frames under its private label Insignia, has since pulled all remaining 10.4-inch Insignia picture frames and inventory from its shelves and Web site, and has discontinued the product's production. No recall, however, has been issued.

In the meantime, Best Buy is contacting all users who purchased the picture frames to warn them of the virus and determine whether their device has been infected, French said. She added that not all of the 10.4-inch picture frames are harboring the virus.

Users who connect their Insignia picture frame to a Windows-based PC may be at risk, but no other platforms are affected, she noted.

And because the virus has been in existence for a while, users' antivirus software may help inoculate the virus from the digital picture frame, she noted. Cameras and USB flash drives are also not affected.

Best Buy's digital picture frame virus is among a number of other holiday devices that have hit the scene with some funky security issues.

French, meanwhile, is checking into the number of users who purchased the Insignia 10.4-inch picture frame, as well as the name and type of virus that is loaded onto the device. Stay tuned...

Originally posted at News Blog
May 1, 2007 12:40 PM PDT

Virus spreads across Google Earth, virtually

by Harry Fuller

Avian flu on Google Earth

(Credit: Ohio State University)

Biomedical researchers wanted to get a good look at the avian flu virus. And they did not turn to a super microscope. They used Google Earth instead. With Keyhole Markup Language on Google Earth, scientists were able to trace the course of the disease over the past decade.

The Google Earth project animates the spread of avian flu virus. In addition, the data contains information on all known strains of the evolving flu virus plus all its host organisms. So far, avian flu has not proven highly contagious among humans, with fewer than 300 known cases worldwide. However, medical research is watching the virus's spread and evolution.

To check out the virus virtually, you need Google Earth downloaded. Then copy this link into your browser.

Originally posted at News Blog
February 28, 2007 4:52 PM PST

Demystifying online virus scans

by Jessica Dolcourt

Nearly every security vendor offers a free virus scan on its Web site, but it's not always clear what they are, how they work, or why you might want to use them in addition to or instead of downloadable security software.

What are online virus scans?

The most common online virus scans are hosted on security companies' Web sites and use ActiveX technology to scan your computer, flagging any files that show up in the company's spyware or virus definitions.

Exact methodologies vary from vendor to vendor, as does coverage. Panda ActiveScan claims it detects rootkits. Kaspersky updates its definitions hourly; others once a day. Some, such as F-Secure, require Internet Explorer, while others, such as Trend Micro, also support Firefox.

When should you use online virus scans?

Online scans are best used for sniffing out low-level threats that don't impede Internet access. They usefully offer a second opinion while conveniently skipping the installation steps of downloaded programs, and are usually compatible with security software already installed on your PC. If you're concerned about higher-level threats, be sure to read these techniques for removing a Trojan horse.

The disadvantages of online virus scans

Most scans are just malware detectors that won't remove pernicious software unless you purchase the product. That's not necessarily a drawback if you're open to new removal software; the online scans test-drive the product's efficacy. (BitDefender is an exception, offering gratis removal services in addition to a free scan.)

You'll also still want to allot a good chunk of time to the scans--deep examinations can take hours.

Popular scans

Some of the better-known online scans include:

- Kaspersky
- Trend Micro
- F-Secure
- Panda ActiveScan
- BitDefender (free removal)
