[Cialug] Security on social networking sites

[Josh More]

I had an interesting experience on flickr this morning, involving Windows malware.
The short form is: “If someone leaves you a comment and a URL on flickr (or some other social site), and you do not know them, do NOT click on the link.”

Details, if you are interested in what to look at when *safely* tracing malware, are at http://journal.starmind.org/2007/03/27/be-careful-on-social-networking-sites/
However, following the rule above, if you do not know me, you shouldn't click on the link, so the details are also included below.  As I hear more information from SANS and/or flickr, I will be updating my blog via the URL above.


Details:

I started my morning by uploading a set of photos to flickr. Almost immediately, I got a comment from a user that I did not recognize. By itself, that’s not unusual. However, what follows triggered my “weirdness” alarms.

The comment read as follows:

“This is such a cool pic, good work! I Love viewing your stream. I Recently constructed a gift for all of my favorite flickr users, you were included, so i would be honored if you can accept it and tell me if you like it or not! Thankyou!”

Then, there was a link. As it turns out, the link was to a windows executable, but it could just as easily have been to something harder to detect. What I did next is what saved me (or would have, had my system not been Linux which protected me anyway* from this attack).

Since I didn’t know the user, I checked out her profile. Interestingly, none of my photos were tagged as her favorites. Also, I was not listed as one of her contacts. So, if I wasn’t someone she knew well enough to keep track of that way, why would she be offering me a “gift”?

I poked a bit further, and found that the file behind the link was on a website having something to do with paintball. That’s odd, but not necessarily a bad thing. However, as she did not have any photos about paintball or listed paintball as an interest, I became more suspicious. Also, the file was stored in http://site/calendar/ws/PhotoSeries3412459741.exe

Those who are not in the industry might not know, but this means that it’s located within the WebCalendar application, which is not a normal place to store files. Additionally, there have been security problems with older versions of this application, so it was highly likely that the site was hacked.

I downloaded and scanned the executable, and it came back clean. But, to be safe, I decided to contact SANS (an excellent security group), and they helped me to track down the rest of it. It turns out that the exe file is a “trojan dropper”. It connects to another site to download the nasty bits. That way, it can bypass antivirus and other security measures.

SANS is contacting the site hosting the malware, and I will be contacting flickr. I suspect that flickr already knows, as they deleted the comment fairly quickly. However, they did not delete it from the RSS feed, which is how I read them. I will let flickr contact the user whose account was hacked.




-Josh More, RHCE, CISSP, NCLP 
 morej at alliancetechnologies.net 
 515-245-7701