[Cialug] Security on social networking sites

Neal Daringer neal.daringer at gmail.com
Tue Mar 27 23:59:02 CDT 2007 

this is a fairly normal way of malware to get around. been happening for a
long long time. i remember seeing this method on early AOL. it spreads much
like any email virus. some poor victim gets infected and logs into flickr
then their account is hacked by the malware and the malware starts to send
out messages to everyone it can on trying to get it to download and run the
malware. i dont know why social networking sites just dont block external
links from being sent to a contact that hasnt allowed them to be sent to
them. i sure know i dont want any external links. i get stuff like this all
the time on myspace and am ready to delete my account because of it. grr

oh well its just malware. if your stupid enough to install it, i'll take
your money to get it off :P



On 3/28/07, Josh More <morej at alliancetechnologies.net> wrote:
>
> I had an interesting experience on flickr this morning, involving Windows
> malware.
> The short form is: "If someone leaves you a comment and a URL on flickr
> (or some other social site), and you do not know them, do NOT click on the
> link."
>
> Details, if you are interested in what to look at when *safely* tracing
> malware, are at
> http://journal.starmind.org/2007/03/27/be-careful-on-social-networking-sites/
> However, following the rule above, if you do not know me, you shouldn't
> click on the link, so the details are also included below.  As I hear more
> information from SANS and/or flickr, I will be updating my blog via the URL
> above.
>
>
> Details:
>
> I started my morning by uploading a set of photos to flickr. Almost
> immediately, I got a comment from a user that I did not recognize. By
> itself, that's not unusual. However, what follows triggered my "weirdness"
> alarms.
>
> The comment read as follows:
>
> "This is such a cool pic, good work! I Love viewing your stream. I
> Recently constructed a gift for all of my favorite flickr users, you were
> included, so i would be honored if you can accept it and tell me if you like
> it or not! Thankyou!"
>
> Then, there was a link. As it turns out, the link was to a windows
> executable, but it could just as easily have been to something harder to
> detect. What I did next is what saved me (or would have, had my system not
> been Linux which protected me anyway* from this attack).
>
> Since I didn't know the user, I checked out her profile. Interestingly,
> none of my photos were tagged as her favorites. Also, I was not listed as
> one of her contacts. So, if I wasn't someone she knew well enough to keep
> track of that way, why would she be offering me a "gift"?
>
> I poked a bit further, and found that the file behind the link was on a
> website having something to do with paintball. That's odd, but not
> necessarily a bad thing. However, as she did not have any photos about
> paintball or listed paintball as an interest, I became more suspicious.
> Also, the file was stored in
> http://site/calendar/ws/PhotoSeries3412459741.exe
>
> Those who are not in the industry might not know, but this means that it's
> located within the WebCalendar application, which is not a normal place to
> store files. Additionally, there have been security problems with older
> versions of this application, so it was highly likely that the site was
> hacked.
>
> I downloaded and scanned the executable, and it came back clean. But, to
> be safe, I decided to contact SANS (an excellent security group), and they
> helped me to track down the rest of it. It turns out that the exe file is a
> "trojan dropper". It connects to another site to download the nasty bits.
> That way, it can bypass antivirus and other security measures.
>
> SANS is contacting the site hosting the malware, and I will be contacting
> flickr. I suspect that flickr already knows, as they deleted the comment
> fairly quickly. However, they did not delete it from the RSS feed, which is
> how I read them. I will let flickr contact the user whose account was
> hacked.
>
>
>
>
> -Josh More, RHCE, CISSP, NCLP
> morej at alliancetechnologies.net
> 515-245-7701
>
>
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cialug.org/pipermail/cialug/attachments/20070328/9ea8bfd2/attachment.htm

More information about the Cialug mailing list