Round 4 for Conficker and Twitter attacked

[SFSxOI]

Round 1 was the .A varient, Round 2 was the .B varient, Round 3 was the .C varient (.A and .B upgrading to .C on April 1st 2009), and now it looks like another round of Conficker. The new updated version of the Conficker bot net software circulating now as of last week kicked into action. This new one comes complete with an antivirus scam and got busy over this last week end with sending out 40,000 spam messages from just one infected machine in a 12 hour period (the machine was tracked down by Symantec researchers). A full network infected with this version is estimated to be able to send out 400 Billion spam emails in a single day, and thats just one network. Can you imagine trillions of spam emails sent by multiple networks continually? This version also downloads and launches a fake antivirus program called 'Spyware Protect 2009' (that comes from a site in the Ukraine, but it is also being downloaded from other sites as well.) which claims to identify multiple problematic files and offers to remove them for the convenient fee of $49.95 and of course credit cards are happily accepted. This version will spread as a worm until its due to expire on May 3, 2009. It brings with it a malware package which can both send spam and harvest personal information. It affects networks and non-networked individual computers.

A University of Utah computer network has been infested with this new version, including some machines at its hospitals. Can you imagine what would happen if all of those patient records were compromised by this thing?

Heres some information from the Kaspersky's antivirus blog about the new Conficker thing > http://www.viruslist.com/en/weblog?weblogid=208187654

And on top of the Conficker thing now Twitter has been attacked (not by Conficker) as well and its been traced to a 17 year old kid in Brooklyn New York named Mikeyy Mooney who exploited the Twitter API using Javascript. The script is hosted at a separate site and takes advantage of credentials stored by a browser or other specialized clients to update a Twitter user's profile URL. Once a user viewed that profile the script will be called and for the person that viewed the profile their own profile would be modified in turn. Once modified the profile starts sending out spam on Twitter. This is the very first attack on Twitter and the first time its been hit by malware. According to Mikeyy, he did this 'out of boredom' and wanted to make people aware of security holes and that the spam was an unintended consequence. As soon as the first round of attacks was taken care of by the Twitter people, it started again with a completly different spam message using a script from a different web site, so I guess a new 'pandoras box' was opened and someone else caught on to the script thing and its spreading.

What is this world coming to? Nothing is safe any more I guess. They should drag this Mikeyy twerp out back and beat the crap out of him for doing this stuff. As for the Conficker creators, who ever they may be, I hope there is a special place in hell for them.

[jack]

the claim by malware authors that they want to expose security flaws is bull, they ought to be shot, period.

[pdwyer]

They've built this great network grid, they should use it for something productive! Suck up the CPU cycles! If people are too apathetic to get basic patches on their PC's they they probably don't care if their PC spare cycles are syphoned off to help research Cancer, look for aliens or whatever.

Spam though... what a waste

[Joakim Christiansen]

The script is hosted at a separate site and takes advantage of credentials stored by a browser or other specialized clients to update a Twitter user's profile URL. Once a user viewed that profile the script will be called and for the person that viewed the profile their own profile would be modified in turn. Once modified the profile starts sending out spam on Twitter.

Hehe, I once made a script like that and "attacked" a Norwegian social networking site (they even wrote several articles about it). What they mean with "takes advantage of credentials stored by a browser" is that he used the javascript to steal their cookies. Once he got the cookies of an active session he can "pretend" (steal their session) to be that user, and then he can modify their profile and whatever. Don't be mad on him for doing that, be mad on Twitter having such a lousy security!

[srod]

Spam though... what a waste

You mean those 'personal organ' enhancement e-mails were fake? Ah crap, now you tell me!

[White Eagle]

You mean those 'personal organ' enhancement e-mails were fake? Ah crap, now you tell me!

There is an image I didn't need in my mind before my morning coffee

[pdwyer]

Spam though... what a waste

You mean those 'personal organ' enhancement e-mails were fake? Ah crap, now you tell me!

who says they are fake?

[SFSxOI]

who says they are fake?

Only people with non-overly active imaginations.

[SFSxOI]

The script is hosted at a separate site and takes advantage of credentials stored by a browser or other specialized clients to update a Twitter user's profile URL. Once a user viewed that profile the script will be called and for the person that viewed the profile their own profile would be modified in turn. Once modified the profile starts sending out spam on Twitter.

Hehe, I once made a script like that and "attacked" a Norwegian social networking site (they even wrote several articles about it). What they mean with "takes advantage of credentials stored by a browser" is that he used the javascript to steal their cookies. Once he got the cookies of an active session he can "pretend" (steal their session) to be that user, and then he can modify their profile and whatever. Don't be mad on him for doing that, be mad on Twitter having such a lousy security!

No, we really should be mad at him, and want to drag the little piece of crap out back and beat the S*** out of him. Just because something is weak is no excuse to exploit it to the detriment of others. If he was really interested in exposing security flaws he should have contacted the twitter people and demonstrated the vunlerability to them and let them fix it. By doing it the way he did it, if his reason was truely to point out a flaw (which I seriously doubt), it was detrimental to the other twitter users and has released something into the wild that others have now and will continue to exploit in some way. His reasoning (if he truely wanted to point out a flaw, and again, I doubt it) was flawed, his reasoning was greedy, self centered, self indulgent, and destruction orientated, and did not take into account the thousands of others using Twitter. His reasoning would have been much more sound and creative and helpful had he just told the Twitter people about it and let them fix it, heck, he would have been a hero to the Twitter people. Instead, now hes just another little piece of crap exploiter with an excuse and has just happened to have gotten away with it for now. His reasoning was flawed, and stupid. The excuse he gave is the same basic reasoning excuse that criminals give "I wanted to do it so I did.", and that is definately a sociopathic reasoning and the reason we have an internet full of viruses, trojans, worms, Identity thiefs, scams, and con artists, now.

[jack]

well said SFSxOI

[srod]

No, we really should be mad at him, and want to drag the little piece of crap out back and beat the S*** out of him

Gets my vote.

[pdwyer]

Life would be dull if there weren't things like this to read about.

Some people on this planet are literally dying due to the greed of others...
Some people put pics on naked children on the net, their "weapons" no more harmfull that a PC and a digital camera.

I don't think Conficker ranks that high on my anger scale by comparison. A long way down my list of people who should have S*** beat out of them.

[JCV]

That twitter spam is common in friendster since 3 years ago. I once reported a guy whose profile once viewed will automatically send a spam to all your friend list and it can also gather email account of the viewer and possible to auto close your account too. I sent the decrypted js file to fs team and after a day they had a maintenance and patched it. I think many guys actually find ways to change the layout of there profile like adding effects, removing adds, changing logos, but because of the nature of using javascripts this happens.

[srod]

I don't think Conficker ranks that high on my anger scale by comparison. A long way down my list of people who should have S*** beat out of them.

Aye, I agree, must beat the Welsh up first!

(And before anyone gets shirty; I am part Welsh myself and so will be first in line for receiving a good kicking!)

[SFSxOI]

All the welsh people? or just you?