facebook worm
Gadi Evron
ge at linuxbox.org
Thu Aug 7 04:44:37 UTC 2008
Hi all. You may want to be ready for a *possible* support lines flood
today.

Yesterday I discovered a fast-spreading Facebook worm. It spreads by
sending messages to all your Facebook friends, from your account, asking
them to click on a link in the .pl ccTLD.

This worm is somewhat similar to Zlob. Here is a link to a Kaspersky
paper on a previous iteration of it; they call it Koobface:
http://www.kaspersky.com/news?id=207575670

The worm collects spam subject lines from, and then sends the users'
personal data to the following C&C:
zzzping.com

I spoke with DirectNIC last night and the Registrar Operations (reg-ops)
mailing list was updated that the domain is no longer reachable. That was
very fast response time from DirectNIC, which we appreciate.

The worm is still fast-spreading, watch the statistics as they fly:
http://www.d9.pl/system/stats.php

The Facebook security team is working on this, and they are quite capable.
The security operations community has been doing analysis and
take-downs, but the worm seems to still be spreading.

All antivirus vendors have been notified, and detection (if not removal)
should be added within a few hours to a few days.

For now, while users may get infected, their information is safe (unless
the worm has a secondary contact C&C which I have not verified yet).

It seems like some users may have learned not to click on links in email,
but any other medium does not compute.

Gadi.