facebook worm

Gadi Evron ge at linuxbox.org
Thu Aug 7 04:44:37 UTC 2008


Hi all. You may want to be ready for a *possible* support lines flood 
today.

Yesterday I discovered a fast-spreading facebook worm. It spreads by 
sending messages to all your facebook friends, from your account, asking 
them to click on a link in the .pl ccTLD.

This worm is somewhat similar to zlob, here is a link to a kaspersky 
paper on a previous iteration of it, they call it koobface:
http://www.kaspersky.com/news?id=207575670

The worm collects spam subject lines from, and then sends the users 
personal data to the following C&C:
zzzping.com

I spoke with DirectNIC last night and the Registrar Operations (reg-ops) 
mailing list was updated that the domain is no longer reachable. That was 
very fast response time from DirectNIC, which we appreciate.

The worm is still fast-spreading, watch the statistics as they fly:
http://www.d9.pl/system/stats.php

The facebook security team is working on this, and they are quite capable. 
The security operations community has been doing analysis and 
take-downs, but the worm seems to still be spreading.

All anti virus vendors have been notified, and detection (if not removal) 
should be added within a few hours to a few days.

For now, while users may get infected, their information is safe (unless 
the worm has a secondary contact C&C which I have not verified yet).

It seems like some users may have learned not to click on links in email, 
but any other medium does not compute.

 	Gadi.




More information about the NANOG mailing list