Conficker Time Bomb Targets Southwest Airlines, Others This March
Sophos Security is warning that the Conficker/Downadup worm (“Conficker worm”) is targeting multiple domains — including Southwest airlines — that could end up causing Denial of Service (DoS) attacks and temporary disruptions. The Conficker worm has been kicking around since last year and usually spreads via a) removable storage devices such as USB drives and b) network sharing. It exploits a Windows vulnerability that was patched by Microsoft last year.According to a blog entry by Mike Wood of SophosLabs Canada, those computers infected with the Conficker worm are programmed to contact wnsux.com, which will redirect visitors to the main Southwest.com site on March 13. (Source: sophos.com) Conficker and Southwest: Why Tango?
The problem with a legitimate site like Southwest.com making it onto Conficker’s radar? Wood gives two reasons: without proper investigation, Southwest may end up on a blocklist, and users will be prevented from accessing their services. In addition, millions of infected machines contacting the domain on the 13th may overload the site and shut it down. (Source: cnet.com). Wood says the worm is targeting about 7,750 domains of which nearly 3,900 are active, but only resolve to 42 unique IP addresses. Of those, only 28 are involved in a covert operation of ISPs and others trying to thwart Conficker/Downadup by pre-registering domains. The vast majority of those 28 domains are currently up for sale.Key Sites Targeted By Conficker/DownadupKey sites listed by Wood whose visitors may see a disruption in service include: jogli.com — Big Web Great Music — March 8wnsux.com — Southwest Airlines — March 13qhflh.com — Women’s Net in Qinghai Province — March 18
praat.org — Doing phonetics by computer — March 31
Other less frequented sites of interest that appeared on the list include ‘The Tennesse Dogue De Bordeaux’ dog breeders site (tnddb.com — March 14) and the ‘Double Super Secret Message Board’ site (dssmb.com — March 11). (Source: sophos.com). Other less frequented sites of interest that appeared on the list include ‘The Tennesse Dogue De Bordeaux’ dog breeders site (tnddb.com — March 14) and the ‘Double Super Secret Message Board’ site (dssmb.com — March 11). (Source: sophos.com).
Wood contacted the owners of the domains to draw their attention to the problem, and thankfully Southwest Airlines has already taken action to prevent the attacks. Solutions for network administrators to combat the problem were offered in the post by Wood from SophosLabs Canada.
If you haven’t done so already, make sure you apply the patch from Microsoft to prevent your computer from being exploited. See “Cleaning Systems of Conficker” at the bottom of the page.Visit Bill’s Links and More for more great tips, just like this one!This entire article and links is available at the Info Packs Newsletter site.
Koobface, Other Worms Target Facebook Friends (NewsFactor)
Posted on Thu Mar 5, 2009 11:31AM EST
Beware, a nasty bug is already at work on Facebook!
As Facebook works to make itself more relevant and timely for its growing member base with a profile page makeover, attackers seem to be working overtime to steal the identities of the friends, fans and brands that connect though the social-networking site.Indeed, Facebook has seen five different security threats in the past week. According to Trend Micro, four new hoax applications are attempting to trick members into divulging their usernames and passwords. And a new variant of the Koobface worm is running wild on the site, installing malware on the computers of victims who click on a link to a fake YouTube video.The Koobface worm is dangerous. It can be dropped by other malware and downloaded unknowingly by a user when visiting malicious Web sites, Trend Micro reports. When attackers execute the malware, it searches for cookies created by online social networks. The latest variant is targeting Facebook, but earlier variants have also plagued MySpace.Koobface’s Wicked AgendaOnce Koobface finds the social-networking cookies, it makes a DNS query to check IP addresses that correspond to remote domains. Trend Micro explains that those servers can send and receive information about the affected machine. Once connected, the malicious user can remotely perform commands on the victim’s machine.
“Once cookies related to the monitored social-networking Web sites are located, it connects to these Web sites using the user log-in session stored in the cookies. It then navigates through pages to search for the user’s friends. If a friend has been located, it sends an HTTP POST request to the server,” Trend Micro reports.
Ultimately, the worm’s agenda is to transform the victim’s computer into a zombie and form botnets for malicious purposes. Koobface attempts to do this by composing a message and sending it to the user’s friends. The message contains a link to a Web site where a copy of the worm can be downloaded by unsuspecting friends. And the cycle repeats itself.
Read up on how to protect yourself by accessing the rest of this article on Yahoo Tech.
— Very IMPORTANT UPDATE on March 11, 2009 —
by Bill Lindner on 20090311 @ 12:37AM ESTThe frightening Conficker worm is just getting bigger and meaner all the time. W32.Downadup.C, a third variant of the Conficker/Downadup worm, is reportedly being pushed out to systems that are already infected.Analysis of the third variant of the worm by Symantec is still in the early stages, but their initial research found a couple of new attributes — one of which includes targeting antivirus software and security tools with the intention of disabling them. (Source: symantec.com)