11/23/2008 10:47:00 PM

Facebook Worm Needs Your Help to Read CAPTCHAs!

by Bahaa Naamneh

After using Geocities as its main redirection point, the Koobface worm is now taking advantage of Google’s Blogger to redirect Facebook users to malware websites.

In this latest attack, the worm sends messages to Facebook users urging them to watch a video that appears to be hosted on Blogger. Victims of this attack end up infecting their system with the latest Koobface worm from a fake YouTube website. To create Blogger accounts at random for the redirections to the malicious domains, this Koobface variant requires a little help from you: reading CAPTCHAs.

This attack uses tempting messages such as “You look so fine in this video”; here is how the messages may look:

If the user complies with this message and clicks the proposed blogspot.com link, he is redirected to a fake YouTube website. The fake YouTube page requires the user to install an alleged “Adobe Flash Player Installer” (Flash_Update.exe) in order to watch the video. Executing Flash_Update.exe infects the system with the Koobface worm.

The following details explain how this attack works:
Flash_Update.exe downloads two further executables, google_reg.exe and captcha.exe, onto the affected system from aibcvienna.org, which appears to be a legitimate website compromised by the hackers. It is important to note that the same domain also hosts other executables tailored for hi5 and MySpace users.

The file google_reg.exe attempts to create new Google accounts, and for that it needs a human to read the CAPTCHA. It uploads the CAPTCHA image to a server and waits for captcha.exe to download it. captcha.exe drops a file named captcha5.dll into the Program Files directory and runs it using rundll32.exe, the Windows system utility for executing code exported by DLL files. The dropped DLL displays a shutdown window that freezes the system and demands that the user type the characters shown in an image before a 3-minute countdown timer runs out. The image is in fact the CAPTCHA that google_reg.exe is waiting to have deciphered by the victim.


Once entered, the characters are sent back to the server, where google_reg.exe is waiting for them to finish creating the blogspot.com account that will later be used to attack other Facebook users.
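The chain described above (a fake Flash installer dropping google_reg.exe and captcha.exe, and captcha.exe launching captcha5.dll from Program Files through rundll32.exe) is the kind of process ancestry that endpoint telemetry can catch. The Python script below is an added illustration, not code from the original post or from any Koobface analysis tooling: it runs two heuristics over a constructed set of process-creation events, flagging rundll32.exe when it loads a DLL from outside the Windows system directories, and flagging an executable started from a user-writable directory that spawns another executable from such a directory. The event layout, PIDs, user name, directory paths and the `EntryPoint` export name are all constructed for the example; only the file names come from the post.

```python
import ntpath

import re

# Directories from which rundll32 is expected to load DLLs; anything else
# (Program Files, the user's profile, C:\Windows itself) deserves a look.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Path fragments marking locations an ordinary user can write to.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")

# Matches "rundll32[.exe] <dll>,<export>", with or without quotes on the DLL.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,', re.IGNORECASE)

# Constructed process-creation events (not real telemetry). The fields mirror
# what an EDR or Sysmon "process create" record carries.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Users\user\Downloads\Flash_Update.exe",
     "cmdline": "Flash_Update.exe"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Users\user\Downloads\google_reg.exe",
     "cmdline": "google_reg.exe"},
    {"pid": 400, "ppid": 200,
     "image": r"C:\Users\user\Downloads\captcha.exe",
     "cmdline": "captcha.exe"},
    # "EntryPoint" is a placeholder; the post does not name the export.
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Program Files\captcha5.dll",EntryPoint'},
    # Benign control: rundll32 loading a DLL from System32.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def rundll32_dll_path(cmdline):
    """Return the DLL argument of a rundll32 command line, or None."""
    m = RUNDLL32_RE.search(cmdline)
    return m.group("dll") if m else None


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DLL_DIRS)


def from_user_writable_dir(path):
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE_DIRS)


def build_index(events):
    return {e["pid"]: e for e in events}


def process_chain(by_pid, pid):
    """Render the ancestry of a process as 'root > ... > leaf'."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(names))


def find_suspicious(events):
    """Apply both heuristics and return one alert dict per hit."""
    by_pid = build_index(events)
    alerts = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        if name == "rundll32.exe":
            dll = rundll32_dll_path(e["cmdline"])
            # Only judge absolute paths: a bare DLL name goes through the
            # loader's search order and needs a different check.
            if dll and "\\" in dll and not in_system_dir(dll):
                alerts.append({"pid": e["pid"], "rule": "rundll32_nonsystem_dll",
                               "detail": dll,
                               "chain": process_chain(by_pid, e["pid"])})
        # Dropper pattern: something run from Downloads/Temp launching
        # another binary that also lives in a user-writable directory.
        if (parent and from_user_writable_dir(parent["image"])
                and from_user_writable_dir(e["image"])):
            alerts.append({"pid": e["pid"], "rule": "dropper_spawn",
                           "detail": f"{ntpath.basename(parent['image'])} -> {name}",
                           "chain": process_chain(by_pid, e["pid"])})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(EVENTS):
        print(f"[{alert['rule']}] pid={alert['pid']} {alert['detail']}  ({alert['chain']})")
```

The rundll32 rule is the higher-signal one here: legitimate rundll32 invocations overwhelmingly reference DLLs under System32 or SysWOW64, so a DLL sitting directly in Program Files, as captcha5.dll does, stands out without any name-based indicator. The dropper rule is noisier on its own and is best used to enrich the first hit with the full chain back to Flash_Update.exe.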


Hackers | Web-based Trojans

Comments

11/26/2008

I've got the annoying worm on my comp...

I've tried Spybot, adware but they're unable to remove the 'worm'...

Anyone know how to remove it? Thanks!

Vince

11/26/2008

I got the worm on my comp but I dunno how to remove it..

I've tried Adware, Spybot but it can't detect the malware...

Anybody know how to remove the 'worm'? Thanks..

Vince

11/26/2008

I have a mac... Does the worm work on that too? I hope it doesn't...

Laerke

12/4/2008

Pingback from treetech.com.pk

flash_update.exe virus being spread through Facebook messages | Business Online

treetech.com.pk

12/5/2008

Someone on my machine downloaded this and asked me why it didn't work. The spoof YouTube site is spelled yuotube.
I must have a newer version because the flash_update.exe installed a file called C:\Windows\bolivar28.exe. The program was not running, but was set to run on reboot. A key was added to the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
A key called sysftray calls the file C:\Windows\bolivar28.exe

Delete the file and remove the key...

rob
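Rob's cleanup advice (delete the dropped file and remove the Run-key entry that starts it) generalises to a quick autorun triage. The Python below is an added example, not part of the original post or its comments: it parses a constructed set of HKLM Run-key values, flags entries whose executable sits directly in C:\Windows (as bolivar28.exe does in Rob's report) or in a user-writable location, and emits the matching `reg delete` command for the analyst to review. Apart from the sysftray value and bolivar28.exe, which come from the comment, every value name and path is constructed.

```python
import ntpath
import re

REG_RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Path fragments marking locations an ordinary user can write to.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")

# Constructed Run-key contents: value name -> command string, as a registry
# export would list them. Only "sysftray" is taken from the comment above.
RUN_VALUES = {
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    "ExampleReader": r'"C:\Program Files\Example\Reader\reader_sl.exe" /quiet',
    "sysftray": r"C:\Windows\bolivar28.exe",
}


def executable_from_command(cmd):
    """Extract the executable path from a Run-value command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path: take everything up to the first ".exe" that is followed
    # by whitespace or the end, so paths containing spaces survive.
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def classify_autorun(path):
    """Return a reason string for a suspicious path, or None if it looks fine."""
    p = path.lower()
    # Executables dropped straight into C:\Windows (not System32 or another
    # subdirectory) are a classic malware habit; bolivar28.exe is one.
    if ntpath.dirname(p) == "c:\\windows":
        return "exe_in_windir_root"
    if any(fragment in p for fragment in USER_WRITABLE_DIRS):
        return "exe_in_user_writable_dir"
    return None


def remediation_command(value_name):
    """The reg.exe invocation that removes one Run-key value."""
    return f'reg delete "{REG_RUN_KEY}" /v "{value_name}" /f'


def triage_run_key(run_values):
    """Return one finding per suspicious Run-key value, in registry order."""
    findings = []
    for name, cmd in run_values.items():
        path = executable_from_command(cmd)
        reason = classify_autorun(path)
        if reason:
            findings.append({"name": name, "path": path, "reason": reason,
                             "remediation": remediation_command(name)})
    return findings


if __name__ == "__main__":
    for f in triage_run_key(RUN_VALUES):
        print(f"{f['name']}: {f['path']} [{f['reason']}]")
        print(f"  then delete the file and run: {f['remediation']}")
```

On a live system the dictionary would be filled from `reg query` output or the `winreg` module; the heuristics stay the same. Note the order of operations Rob implies: remove the Run value and delete the file before rebooting, since the entry only takes effect at the next logon.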