8/24/2008 4:12:00 PM

A new variant of the Facebook worm hits again

by Bahaa Naamneh

Two weeks after its first appearance, a new variant of the recent Facebook worm is spreading again. The worm propagates by sending every friend in the victim's Facebook account a link to an alleged video clip hosted on what looks like a YouTube page. Following the spammed link ends in infection of the system with the worm.

The fake YouTube page of the video is designed in a way that makes it look as if it was uploaded by the person who sent the message.

Once the worm runs, it contacts a server to fetch the content of the messages it will send. The server supplies the subject of the spammed message, the body of the message, and links with obfuscated URLs pointing to the fake YouTube website.

The sent messages attempt to entice users into clicking on the spammed link with sentences such as:
• “Your ass looks not bad in this video”
• “Who and when made this video of you?!!!”
• “Nudity makes you beautiful. Who made this video?You look disgusting this video!”

The link leads to a fake YouTube page that demands an update of the user's Flash player before the video can be watched. Clicking the button downloads an executable that, if run, infects the victim's system with the worm. According to VirusTotal, only 11 out of 36 antivirus products detect this variant of the worm.

The following are the symptoms of infection:
1. The worm copies itself as: c:\windows\fbtre9.exe
2. It also creates the following file: c:\windows\fmark2.dat
3. It creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"sysftray2" = "c:\windows\fbtre9.exe"
4. This worm also deletes the following registry key:
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating


Web-based Trojans

8/13/2008 4:50:00 PM

Microsoft Security Bulletin Summary for August 2008

by Oren Medini

Microsoft has released its monthly security bulletins for August 2008: eleven bulletins covering Windows, Internet Explorer and Office, six of them rated critical and five important. We strongly suggest applying the patches Microsoft provides for these vulnerabilities.

Following is a summary of the security updates released by Microsoft:

Critical

Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution
A vulnerability has been discovered in the Microsoft Image Color Management (ICM) system that could allow remote code execution in the context of the current user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Cumulative Security Update for Internet Explorer
This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. All of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

Microsoft has already addressed these vulnerabilities with a patch. The patch and additional information are available here.

Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
This security update resolves four privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system.

Microsoft has already addressed these vulnerabilities with a patch. The patch and additional information are available here.

Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution
This security update resolves three privately reported vulnerabilities in Microsoft Office PowerPoint and Microsoft Office PowerPoint Viewer that could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system.

Microsoft has already addressed these vulnerabilities with a patch. The patch and additional information are available here.

Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution
This security update resolves five privately reported vulnerabilities. These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office.

Microsoft has already addressed these vulnerabilities with a patch. The patch and additional information are available here.

Important

Vulnerability in IPsec Policy Processing Could Allow Information Disclosure
This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text. This, in turn, would disclose information intended to be encrypted on the network.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Vulnerabilities in Event System Could Allow Remote Code Execution
This update resolves two privately reported vulnerabilities in Microsoft Windows Event System that could allow remote code execution. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system.

Microsoft has already addressed these vulnerabilities with a patch. The patch and additional information are available here.

Security Update for Outlook Express and Windows Mail
This security update resolves a privately reported vulnerability in Outlook Express and Windows Mail. The vulnerability could allow information disclosure if a user visits a specially crafted Web page using Internet Explorer.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Vulnerability in Windows Messenger Could Allow Information Disclosure
This security update resolves a publicly reported vulnerability in supported versions of Windows Messenger. As a result of this vulnerability, scripting of an ActiveX control could allow information disclosure in the context of the logged-on user.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Vulnerability in Microsoft Word Could Allow Remote Code Execution
This security update resolves a publicly reported vulnerability in Microsoft Word. This vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.


8/13/2008 3:43:00 PM

A follow-up on the Russian-Georgian cyberwar

by Oren Medini

Further research on the recent cyberwarfare between Russia and Georgia reinforces the assumption in our last blog post about the identity of the party behind the attacks against Georgia. The research speculates that the series of cyber-attacks was carried out by the Russian government in parallel with conventional military operations. The article can be found at:
http://www.stratfor.com/analysis/georgia_russia_cyberwarfare_angle


Note: membership is required in order to view the above article.


Hackers

8/12/2008 2:21:00 PM

Russian Cyberwar on Georgian Websites

by Oren Medini

The last several years have shown that political tensions are usually preceded or followed by cyber-attacks, conducted by cyber criminals against targets that appear to be affiliated with the opposing side. Sometimes it can be argued that such attacks are part of a government's efforts in the political arena.

The political conflict between Georgia and Russia, which has escalated into a military ground operation, has been accompanied over the past week by cyber-attacks against Georgian government websites. Georgia and security experts have accused Russian hackers of launching large, sustained and almost non-stop distributed denial-of-service (DDoS) attacks on Georgian websites, including those of government ministries and the president's website. The level of endorsement these attacks have received from the Russian government (if any) is unknown: such attacks can be traced to their source (the commands sent to the botnets), but the issuer of the commands remains anonymous.

A statement released by the Georgian Ministry of Foreign Affairs, using a replacement website hosted at Blogspot, says: "A cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs."

The Georgian parliament website, parliament.ge, was defaced and images comparing the Georgian president to Adolf Hitler were placed on its front page.

These coordinated cyber-attacks have already inflicted downtime on several government websites, and DDoS attacks are still being launched against numerous other Georgian government and commercial websites.

There have been claims that the RBN (the Russian Business Network cyber-crime organization) is behind the attacks. Apparently, this is the first time the RBN has targeted a nation-state rather than a business. Nevertheless, these claims only trace the attack to its source (the command center issuing the attack commands); the identity of the party (political or criminal) that commissioned the attacks is still a mystery. We suspect that, as political tensions find new ways to be resolved or expressed, the use of cyber-attacks instead of, in conjunction with, or pre-emptive of military operations will grow.


8/10/2008 3:00:00 PM

A New Facebook Worm Spreading

by Oren Medini

Reportedly, between 900 and 1,800 Facebook users have been infected by a new worm that has been spreading through Facebook since Wednesday. This nasty worm aims to install malware with a keylogger payload on victims' PCs.

Once this worm is run, it spreads by creating and sending spam messages to the infected user's friends via the Facebook website. The sent messages include titles such as:

  • "LOL. You've been catched on hidden cam, yo:"
  • "Paris Hilton Tosses Dwarf On The Street"
  • "Examiners Caught Downloading Grades From The Internet"

The spam messages include a link to a random URL. The URL in fact points to a fake YouTube web page that shows a video player along with what looks like a standard browser prompt to update Flash in order to watch the clip. Clicking on the button launches the worm installation, which, however, is proactively detected and blocked by eSafe.

Web-based Trojans