Tuesday, May 25, 2010

Warning !!! Facebook worm "FBHOLE"


A new Facebook worm has been spreading in the wild. The worm does nothing but post on people's walls without the user's intervention: users don't know that after clicking on this link the message will be posted on their friends' walls, which is quite strange. The message getting posted can be seen here...

The message posted by this worm is:

"try not to laugh xD http://www.fbhole.com/omg/allow.php?s=a&r=[RandomNumber]"


If you click on this type of posting on your wall, you land on a page which looks much like the page shown. This page says "If i don't, someone else do it." and also shows a fake script error. If you click anywhere on this page you trigger a script which posts the same message, shown above, to your wall. The script works by following your mouse pointer with a hidden iFrame. This iFrame is actually a "publish" button.

This worm does nothing except post to your wall. But posting anything on a user's wall without the user's consent is wrong.
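The trick described above (a framed "publish" button hidden under the cursor) only works against pages that allow themselves to be framed by another site. As an added example, not part of the original post, the following Node.js helper inspects a server's response headers (constructed sample values) and reports whether they forbid cross-origin framing through CSP frame-ancestors or X-Frame-Options.

```javascript
// Added example: check whether HTTP response headers protect a page from
// being loaded in a hidden iframe (clickjacking). Header values below are
// constructed samples, not captured from any real site.

// Parse a Content-Security-Policy value into a directive -> source-list map.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1).map(t => t.toLowerCase()));
  }
  return directives;
}

// headers: object with lower-case header names (as Node's http module gives them).
// Returns { protected: boolean, reason: string }. CSP frame-ancestors takes
// precedence over X-Frame-Options, matching browser behaviour.
function framingProtection(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp).get('frame-ancestors');
    if (ancestors) {
      if (ancestors.length === 1 && (ancestors[0] === "'none'" || ancestors[0] === "'self'")) {
        return { protected: true, reason: `CSP frame-ancestors ${ancestors[0]}` };
      }
      // A bare wildcard or scheme-only source lets any origin frame the page.
      if (ancestors.some(s => s === '*' || s === 'http:' || s === 'https:')) {
        return { protected: false, reason: 'CSP frame-ancestors permits any origin' };
      }
      return { protected: true, reason: `CSP frame-ancestors limited to ${ancestors.join(' ')}` };
    }
  }
  const xfo = headers['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY' || v === 'SAMEORIGIN') return { protected: true, reason: `X-Frame-Options ${v}` };
    // ALLOW-FROM was never standardised and current browsers ignore it.
    return { protected: false, reason: `X-Frame-Options "${v}" is not enforced by browsers` };
  }
  return { protected: false, reason: 'no framing restriction; page can sit inside a hidden iframe' };
}

// Constructed sample responses for a quick run: node this_file.js
const SAMPLE_HEADERS = {
  hardened: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  legacyOnly: { 'x-frame-options': 'sameorigin' },
  open: { 'content-type': 'text/html' },
};
for (const [name, h] of Object.entries(SAMPLE_HEADERS)) console.log(name, framingProtection(h));
```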

As of now the domain is blocked and its malicious activity has stopped. To read more about this, follow:
http://www.f-secure.com/weblog/archives/00001955.html

H@v3 @ $@f3 br0w$!n9 !!!

nj0y !!!

Wednesday, May 19, 2010

Zero Day - Microsoft Windows Aero, Remote Code Execution Vulnerability

A few hours ago, Microsoft released an advisory about a kernel memory error vulnerability which could allow remote code execution on an affected machine with Windows Aero installed. This vulnerability exists in recently released Microsoft products: Windows 7 x64 and Windows Server 2008 R2 x64 and Itanium.

A remote attacker may exploit this by sending a specially crafted image file as an email attachment, or by hosting it on a web server as part of a website and luring users to open it. Once opened and parsed by the Windows kernel, it may cause a parsing error in the Canonical Display Driver (cdd.dll) and execute arbitrary code on the user's system.

This is a "Zero Day Vulnerability": no patch is available from MS.

The only safeguard suggested by MS is:
  • Disable Windows Aero (not generally in use anyway).
And from my side:
  • Do not open image files received from untrusted sources, received unexpectedly from trusted sources, or received through instant messaging.
  • Do not follow untrusted links and URLs received by any means.

To read more, follow:
http://www.microsoft.com/technet/security/advisory/2028859.mspx
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3678
http://pcandmactech.blogspot.com/2009/12/irfanview-and-bsod.html
http://en.irfanview-forum.de/vb/showthread.php?5647-V4-25-bluescreen-with-Windows-7-cdd-dll-win32k-sys
http://tools.cisco.com/security/center/viewAlert.x?alertId=20527
http://securitytracker.com/alerts/2010/May/1023991.html

h@v3 @ $@f3 br0w$!n9 . . .


nj0y !!!

TwitterNET Builder, Botnet toolkit

TwitterNET Builder: now any script kiddie can create their own botnet with the help of this toolkit. David Jacoby, Kaspersky Lab Expert, posted information about this. With the help of this toolkit it has become very easy to create a malicious program in a few clicks. Upon execution, the victim's system becomes a node of the botnet. The toolkit creates a profile on Twitter which the infected computers contact to receive instructions and commands. To read more, follow:
http://www.securelist.com/en/blog/2163/New_tool_allows_script_kiddies_to_build_botnets_via_Twitter

A detailed description of this toolkit can be found at:
http://sunbeltblog.blogspot.com/2010/05/diy-twitter-botnet-creator.html

How to get protected from this?
  • Do not open unsolicited email attachments or attachments received unexpectedly from trusted sources.
  • Do not accept or execute files received from untrusted users through instant messaging.
  • Keep your anti-virus program up-to-date.

H@v3 @ $@f3 br0w$!n9 . . .

nj0y !!!

Monday, May 17, 2010

Beware of Security Essentials 2010, A Rogue Anti-Virus

A rogue anti-virus, Security Essentials 2010, is spreading nowadays. Websense® Security Labs™ has discovered a new job-search-related malware spam outbreak. People are getting spam mails with a resume (CV) attached as a compressed file, asking them to review it.

Fortunately I didn't receive any sample of this, but I thought of sharing the information with you so that you are aware of what is happening.

According to Websense, inside this zip file there is an executable which is the Oficla bot. The detection can be seen here . . .
http://www.virustotal.com/analisis/db641f27e14f54a02229cd3d9da9ca0c844c819c1db00b38005c3154be099965-1273654511

Once this bot is installed on your computer, it changes your wallpaper and threatens you that your computer is seriously infected. It looks something like:

After all this drama it downloads and installs a rogue anti-virus program with the name "Security Essentials 2010". This rogue AV gives you fake warnings that your system is infected with multiple serious vulnerabilities and Trojans, viruses, worms etc . . .
This is not the first time; in the past there were a few rogue AVs. Here is one example, "Antivirus 7",

which appeared when there was news of the release of Windows 7, and another one with the name "PersonalSecurity" which looked like . . .

To read more, please refer to the following links:
http://community.websense.com/blogs/securitylabs/archive/2010/05/12/new-malspam-please-review-my-cv-thank-you.aspx

Hope for the best, and never get caught in these scams. I have seen people lose money in the name of buying updates for this rogue AV, or in the name of getting the latest definitions to clear off the infection shown by the rogue AV. Please beware of these scams.

H@v3 @ s@f3 br0w$!n9 . . . .

nj0y !!!

Windows XP Service Pack 2 Support will be ceased on July 13, 2010


There is sad news for home users and enterprises who are using Microsoft Windows XP SP1 and SP2 . . .

Microsoft has decided to cease support for its legendary operating system "Microsoft Windows XP SP2" on July 13, 2010. This date was set when Windows XP Service Pack 3 (SP3) was released on April 21, 2008.

To read more, please follow the links:
http://support.microsoft.com/gp/lifean31
http://support.microsoft.com/gp/lifesupsps
http://www.theregister.co.uk/2010/05/14/winxp_sp2_support_cut_off_looms/

Microsoft will continue to provide paid support during the Extended Support phase for Windows XP, and security updates at no additional charge. Microsoft will continue support for Windows XP SP3 till 2014. Finally and officially, Windows XP will retire on April 8, 2014.

Upgrade to XP SP3 and nj0y $@f3 br0w$!n9 . . .

nj0y !!!

Saturday, May 15, 2010

Security Enhancement by Facebook

------------------------------------------------------------------------------------------------
Facebook is trying really hard to keep its users away from scammers and phishers. Here is an excerpt from the Facebook blog: "At Facebook, we're constantly working on new ways to protect you from scams and help you keep your account and information secure," wrote Lev Popov.

One of the features is Login Notifications, which allows users to register the devices from which they usually access their account and sends them a notification in case their account is accessed from any other device.

Another one is Blocking Suspicious Logins: if FB finds a login from a device other than those in the trusted list, FB asks additional verification questions to verify the authenticity of the user. One more step towards safe browsing . . .

To enable this, go to Account Settings -> Account Security and select YES.

h@v3 @ n!c3 d@y & $@f3 br0w$!n9 . . .


nj0y !!!

Candid Camera Prank! [HQ] FB VIRUS !!!!!

Today I encountered a most amazing application named "Candid Camera Prank! [HQ]" on FB (one of the social networking websites). It starts with a post coming from your friend suggesting something like "this is without doubt the sexiest video ever! :P :P :P". Just have a look at what I got:

I thought of finding the logic behind this. When I clicked on this I landed on an application named "Candid Camera Prank! [HQ]". Once I clicked on this, I got a message like "thanks for subscribing, to watch the video click on continue". Once you click continue, it asks you for some common FB permissions like:
* Publish on your wall, and
* Access your public data
Generally nobody bothers about it and clicks on "Allow"; this is what I did and this was my mistake. It shows you a nice photograph along with a sweet error, something like "Your FLV player is not up-to-date and you need to download the latest version". I clicked yes and a nicely named but ugly file, "VLCSetup.exe", was downloaded to my desktop.
After all these efforts I was not able to see the video, then angrily and tiredly I returned to my profile and I was shocked at what I saw on my wall. The very same posting was published on all of my friends' walls with my name as a suggestive comment to them.

Please remove the application by following these simple steps.
Go to your "Account" -> "Application Settings", find "WINAMP" in the list and click on 'X' to remove the application from your profile.

But anyway, this was a kind of SPAM, or I could say a scripting virus. The file downloaded, which we discussed above, was actually adware, but the detection was very poor. You may find the detection here:

Websense posting about the same
http://securitylabs.websense.com/blogs/securitylabs/archive/2010/05/15/sexiest-video-ever-on-facebook.aspx

This was all an issue of FB applications: how a naive user allows an application to do whatever it wants with their data. I think Web 2.0 awareness is the prevention against these kinds of attacks. This could happen on any social networking website.

"h@v3 @ $@f3 br0w$!n9"

nj0y !!!


Reporting Cyber Crime

Govt. of India took a great initiative by facilitating citizens with the “National Cyber Crime Reporting Portal” ( https://cybercrime...