[Cialug] Security on social networking sites
Josh More
morej at alliancetechnologies.net
Wed Mar 28 08:08:31 CDT 2007
Yes, the technique has been around for ages. What's different today is
that the social sites have published APIs, so that the distribution of
malware is far more efficient. That deepens the penetration of the
attack, as they can automate the delivery to a greater extent.
It's a classic example of gluing security on afterwards. Flickr has
some great security concepts in their API, but it's another of those
"hard outside, soft inside" models, where once you get in, you can do
anything you wish. I would expect that other sites that have had to
scale more rapidly than expected (facebook, myspace, etc) are worse.
Other web-sites that are older and more established (eBay, amazon)
should be better, but I've not seen any measurements of those.
-Josh More, RHCE, CISSP, NCLP
morej at alliancetechnologies.net
515-245-7701
>>> "Neal Daringer" <neal.daringer at gmail.com> 03/27/07 11:59 PM >>>
This is a fairly normal way for malware to get around. It's been happening for a long, long time. I remember seeing this method on early AOL. It spreads much like any email virus: some poor victim gets infected and logs into flickr, then their account is hacked by the malware, and the malware starts to send out messages to everyone it can, trying to get them to download and run the malware. I don't know why social networking sites just don't block external links from being sent to a contact that hasn't allowed them to be sent to them. I sure know I don't want any external links. I get stuff like this all the time on myspace and am ready to delete my account because of it. grr

Oh well, it's just malware. If you're stupid enough to install it, I'll take your money to get it off :P
On 3/28/07, Josh More <morej at alliancetechnologies.net> wrote:
>
> I had an interesting experience on flickr this morning, involving Windows malware.
> The short form is: "If someone leaves you a comment and a URL on flickr (or some other social site), and you do not know them, do NOT click on the link."
>
> Details, if you are interested in what to look at when *safely* tracing malware, are at
> http://journal.starmind.org/2007/03/27/be-careful-on-social-networking-sites/
> However, following the rule above, if you do not know me, you shouldn't click on the link, so the details are also included below. As I hear more information from SANS and/or flickr, I will be updating my blog via the URL above.
>
> Details:
>
> I started my morning by uploading a set of photos to flickr. Almost immediately, I got a comment from a user that I did not recognize. By itself, that's not unusual. However, what follows triggered my "weirdness" alarms.
>
> The comment read as follows:
>
> "This is such a cool pic, good work! I Love viewing your stream. I Recently constructed a gift for all of my favorite flickr users, you were included, so i would be honored if you can accept it and tell me if you like it or not! Thankyou!"
>
> Then, there was a link. As it turns out, the link was to a Windows executable, but it could just as easily have been to something harder to detect. What I did next is what saved me (or would have, had my system not been Linux which protected me anyway* from this attack).
>
> Since I didn't know the user, I checked out her profile. Interestingly, none of my photos were tagged as her favorites. Also, I was not listed as one of her contacts. So, if I wasn't someone she knew well enough to keep track of that way, why would she be offering me a "gift"?
>
> I poked a bit further, and found that the file behind the link was on a website having something to do with paintball. That's odd, but not necessarily a bad thing. However, as she did not have any photos about paintball or listed paintball as an interest, I became more suspicious. Also, the file was stored in
> http://site/calendar/ws/PhotoSeries3412459741.exe
>
> Those who are not in the industry might not know, but this means that it's located within the WebCalendar application, which is not a normal place to store files. Additionally, there have been security problems with older versions of this application, so it was highly likely that the site was hacked.
>
> I downloaded and scanned the executable, and it came back clean. But, to be safe, I decided to contact SANS (an excellent security group), and they helped me to track down the rest of it. It turns out that the exe file is a "trojan dropper". It connects to another site to download the nasty bits. That way, it can bypass antivirus and other security measures.
>
> SANS is contacting the site hosting the malware, and I will be contacting flickr. I suspect that flickr already knows, as they deleted the comment fairly quickly. However, they did not delete it from the RSS feed, which is how I read them. I will let flickr contact the user whose account was hacked.
>
> - Josh More, RHCE, CISSP, NCLP
> morej at alliancetechnologies.net
> 515-245-7701
>
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
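The checks Josh walks through in the quoted post (is there any visible relationship with the commenter, does the link point straight at an executable, is the file sitting inside a web application's directory where it does not belong, does the hosting site's topic match what the sender's profile shows) can be written down as a small triage routine. The following is an added example, not code from this thread or from flickr; the indicator lists, the `Sender` record, the `triage` function and the sample profile data are constructed for illustration, and the one URL used is the placeholder path quoted in the post.

```python
"""Triage of a link left in a social-site comment, following the checks
described in the quoted post: who sent it (relationship signals), where it
points (direct executable? stored under a web application's directory?),
and whether the hosting site's topic fits the sender. Added example; the
indicator lists and sample data below are constructed, not from the thread."""
from dataclasses import dataclass, field
from urllib.parse import urlparse
import posixpath

# Extensions that hand the browser directly runnable Windows content.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}

# Directory names typical of installed web applications. A binary stored
# beneath one of these suggests the host was compromised rather than set up
# to distribute the file. Constructed list for the example.
WEBAPP_DIRS = {"calendar", "webcalendar", "phpbb", "wp-content", "forum"}


@dataclass
class Sender:
    """Relationship signals visible on the commenter's profile (constructed)."""
    name: str
    favorited_my_photos: bool
    has_me_as_contact: bool
    interests: set = field(default_factory=set)


def path_indicators(url):
    """Return the reasons the URL itself looks suspicious (empty if none)."""
    reasons = []
    parsed = urlparse(url)
    ext = posixpath.splitext(parsed.path)[1].lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"direct link to an executable ({ext})")
    # Only directory components count, so the file name itself is excluded.
    parts = [p.lower() for p in parsed.path.split("/") if p]
    hit = WEBAPP_DIRS.intersection(parts[:-1])
    if hit:
        reasons.append(f"file stored under web application directory {sorted(hit)}")
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parsed.scheme!r}")
    return reasons


def sender_indicators(sender, site_topic=None):
    """Return the reasons the sender looks unrelated to me or to the link."""
    reasons = []
    if not (sender.favorited_my_photos or sender.has_me_as_contact):
        reasons.append("sender has no visible relationship with me "
                       "(none of my photos favorited, not a contact)")
    listed = {i.lower() for i in sender.interests}
    if site_topic and site_topic.lower() not in listed:
        reasons.append(f"hosting site topic {site_topic!r} does not match "
                       "the sender's listed interests")
    return reasons


def triage(url, sender, site_topic=None):
    """Combine both sets of checks into a verdict plus the list of reasons."""
    reasons = path_indicators(url) + sender_indicators(sender, site_topic)
    verdict = "do not click" if reasons else "no indicators found"
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample: the situation from the post, then a benign contrast.
    stranger = Sender("unknown_user", False, False, {"landscapes"})
    friend = Sender("known_contact", True, True, {"landscapes"})
    for url, who, topic in [
        ("http://site/calendar/ws/PhotoSeries3412459741.exe", stranger, "paintball"),
        ("https://example.com/photos/gallery.html", friend, None),
    ]:
        verdict, reasons = triage(url, who, topic)
        print(f"{url}: {verdict}")
        for r in reasons:
            print("  -", r)
```

The two halves are kept separate on purpose: `path_indicators` can run on the link alone (for example over an RSS feed of comments, which is how the post's author read them), while `sender_indicators` needs profile data that only the logged-in user can see.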