
Mailing List Archive: NANOG: users

facebook worm



ge at linuxbox

Aug 6, 2008, 9:44 PM

Post #1 of 14 (1116 views)
facebook worm

Hi all. You may want to be ready for a *possible* support lines flood
today.

Yesterday I discovered a fast-spreading facebook worm. It spreads by
sending messages to all your facebook friends, from your account, asking
them to click on a link in the .pl ccTLD.

This worm is somewhat similar to zlob, here is a link to a kaspersky
paper on a previous iteration of it, they call it koobface:
http://www.kaspersky.com/news?id=207575670

The worm collects spam subject lines from, and then sends the users'
personal data to the following C&C:
zzzping.com

I spoke with DirectNIC last night and the Registrar Operations (reg-ops)
mailing list was updated that the domain is no longer reachable. That was
very fast response time from DirectNIC, which we appreciate.

The worm is still fast-spreading, watch the statistics as they fly:
http://www.d9.pl/system/stats.php

The facebook security team is working on this, and they are quite capable.
The security operations community has been doing analysis and
take-downs, but the worm seems to still be spreading.

All anti virus vendors have been notified, and detection (if not removal)
should be added within a few hours to a few days.

For now, while users may get infected, their information is safe (unless
the worm has a secondary contact C&C which I have not verified yet).

It seems like some users may have learned not to click on links in email,
but any other medium does not compute.

Gadi.
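Added example, not part of the original post: one way an operator could see which subscribers are looking up the C&C domain named above, so support staff know who is likely infected before the calls arrive. The BIND-style log layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# C&C domain named in the post; subdomains are matched too.
CNC_DOMAINS = {"zzzping.com"}

# Constructed sample lines in a BIND-style query-log layout (assumed format).
SAMPLE_LOG = """\
06-Aug-2008 21:40:02.101 client 192.0.2.10#53211: query: www.facebook.com IN A +
06-Aug-2008 21:40:05.440 client 192.0.2.10#53212: query: zzzping.com IN A +
06-Aug-2008 21:41:17.009 client 198.51.100.7#40110: query: notzzzping.com IN A +
06-Aug-2008 21:43:30.772 client 203.0.113.25#1031: query: WWW.ZZZPING.COM. IN A +
06-Aug-2008 21:52:48.300 client 192.0.2.10#53290: query: zzzping.com IN A +
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?"
    r"query: (?P<qname>\S+) IN "
)

def matches_cnc(qname, domains=CNC_DOMAINS):
    """True if qname is a listed domain or a label-aligned subdomain of one."""
    name = qname.rstrip(".").lower()  # DNS names are case-insensitive
    return any(name == d or name.endswith("." + d) for d in domains)

def find_infected_clients(log_text):
    """Return {client_ip: {"count", "first", "last"}} for C&C lookups.

    A lookup is logged even when the domain no longer resolves, so this
    still works after the registrar takedown described in the post.
    """
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not matches_cnc(m["qname"]):
            continue  # unparseable line or unrelated query
        rec = hits[m["ip"]]
        rec["count"] += 1
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    return dict(hits)

if __name__ == "__main__":
    for ip, rec in sorted(find_infected_clients(SAMPLE_LOG).items()):
        print(f"{ip}\t{rec['count']}\t{rec['first']}\t{rec['last']}")
```

The suffix check is label-aligned, so a lookalike such as `notzzzping.com` is not counted as a hit.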


pauldotwall at gmail

Aug 7, 2008, 4:56 PM

Post #2 of 14 (1053 views)
Re: facebook worm [In reply to]

Gadi,

Please take a few moments to reflect on:

http://www.nanog.org/endsystem.html

I'd appreciate it if you'd try and keep future off-topic postings like
this to a minimum, as it makes the list difficult to wade through to
get to what matters.

Regards,
Paul (not currently MLC, though I promise to put you in your place
once the SC affords me the privilege :)

On Thu, Aug 7, 2008 at 12:44 AM, Gadi Evron <ge [at] linuxbox> wrote:
> Hi all. You may want to be ready for a *possible* support lines flood today.
>
> Yesterday I discovered a fast-spreading facebook worm. It spreads by sending
> messages to all your facebook friends, from your account, asking them to
> click on a link in the .pl ccTLD.
>
> This worm is somewhat similar to zlob, here is a link to a kaspersky paper
> on a previous iteration of it, they call it koobface:
> http://www.kaspersky.com/news?id=207575670
>
> The worm collects spam subject lines from, and then sends the users' personal
> data to the following C&C:
> zzzping.com
>
> I spoke with DirectNIC last night and the Registrar Operations (reg-ops)
> mailing list was updated that the domain is no longer reachable. That was
> very fast response time from DirectNIC, which we appreciate.
>
> The worm is still fast-spreading, watch the statistics as they fly:
> http://www.d9.pl/system/stats.php
>
> The facebook security team is working on this, and they are quite capable.
> The security operations community has been doing analysis and take-downs,
> but the worm seems to still be spreading.
>
> All anti virus vendors have been notified, and detection (if not removal)
> should be added within a few hours to a few days.
>
> For now, while users may get infected, their information is safe (unless the
> worm has a secondary contact C&C which I have not verified yet).
>
> It seems like some users may have learned not to click on links in email,
> but any other medium does not compute.
>
> Gadi.
>
>


ge at linuxbox

Aug 7, 2008, 6:35 PM

Post #3 of 14 (1056 views)
Re: facebook worm [In reply to]

[top-posting]

Now that this worm has been somewhat balked, I'd like to thank the
membership for your patience with this off-topic post. I realize it is
probably as annoying to some as it was useful to others.

My thinking was that on the rare occasion when we can anticipate
*possible* and *serious* floods and bottle-necks at ISP tech-support
lines, across multiple providers and regions, we should share that
information. NANOG remains the best place for such information
sharing.

While I realize this mailing list is mostly about network operations and
less about ISP operations, we had a discussion in the past where we have
seen some in our community do use this information effectively and find
it useful.

This is a rare occasion indeed, but an explanation and an apology were in
order.

Thank you,

Gadi.


On Wed, 6 Aug 2008, Gadi Evron wrote:
> Hi all. You may want to be ready for a *possible* support lines flood today.
>
> Yesterday I discovered a fast-spreading facebook worm. It spreads by sending
> messages to all your facebook friends, from your account, asking them to
> click on a link in the .pl ccTLD.
>
> This worm is somewhat similar to zlob, here is a link to a kaspersky paper on
> a previous iteration of it, they call it koobface:
> http://www.kaspersky.com/news?id=207575670
>
> The worm collects spam subject lines from, and then sends the users' personal
> data to the following C&C:
> zzzping.com
>
> I spoke with DirectNIC last night and the Registrar Operations (reg-ops)
> mailing list was updated that the domain is no longer reachable. That was
> very fast response time from DirectNIC, which we appreciate.
>
> The worm is still fast-spreading, watch the statistics as they fly:
> http://www.d9.pl/system/stats.php
>
> The facebook security team is working on this, and they are quite capable.
> The security operations community has been doing analysis and take-downs, but
> the worm seems to still be spreading.
>
> All anti virus vendors have been notified, and detection (if not removal)
> should be added within a few hours to a few days.
>
> For now, while users may get infected, their information is safe (unless the
> worm has a secondary contact C&C which I have not verified yet).
>
> It seems like some users may have learned not to click on links in email, but
> any other medium does not compute.
>
> Gadi.
>


william.allen.simpson at gmail

Aug 8, 2008, 9:07 AM

Post #4 of 14 (1039 views)
Re: facebook worm [In reply to]

Gadi Evron wrote:
> My thinking was that on the rare occasion when we can anticipate
> *possible* and *serious* floods and bottle-necks at ISP tech-support
> lines, across multiple providers and regions, we should share that
> information. NANOG remains the best place for such information sharing.
>
I agree.

> While I realize this mailing list is mostly about network operations and
> less about ISP operations, we had a discussion in the past where we have
> seen some in our community do use this information effectively and find
> it useful.
>
ISP operations are network operations. Fast spreading worms with
remediation through DNS configuration that may affect tech-support costs
are obviously network related.


patrick at zill

Aug 8, 2008, 9:33 AM

Post #5 of 14 (1034 views)
Re: facebook worm [In reply to]

Gadi Evron wrote:

> While I realize this mailing list is mostly about network operations and
> less about ISP operations, we had a discussion in the past where we have
> seen some in our community do use this information effectively and find
> it useful.

Thing is, I had already heard about the facebook worm via my other
sources of info (and a day earlier); same as anyone else who is paying
attention to such subjects did.

When info like this is spread across multiple lists/sites, the second
and subsequent times it is noise instead of signal.

I lurk on nanog because of what it focuses on.

Turning nanog into a rehash of digg's technology section or the front
page of news.com reduces nanog's utility.

--Patrick


LarrySheldon at cox

Aug 8, 2008, 9:48 AM

Post #6 of 14 (1036 views)
Re: facebook worm [In reply to]

Patrick Giagnocavo wrote:

> Turning nanog into a rehash of digg's technology section or the front
> page of news.com reduces nanog's utility.

As does the days and days of rehash of one of Gadi's postings.


brett at the-watsons

Aug 8, 2008, 9:56 AM

Post #7 of 14 (1036 views)
Re: facebook worm [In reply to]

On Aug 8, 2008, at 9:48 AM, Laurence F. Sheldon, Jr. wrote:

> Patrick Giagnocavo wrote:
>
>> Turning nanog into a rehash of digg's technology section or the
>> front page of news.com reduces nanog's utility.
>
> As does the days and days of rehash of one of Gadi's postings.

And all of this BS is even *more* off topic than folks are claiming
Gadi's post was. This list goes off topic all the time, at least
Gadi's post was technical.


xploitable at gmail

Aug 8, 2008, 2:27 PM

Post #8 of 14 (1026 views)
Re: facebook worm [In reply to]

On Fri, Aug 8, 2008 at 5:33 PM, Patrick Giagnocavo <patrick [at] zill> wrote:
> Gadi Evron wrote:
>
>> While I realize this mailing list is mostly about network operations and
>> less about ISP operations, we had a discussion in the past where we have
>> seen some in our community do use this information effectively and find it
>> useful.
>
> Thing is, I had already heard about the facebook worm via my other sources
> of info (and a day earlier); same as anyone else who is paying attention to
> such subjects did.
>
> When info like this is spread across multiple lists/sites, the second and
> subsequent times it is noise instead of signal.
>

He's ruining Nanog, just so he can get self glorification and self
gratification in
himself as some kind of leader of internet security industry when he
really is just a sad fat person who is a nobody.

All the best,

n3td3v


MTormey at aol

Aug 8, 2008, 5:14 PM

Post #9 of 14 (1022 views)
Re: facebook worm [In reply to]

I feel like I'm on the public blogs with all kinds of idiots giving their
opinion and everything degenerating as each entry is posted. I am only a
lurker on NANOG, just seeking intelligent info for my job. I've been receiving
these emails for a few years now, but this is ridiculous. Not intelligent
information. Please stop!





hannigan at gmail

Aug 8, 2008, 10:49 PM

Post #10 of 14 (1032 views)
Re: facebook worm [In reply to]

On Fri, Aug 8, 2008 at 12:56 PM, brett watson <brett [at] the-watsons> wrote:
> On Aug 8, 2008, at 9:48 AM, Laurence F. Sheldon, Jr. wrote:
>
>> Patrick Giagnocavo wrote:
>>
>>> Turning nanog into a rehash of digg's technology section or the front
>>> page of news.com reduces nanog's utility.
>>
>> As does the days and days of rehash of one of Gadi's postings.
>
> And all of this BS is even *more* off topic than folks are claiming Gadi's
> post was. This list goes off topic all the time, at least Gadi's post was
> technical.
>
>


Not only was his post technical, it was relevant to operator revenue.
"Application" doesn't take these calls, the network operators do. I
can't think of a more relevant NANOG post of late. Saving us a
headache by predefining an issue seems quite on topic to me. FWIW.
YMMV.

-M<

[ No offense towards "Application" intended.]


ge at linuxbox

Aug 8, 2008, 11:08 PM

Post #11 of 14 (1018 views)
Re: facebook worm [In reply to]

On Sat, 9 Aug 2008, Martin Hannigan wrote:
> On Fri, Aug 8, 2008 at 12:56 PM, brett watson <brett [at] the-watsons> wrote:
>> On Aug 8, 2008, at 9:48 AM, Laurence F. Sheldon, Jr. wrote:
>>
>>> Patrick Giagnocavo wrote:
>>>
>>>> Turning nanog into a rehash of digg's technology section or the front
>>>> page of news.com reduces nanog's utility.
>>>
>>> As does the days and days of rehash of one of Gadi's postings.
>>
>> And all of this BS is even *more* off topic than folks are claiming Gadi's
>> post was. This list goes off topic all the time, at least Gadi's post was
>> technical.
>>
>>
>
>
> Not only was his post technical, it was relevant to operator revenue.
> "Application" doesn't take these calls, the network operators do. I
> can't think of a more relevant NANOG post of late. Saving us a
> headache by predefining an issue seems quite on topic to me. FWIW.
> YMMV.
>
> -M<

At least unlike blackworm, this one's damage could be measured.

Gadi.


fergdawg at netzero

Aug 8, 2008, 11:38 PM

Post #12 of 14 (1020 views)
Re: facebook worm [In reply to]

-- Gadi Evron <ge [at] linuxbox> wrote:

>At least unlike blackworm, this one's damage could be measured.

Actually, BlackWorm was measured -- I have the CAIDA poster in
my cube. :-)

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/


yskchu at gmail

Aug 12, 2008, 10:36 PM

Post #13 of 14 (985 views)
Re: facebook worm [In reply to]

On Sat, Aug 9, 2008 at 2:33 AM, Patrick Giagnocavo <patrick [at] zill> wrote:

> Turning nanog into a rehash of digg's technology section or the front page
> of news.com reduces nanog's utility.
>
> --Patrick
>
>
Are you saying that all network professionals should read digg or news.com?
:-)
Btw, slashdot seemed to have missed it.


jra at baylink

Aug 15, 2008, 10:15 AM

Post #14 of 14 (945 views)
Re: facebook worm [In reply to]

On Fri, Aug 08, 2008 at 10:27:33PM +0100, n3td3v wrote:
> He's ruining Nanog, just so he can get self glorification and self
> gratification in
> himself as some kind of leader of internet security industry when he
> really is just a sad fat person who is a nobody.
>
> All the best,

Clearly not.

Moderators? Personal attacks are off topic, right?

Cheers,
-- jr '"self gratification in himself". furrfu' a
--
Jay R. Ashworth Baylink jra [at] baylink
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)
