
Forum Moderators: rogerd


Storm Warning: New Worm Attacks Forums and Blogs

     

rogerd

3:18 am on Mar 1, 2007 (gmt 0)




ZDNet warns that there is a new variant of the Storm worm spreading that, when a user with an infected PC makes a blog or forum post, adds a link to an infected site.

[news.zdnet.com...]

No, a virus didn't add that link to this post. :)

phranque

3:25 am on Mar 1, 2007 (gmt 0)




i also posted about this under the ms windows forum [webmasterworld.com].
the computerworld article linked there has a fair amount of technical detail describing the behavior.

camweh

4:46 am on Mar 1, 2007 (gmt 0)




Might be worth telling forum members to mention in the body of their posts if they are adding a link.

phranque

4:55 am on Mar 1, 2007 (gmt 0)




Might be worth telling forum members to mention in the body of their posts if they are adding a link.

from the computerworld article:

"It inserts 'Have you seen this link?' along with a link to what seems to be a video," Alperovitch said.

that teaser text could be adjusted to the locally acceptable phrase...

madmatt69

5:10 am on Mar 1, 2007 (gmt 0)




Does anyone know if any particular forum software is overly vulnerable?

Just looked on the phpbb.com site and there's no mention of it. Wondering if there are any patches available yet.

rocknbil

7:55 am on Mar 1, 2007 (gmt 0)




. . . in the form of e-mails with attachments that, when opened, loaded malicious software onto victims' PCs....

Is it "me" or does almost every virus alert open with this statement?

phranque

8:13 am on Mar 1, 2007 (gmt 0)




mm69: phpBB and VBulletin are what i've read so far...

wheel

12:17 pm on Mar 1, 2007 (gmt 0)




Nobody posts at my forum, so I'm good.

zCat

12:26 pm on Mar 1, 2007 (gmt 0)




Sounds like it affects any forum / blog-type system, because the "malicious payload" is being smuggled in along with legitimate posts from infected users - it doesn't rely on vulnerabilities in any particular server-side software.

It would be interesting to know if there is any pattern to the malicious URLs posted.

wheel

12:54 pm on Mar 1, 2007 (gmt 0)




I think there is a pattern. The vbulletin site has a thread where someone mentions a specific link they've added to their censorship software. Just do a search for storm virus on the site.

phranque

1:27 pm on Mar 1, 2007 (gmt 0)




the added link is a url at mailfreepostcards dot com or at the ip address 66 dot 148 dot 74 dot 7.
those addresses are unreliable however.
here is the description of the mespam trojan by symantec [symantec.com].
the ultimate goal of the malware is to include the computer in a peacomm-based zombie botnet described here by symantec [symantec.com].
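
A moderation-queue check built from the indicators mentioned in this thread, added here as an example and not taken from any poster or forum package. The function names and the 200-character window between teaser and link are assumptions; the host list and teaser phrase are the ones quoted above.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the thread, stored defanged as posted and refanged at load.
# The thread notes these addresses are unreliable, so they are only one signal.
DEFANGED_HOSTS = ["mailfreepostcards dot com", "66 dot 148 dot 74 dot 7"]
BLOCKED_HOSTS = {h.replace(" dot ", ".") for h in DEFANGED_HOSTS}

# Teaser phrase quoted from the Computerworld article; tolerate case and spacing changes.
TEASER_RE = re.compile(r"have\s+you\s+seen\s+this\s+link\s*\??", re.I)

# Bare URLs and BBCode [url=...] targets (phpBB and vBulletin posts use BBCode).
URL_RE = re.compile(r"https?://[^\s\[\]\"'<>]+", re.I)

TEASER_WINDOW = 200  # assumption: the link follows the teaser within this many chars


def extract_hosts(body):
    """Return the lower-cased hostname of every http(s) URL in a post body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def review_post(body):
    """Return reasons to hold a post for moderation; an empty list means pass."""
    reasons = []
    for host in extract_hosts(body):
        # Match a listed host or any subdomain of it.
        if any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS):
            reasons.append("blocked-host:" + host)
    # Host lists go stale, so also flag the teaser phrase when a link follows it.
    m = TEASER_RE.search(body)
    if m and URL_RE.search(body, m.end(), m.end() + TEASER_WINDOW):
        reasons.append("teaser-with-link")
    return reasons


if __name__ == "__main__":
    # Constructed sample post: a normal reply with the teaser and a link added.
    sample = "Good point, thanks.\n\nHave you seen this link? http://example.test/clip"
    print(review_post(sample))
```

Holding flagged posts for review rather than rejecting them keeps the infected member's legitimate text and gives a moderator the chance to tell them their PC is compromised.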

grandpa

1:40 pm on Mar 1, 2007 (gmt 0)




I've seen that url in some public comments on one of my sites. The comments were obvious spam attempts, not legitimate comments, so they got zapped.

I'm with wheel on this one, at least 'someone' has taken an interest in my forum...

AlexK

4:01 pm on Mar 2, 2007 (gmt 0)




grandpa:
at least 'someone' has taken an interest in my forum...

There was an Arlo Guthrie song in my youth. The song recounts how he made a phone call from a payphone to the FBI. In seconds the FBI ran thousands of checks on him, but then concluded that he was a "nobody", and ignored him.

There is a perverse comfort in the fact that--at the very least--the spammers and scammers are interested in you.
