
Forum Moderators: rogerd


Storm Warning: New Worm Attacks Forums and Blogs

     
3:18 am on Mar 1, 2007 (gmt 0)

Administrator

WebmasterWorld Administrator rogerd is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 2, 2000
posts:9685
votes: 0


ZDNet warns that there is a new variant of the Storm worm spreading that, when a user with an infected PC makes a blog or forum post, adds a link to an infected site.

[news.zdnet.com...]

No, a virus didn't add that link to this post. :)

3:25 am on Mar 1, 2007 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10542
votes: 8


i also posted about this under the ms windows forum [webmasterworld.com].
the computerworld article linked there has a fair amount of technical detail describing the behavior.

4:46 am on Mar 1, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 16, 2005
posts:118
votes: 0


Might be worth telling forum members to mention in the body of their posts if they are adding a link.

4:55 am on Mar 1, 2007 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10542
votes: 8


Might be worth telling forum members to mention in the body of their posts if they are adding a link.

from the computerworld article:

"It inserts 'Have you seen this link?' along with a link to what seems to be a video," Alperovitch said.

that teaser text could be adjusted to the locally acceptable phrase...

5:10 am on Mar 1, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 28, 2001
posts:779
votes: 0


Does anyone know if any particular forum software is overly vulnerable?

Just looked on the phpbb.com site and there's no mention of it. Wondering if there are any patches available yet.

7:55 am on Mar 1, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 28, 2004
posts:7999
votes: 0


. . . in the form of e-mails with attachments that, when opened, loaded malicious software onto victims' PCs....

Is it "me" or does almost every virus alert open with this statement?

8:13 am on Mar 1, 2007 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10542
votes: 8


mm69: phpBB and VBulletin is what i've read so far...

12:17 pm on Mar 1, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts:5063
votes: 11


Nobody posts at my forum, so I'm good.

12:26 pm on Mar 1, 2007 (gmt 0)

Preferred Member

10+ Year Member

joined:Oct 1, 2004
posts:607
votes: 0


Sounds like it affects any forum / blog-type system, because the "malicious payload" is being smuggled in along with legitimate posts from infected users - it doesn't rely on vulnerabilities in any particular server-side software.

It would be interesting to know if there is any pattern to the malicious URLs posted.

12:54 pm on Mar 1, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts:5063
votes: 11


I think there is a pattern. The vbulletin site has a thread where someone mentions a specific link they've added to their censorship software. Just do a search for storm virus on the site.

1:27 pm on Mar 1, 2007 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10542
votes: 8


the added link is a url at mailfreepostcards dot com or at the ip address 66 dot 148 dot 74 dot 7.
those addresses are unreliable however.
here is the description of the mespam trojan by symantec [symantec.com].
the ultimate goal of the malware is to include the computer in a peacomm-based zombie botnet described here by symantec [symantec.com].
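
Added example, not part of any post in this thread and not code from phpBB or vBulletin: a server-side check a forum could run on each submitted post, rejecting links to the two hosts named above and holding for moderation any post that pairs the quoted teaser with an unknown link, since the addresses are described as unreliable. The function names, the three verdicts and the sample posts are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Hosts named in this thread, written in plain form so they can be matched.
BLOCKED_HOSTS = {"mailfreepostcards.com", "66.148.74.7"}
# Teaser quoted from the computerworld article; extend as variants appear.
TEASERS = ("have you seen this link",)

# Stops at whitespace, quotes and brackets so BBCode [url=...] tags parse cleanly.
URL_RE = re.compile(r"""https?://[^\s<>"'\[\]]+""", re.IGNORECASE)


def link_hosts(body):
    """Return the lowercase host of every http(s) URL in a post body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname  # drops port and userinfo, lowercases
        if host:
            hosts.append(host.rstrip("."))
    return hosts


def is_blocked(host):
    """True for a blocklisted host or any subdomain of a blocklisted domain."""
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


def review_post(body):
    """Classify a submitted post as 'reject', 'hold' or 'accept'."""
    hosts = link_hosts(body)
    if any(is_blocked(h) for h in hosts):
        return "reject"
    text = re.sub(r"\s+", " ", body).lower()
    if hosts and any(t in text for t in TEASERS):
        return "hold"  # teaser plus an unlisted link: queue for a moderator
    return "accept"


# Constructed sample posts, not taken from any real forum.
SAMPLE_POSTS = [
    "Nice write-up. Have you seen this link? http://www.mailfreepostcards.com/v",
    "I agree. [url=http://66.148.74.7/clip]video[/url]",
    "Have you seen\nthis link? http://example.org/v",
    "The manual is at http://example.org/manual",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(review_post(post), "<-", repr(post))
```
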
1:40 pm on Mar 1, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 7, 2003
posts:1404
votes: 0


I've seen that url in some public comments on one of my sites. The comments were obvious spam attempts, not legitimate comments, so they got zapped.

I'm with wheel on this one, at least 'someone' has taken an interest in my forum...

4:01 pm on Mar 2, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 7, 2004
posts:660
votes: 0


grandpa:
at least 'someone' has taken an interest in my forum...

There was an Arlo Guthrie song in my youth. The song recounts how he made a phone call from a payphone to the FBI. In seconds the FBI ran thousands of checks on him, but then concluded that he was a "nobody", and ignored him.

There is a perverse comfort in the fact that--at the very least--the spammers and scammers are interested in you.