Storm Warning: New Worm Attacks Forums and Blogs

Forum Moderators: rogerd

Message Too Old, No Replies

Storm Warning: New Worm Attacks Forums and Blogs

rogerd

3:18 am on Mar 1, 2007 (gmt 0)

ZDNet warns that there is a new variant of the Storm worm spreading that, when a user with an infected PC makes a blog or forum post, adds a link to an infected site.

[news.zdnet.com...]

No, a virus didn't add that link to this post. :)

phranque

3:25 am on Mar 1, 2007 (gmt 0)

i also posted about this under the ms windows forum [webmasterworld.com].
the computerworld article linked there has a fair amount of technical detail decribing the behavior.

camweh

4:46 am on Mar 1, 2007 (gmt 0)

Might be worth telling forum members to mention in the the body of their posts if they are adding a link.

phranque

4:55 am on Mar 1, 2007 (gmt 0)

Might be worth telling forum members to mention in the the body of their posts if they are adding a link.

from the computerworld article:

"It inserts 'Have you seen this link?' along with a link to what seems to be a video," Alperovitch said.

that teaser text could be adjusted to the locally acceptible phrase...

madmatt69

5:10 am on Mar 1, 2007 (gmt 0)

Does anyone know if any particular forum software is overly vulnerable?

Just looked on the phpbb.com site and there's no mention of it. Wondering if there are any patches available yet.

rocknbil

7:55 am on Mar 1, 2007 (gmt 0)

. . . in the form of e-mails with attachments that, when opened, loaded malicious software onto victims' PCs....

Is it "me" or does almost every virus alert open with this statement?

phranque

8:13 am on Mar 1, 2007 (gmt 0)

mm69: phpBB and VBulletin is what i've read so far...

wheel

12:17 pm on Mar 1, 2007 (gmt 0)

Nobody posts at my forum, so I'm good.

zCat

12:26 pm on Mar 1, 2007 (gmt 0)

Sounds like it affects any forum / blog-type system, because the "malicious payload" is being smuggled in along with legitimate posts from infected users - it doesn't rely on vulnerabilites in any particular server-side software.

It would be interesting to know if there is any pattern to the malicious URLs posted.

wheel

12:54 pm on Mar 1, 2007 (gmt 0)

I think there is a pattern. The vbulletin site has a thread where someone mentions a specific link they've added to their censorship software. Just do a search for storm virus on the site.

phranque

1:27 pm on Mar 1, 2007 (gmt 0)

the added link is a url at mailfreepostcards dot com or at the ip address 66 dot 148 dot 74 dot 7.
those addresses are unreliable however.
here is the description of the mespam trojan by symantec [symantec.com].
the ultimate goal of the malware is to include the computer in a peacomm-based zombie botnet described here by symantec [symantec.com].

grandpa

1:40 pm on Mar 1, 2007 (gmt 0)

I've seen that url in some public comments on one of my sites. They comments were obvious spam attempts, not legitimate comments, so they got zapped.

I'm with wheel on this one, at least 'someone' has taken an interest in my forum...

AlexK

4:01 pm on Mar 2, 2007 (gmt 0)

grandpa:

at least 'someone' has taken an interest in my forum...

There was an Arlo Guthrie song in my youth. The song recounts how he made a phone call from a payphone to the FBI. In seconds the FBI ran thousands of checks on him, but then concluded that he was a "nobody", and ignored him.

There is a perverse comfort in the fact that--at the very least--the spammers and scammers are interested in you.