Author Topic: Worms for myspace and facebook  (Read 3959 times)
July 31, 2008, 12:15:49 pm

Serg

Code:
youtube.zx6.ru
youtube.o7.pl

admin pages here

Code:
http://xxxping.com/
http://yyyping.com/
http://zzzping.com/

August 01, 2008, 05:10:06 pm
Reply #1

Serg

August 02, 2008, 09:21:00 pm
Reply #2

JohnC

August 03, 2008, 09:29:39 am
Reply #3

bobby
Serg, is there a chance that you have some tech. info on GIFAR?
I'm not interested in how it is working, I would just like to make a generic detector for it, so I'm interested just in the footprint (are both the GIF and JAR headers included in the file, along with the magic numbers?).

August 03, 2008, 12:44:22 pm
Reply #4

CM_MWR
Quote: some emails I passed along

They're up and running fine here.

Yahoo worked for a littered MySpace page:
http://search.yahoo.com/search?p=youtube.o7.pl&ei=UTF-8&fr=moz2

www.myspace.com/lukewinslowking/

A little ways down:
http://youtube.o7.pl/2008/07/00/

YouTube-looking site telling the user to download codecsetup.exe from
demokratiepur.de

http://www.virustotal.com/analisis/2b1d2f951238528ba9444ea42806498b

This is also being run inside trafficroup rotations so it's being
splattered all over the cheesy porn sites too.

Attached some traffic of interest; follow the TCP stream.

Is there something more I can gather for you, bobby?

August 03, 2008, 04:24:18 pm
Reply #5

bobby
@CM_MWR
The GIFAR thing is something other than this. At the moment, it is just a proof-of-concept that will be presented at BlackHat in the near future:
http://blogs.zdnet.com/security/?p=1619

I'm interested even in a non-working sample of this. For me it would be enough to know if both the GIF and JAR headers are completely present in that hybrid file.
I was hoping that Serg might know something about it, as the first sites that would be suffering from GIFARs are probably Facebook and MySpace (and Serg seems to follow the pests around Facebook and MySpace).

As for the mentioned fake YouTube sites - it looks clear here. Maybe it has something to do with the IP range (geolocation).
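
The footprint asked about in the two posts above (GIF header at the front, JAR structure at the back) can be checked with a small scanner. The following is an added example written for this page, not code from the thread, from Malzilla or from the BlackHat presenters. It assumes the publicly described GIFAR construction: a GIF image with a JAR (ZIP) archive simply appended, which loads as both because GIF is parsed from offset 0 while ZIP/JAR readers locate the archive from the end-of-central-directory record at the tail. The sample file it builds, the entry names inside it and all function names are constructed for illustration.

```python
"""GIFAR (GIF + JAR hybrid) footprint detector.

Added example for this thread, not code from the forum or from Malzilla.
Assumed layout: a GIF (read from the front) with a JAR/ZIP appended
(read from the back via the end-of-central-directory record).
"""
import io
import struct
import zipfile

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
ZIP_EOCD_SIG = b"PK\x05\x06"   # end of central directory record
ZIP_CEN_SIG = b"PK\x01\x02"    # central directory file header
ZIP_LOC_SIG = b"PK\x03\x04"    # local file header
EOCD_FIXED_LEN = 22            # EOCD without its trailing comment
CEN_FIXED_LEN = 46             # central header without name/extra/comment


def find_eocd(data: bytes):
    """Offset of the EOCD record or None.  Searched backwards because the
    archive comment (max 65535 bytes) may follow it."""
    start = max(0, len(data) - (EOCD_FIXED_LEN + 0xFFFF))
    pos = data.rfind(ZIP_EOCD_SIG, start)
    if pos < 0 or pos + EOCD_FIXED_LEN > len(data):
        return None
    return pos


def zip_footprint(data: bytes):
    """Walk the trailing ZIP structure.  Returns None if it is not a
    consistent archive, else {'prepended': n, 'entries': [names]} where
    'prepended' is the number of bytes sitting in front of the real
    archive (for a GIFAR that is the GIF part)."""
    eocd = find_eocd(data)
    if eocd is None:
        return None
    (_sig, _disk, _cd_disk, _n_here, n_entries, cd_size, cd_off,
     _comment_len) = struct.unpack_from("<IHHHHIIH", data, eocd)
    cen_pos = eocd - cd_size            # where the central directory really is
    if cen_pos < 0 or data[cen_pos:cen_pos + 4] != ZIP_CEN_SIG:
        return None
    prepended = cen_pos - cd_off        # stored offset is relative to the archive start
    if prepended < 0:
        return None
    names, pos = [], cen_pos
    for _ in range(n_entries):
        if data[pos:pos + 4] != ZIP_CEN_SIG:
            return None
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        loc_off = struct.unpack_from("<I", data, pos + 42)[0] + prepended
        if data[loc_off:loc_off + 4] != ZIP_LOC_SIG:
            return None                 # entry does not resolve to a local header
        names.append(data[pos + CEN_FIXED_LEN:pos + CEN_FIXED_LEN + name_len]
                     .decode("utf-8", "replace"))
        pos += CEN_FIXED_LEN + name_len + extra_len + comment_len
    return {"prepended": prepended, "entries": names}


def classify(data: bytes) -> dict:
    """Combine the front (GIF) and back (ZIP/JAR) checks into one verdict."""
    gif = data[:6] in GIF_SIGNATURES
    zf = zip_footprint(data)
    jar = zf is not None and any(n.upper() == "META-INF/MANIFEST.MF" for n in zf["entries"])
    return {
        "gif_header": gif,
        "zip_tail": zf is not None,
        "jar": jar,
        "prepended_bytes": zf["prepended"] if zf else 0,
        "gifar": gif and zf is not None and zf["prepended"] > 0,
    }


def build_sample() -> bytes:
    """Constructed test input: a minimal GIF89a (header, logical screen
    descriptor, trailer) with a two-entry JAR appended.  Not a real sample."""
    gif = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b"\x3b"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        # placeholder bytes behind a class-file magic, not a real class
        jar.writestr("Applet.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return gif + buf.getvalue()


if __name__ == "__main__":
    print(classify(build_sample()))
```

The point of the "prepended" value: after plain concatenation the offsets stored in the central directory are still relative to the start of the original JAR, not to the start of the combined file. ZIP readers that tolerate leading data (the same mechanism self-extracting archives rely on) find the central directory by walking back from the EOCD record and derive the real archive start from it, so no offsets need to be rewritten; the scanner computes the same value, and a GIF signature at offset 0 together with a non-zero prepended length is the footprint to flag. A `PK\x05\x06` byte pattern that merely appears inside compressed entry data is rejected because the central-directory and local-header signature checks that follow it fail.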

August 03, 2008, 06:15:35 pm
Reply #6

Serg
Hello bobby.
In fact I'm not specialized in Java and I've got no idea about the tech details or magic numbers... but I can look for samples and ask friends for help. I'll reply soon.