Archive for the ‘Vulnerability’ Category

Recover your Gmail and Orkut accounts from Bom Sabado attack

September 26th, 2010

Exploiting a cross-site scripting flaw on Orkut, the “Bom Sabado” worm is spreading like a plague on Orkut. “Bom Sabado” means “Good Saturday” in Portuguese. It sends “Bom Sabado” scraps to your friends and automatically joins your profile to some adult communities. It is a cookie-stealing script in action.
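The two defences that matter against a cookie-stealing scrap are output encoding (so scrap text can never run as script) and an HttpOnly session cookie (so script that does run cannot read the session). The block below is an added example, not code from the post or from Orkut; the scrap text is a constructed textbook probe, and the cookie name SID is an assumption.

```python
import html
from http import cookies

# Constructed stand-in for a scrap submitted by a user. It is a generic textbook
# XSS probe, not the worm's payload; it exists only to show that encoding neutralises it.
UNTRUSTED_SCRAP = 'Bom Sabado! <script>alert(document.cookie)</script>'


def render_scrap(text: str) -> str:
    """Wrap scrap text in a paragraph after entity-encoding every markup character.

    html.escape turns <, >, &, " and ' into entities, so whatever the poster typed
    is displayed as text rather than interpreted as HTML or script.
    """
    return '<p class="scrap">' + html.escape(text, quote=True) + "</p>"


def only_wrapper_tags(rendered: str) -> bool:
    """True when the only angle brackets left are the two belonging to <p> and </p>."""
    return rendered.count("<") == 2 and rendered.count(">") == 2


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header for a session cookie that page script cannot read.

    HttpOnly keeps the cookie out of document.cookie, so even a script that does
    run in the page cannot copy the session to a third party; Secure limits the
    cookie to HTTPS. The cookie name 'SID' is an assumption for the example.
    """
    jar = cookies.SimpleCookie()
    jar["SID"] = session_id
    jar["SID"]["httponly"] = True
    jar["SID"]["secure"] = True
    jar["SID"]["path"] = "/"
    return jar.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    page = render_scrap(UNTRUSTED_SCRAP)
    print(page)
    print("inert:", only_wrapper_tags(page))
    print(session_cookie_header("constructed-session-id"))
```

Encoding on output is what stops the worm from spreading through scraps; HttpOnly is what limits the damage if some other injection point is missed. Neither replaces the password change the post recommends, because a session that was already copied stays valid until it is invalidated server-side.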

Am I infected?

If you have seen a “Bom Sabado!” scrap on Orkut, in your scrapbook or a friend’s scrapbook, or seen this scrap in Gmail’s web interface, you are infected.

Don’t panic!

What should you do?

  • Clear your cookies and cache.
  • Change your Google account password immediately by visiting the following link, and don’t log in to Orkut until Google engineers fix this issue.

https://www.google.com/accounts/EditPasswd?hl=en

  • Change the security question too.
  • Keep your mobile phone number updated so you can receive a password reset code.
  • Don’t try to open Orkut, or messages from Orkut, by e-mail. (SMTP and POP users may view the message in plain text.)
  • Stop visiting the scrapbooks of others until they fix this issue.

How can you help to avoid its spreading?

  • Log in to the mobile version of Orkut, http://m.orkut.com, from Opera Mobile and delete all “Bom Sabado!” scraps.

Alternatively, pass this information on to your friends. Stay tuned for further updates.

Install and maintain an updated anti-virus and anti-malware product, such as Malwarebytes Anti-Malware, to keep your system free from keyloggers and backdoor trojans.

UPDATE from Google:

Hi all,

This is to inform you all that we’ve contained the “Bom Sabado” virus, have identified the bug that allowed this, and have fixed it.

We’re currently working on restoring the affected profiles.

Thanks a ton to each of you who’s made an effort to alert everyone else about this.


How to bypass Windows passwords? aka Linux, the easy way

June 23rd, 2010

If you badly want to access a system and don’t have any authentication credentials, here is a trick to bypass it.

Requirements:

  1. ISO image of any live Linux distribution (Ubuntu, Fedora, DSL, etc.)
  2. Thumb drive, aka pen drive
  3. UNetbootin for Linux/Windows
  4. More information at my previous post here

btw, don’t violate any rules. Enter at your own risk.


Conficker worm on its pursuit updates itself!

March 19th, 2009

Conficker B++, the evil twin of Conficker, also known as W32/Conficker.worm, Downup, W32.Downadup and Kido, is a worm that takes advantage of the Windows security vulnerability MS08-067 in order to spread itself across networks. Once it has infected a machine, Conficker may disable Windows system services such as Windows Defender, Automatic Backup, Windows Error Reporting, and Windows Automatic Update. Conficker can block certain security websites and may install further malware on your computer.


Conficker A (left) /B (right): Top-level control flow

Source : http://mtc.sri.com

Conficker B uses a different set of sites to query its external-facing IP address: www.getmyip.org, www.whatsmyipaddress.com, www.whatismyip.org and checkip.dyndns.org. It does not download the fraudware Antivirus XP software that version A attempts to download. Conficker’s propagation methods vary between A and B. Like Conficker A, after a relatively short initialization phase followed by a scan-and-infect stage, Conficker B proceeds to generate a daily list of domains to probe for the download of an additional payload.

A New Backdoor Service
Conficker B++ has added a new method for remote Win32 binary retrieval and execution. This new method entails the use of a named pipe to receive URLs from remote systems, retrieval of Win32 binaries from those URLs, validation that the downloaded executable is properly signed by the Conficker authors, and immediate execution of the binary.

The new Conficker variant adds an extra function to the main thread if the OS is Windows XP, Windows 2000, or Windows Server 2003.

Conficker is known to block access to over 100 anti-virus and security websites.

OpenDNS, the free DNS service, plans to start blocking the Conficker worm’s attempts to connect to potential control servers using a predicted address list provided by Kaspersky. According to The Register, the new free service will also be able to alert administrators to the presence of the Conficker worm and assist them in locating infected machines.

Microsoft is offering a $250,000 reward for information leading to the arrest and conviction of the cybercriminals responsible for the fast-spreading Conficker/Downadup worm.

Computer users who already have the Automatic Update feature turned on for Microsoft Windows Update may not be vulnerable to the Conficker worm. Upon detection of the Conficker worm, it is recommended that you configure your computer to receive critical updates and patches from Microsoft and run a full scan with an up-to-date version of your anti-virus or anti-malware program. Conficker may attempt to recreate itself on reboot.

Download Free Conficker Removal Tool

Joe Stewart of the Conficker Working Group has created an “eye chart” that allows online identification of Conficker B and C infections. The idea is to load content from sites that Conficker blocks: images that fail to appear reveal the block.

Check now http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

If you can see all six images in both rows of the top table, you are either not infected by Conficker or you are using a proxy server. In the proxy case you cannot use this test to make an accurate determination, since the proxy fetches the images on your behalf and Conficker is therefore unable to block you from viewing the AV/security sites.
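The same decision rule can be scripted for hosts without a browser, and it is worth adding one non-security control site so that a dead network is not mistaken for selective blocking. The block below is an added example, not the Conficker Working Group’s code; the .test hostnames are placeholders that will not resolve, and the fetch function is injectable so the rule can be exercised offline.

```python
import urllib.request

# Constructed probe set. The real eye chart serves images from security-vendor
# sites; these .test hostnames are placeholders and will not resolve.
SECURITY_URLS = [
    "https://av-vendor-one.test/logo.png",
    "https://av-vendor-two.test/logo.png",
    "https://av-vendor-three.test/logo.png",
]
# A site the worm has no reason to block, so "everything failed" can be told apart
# from "only security sites failed". Also a placeholder.
CONTROL_URL = "https://neutral-site.test/"


def http_reachable(url: str, timeout: float = 5.0) -> bool:
    """True if a GET completes with a success status; False on DNS, connect or HTTP errors."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (OSError, ValueError):
        return False


def eye_chart_verdict(security_urls, control_url, fetch=http_reachable, via_proxy=False):
    """Apply the eye chart's decision rule to a set of fetch results.

    fetch is injectable so the rule can be exercised offline; via_proxy records
    the caveat from the post: a proxy fetches the images on the host's behalf,
    so a blocked host still sees them. Returns (verdict, {url: reachable}).
    """
    results = {url: fetch(url) for url in security_urls}
    control_ok = fetch(control_url)
    blocked = [url for url, ok in results.items() if not ok]

    if not control_ok:
        verdict = "no connectivity: test cannot run"
    elif via_proxy:
        verdict = "inconclusive: a proxy fetches the images, so blocking is not observable"
    elif not blocked:
        verdict = "all security sites reachable: no Conficker-style blocking seen"
    else:
        verdict = "%d of %d security sites unreachable: possible Conficker B/C infection" % (
            len(blocked), len(security_urls))
    return verdict, results


if __name__ == "__main__":
    verdict, results = eye_chart_verdict(SECURITY_URLS, CONTROL_URL)
    for url, ok in results.items():
        print("reachable" if ok else "BLOCKED  ", url)
    print(verdict)
```

Run on a real host you would replace the placeholder URLs with vendor sites the worm is known to block and make sure the host is not configured to use a proxy, otherwise the result is the inconclusive case the post warns about.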


Conficker (AKA Downadup or Kido) infections shooting to an estimated 9 million

January 21st, 2009

Experts are warning that hackers have yet to activate the payload of the Conficker virus.

The worm is spreading through low security networks, memory sticks, and PCs without the latest security updates.


The worm can also spread via USB flash drives

Method

According to Microsoft, the worm works by searching for a Windows executable file called “services.exe” and then becomes part of that code.

It then copies itself into the Windows system folder as a randomly named file of the type known as a “dll”. It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which stores key Windows settings, to run the infected DLL as a service.

Once the worm is up and running, it creates an HTTP server, resets the machine’s System Restore point (making it far harder to recover the infected system) and then downloads files from the hackers’ web site.

The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines.
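A randomly named DLL registered as a service in the system folder is something an administrator can look for, but the name shape alone is a weak signal, since plenty of legitimate service DLLs also have short names; a baseline from a known-clean build is what makes the check useful. The block below is an added example, not Microsoft’s or any vendor’s tool: the baseline and the snapshot are constructed, the service name ntsvcq is made up, and only the DLL name piftoc.dll comes from the post.

```python
import re
from pathlib import PureWindowsPath

# Assumed baseline of (service name, ServiceDll file name) pairs taken from a known-clean
# machine of the same build. Three entries stand in for a real, much longer list.
BASELINE = {
    ("wuauserv", "wuaueng.dll"),
    ("schedule", "schedsvc.dll"),
    ("lanmanserver", "srvsvc.dll"),
}

# Folders the post says the worm drops into; matched case-insensitively.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

# The name shape described above: 5-8 letters followed by .dll.
SHORT_RANDOM_NAME = re.compile(r"^[a-z]{5,8}\.dll$")

# Constructed snapshot of service -> ServiceDll, as you would flatten from
# `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` on the host.
# The last entry uses the DLL name quoted in the post; its service name is made up.
SNAPSHOT = [
    ("wuauserv", r"C:\WINDOWS\system32\wuaueng.dll"),
    ("Schedule", r"C:\WINDOWS\system32\schedsvc.dll"),
    ("lanmanserver", r"C:\WINDOWS\system32\srvsvc.dll"),
    ("ntsvcq", r"C:\WINDOWS\system32\piftoc.dll"),
]


def review_service_dlls(snapshot, baseline=BASELINE, system_dirs=SYSTEM_DIRS):
    """Return [(service, path, reasons)] for every ServiceDll not in the baseline.

    The baseline does the real work: legitimate DLLs such as srvsvc.dll also have
    short names, so the name-shape check only annotates a finding, never makes one.
    """
    findings = []
    for service, path in snapshot:
        p = PureWindowsPath(path)
        dll = p.name.lower()
        if (service.lower(), dll) in baseline:
            continue
        reasons = ["service/DLL pair not in baseline"]
        if str(p.parent).lower() in system_dirs and SHORT_RANDOM_NAME.match(dll):
            reasons.append("5-8 letter DLL name in the system folder")
        findings.append((service, path, reasons))
    return findings


if __name__ == "__main__":
    for service, path, reasons in review_service_dlls(SNAPSHOT):
        print(service, path, "; ".join(reasons))
```

Anything this flags still needs confirmation (file hash against vendor data, whether the DLL is signed, when it appeared) before it is treated as an infection; the review narrows the list, it does not settle it.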

Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.

But Conficker does things differently.

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers’ files. On the face of it, tracing this one site is almost impossible.
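Predicting the daily list is hard; using a predicted list once someone else has computed it is easy, and that is what the OpenDNS service described in the previous post does at the resolver. The same list turns an ordinary DNS query log into a way of locating infected hosts. The block below is an added example, not OpenDNS’s or Kaspersky’s code: the predicted set holds only the three names the post quotes, the log lines are constructed in an assumed BIND-style layout, and the client addresses are made up.

```python
import re
from collections import defaultdict

# Predicted names: the three example domains the post quotes from F-Secure. A real
# feed, such as the one the previous post says Kaspersky supplied to OpenDNS, would
# hold hundreds of names per day and change daily.
PREDICTED_DOMAINS = {"mphtfrxs.net", "imctaef.cc", "hcweu.org"}

# Constructed resolver log in a BIND-style query-log layout (the layout is assumed;
# adjust LINE_RE for your resolver). Client addresses are made up.
SAMPLE_LOG = """\
21-Jan-2009 10:01:12.345 client 10.0.5.17#51234: query: mphtfrxs.net IN A + (10.0.0.53)
21-Jan-2009 10:01:13.001 client 10.0.5.42#40021: query: www.example.com IN A + (10.0.0.53)
21-Jan-2009 10:01:15.700 client 10.0.5.17#51240: query: hcweu.org IN A + (10.0.0.53)
21-Jan-2009 10:02:02.118 client 10.0.5.88#33011: query: IMCTAEF.CC. IN A + (10.0.0.53)
21-Jan-2009 10:02:09.004 client 10.0.5.42#40030: query: update.example.org IN A + (10.0.0.53)
"""

LINE_RE = re.compile(r"client (?P<ip>\d+(?:\.\d+){3})#\d+: query: (?P<name>\S+) IN ")


def registered_domain(name: str) -> str:
    """Normalise a query name to its last two labels, lower-cased, without a trailing dot.

    Two labels is enough for this feed; a real deployment would use a public-suffix list.
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_suspect_hosts(log_text: str, predicted=PREDICTED_DOMAINS):
    """Map each client IP to the sorted list of predicted domains it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        domain = registered_domain(m.group("name"))
        if domain in predicted:
            hits[m.group("ip")].add(domain)
    return {ip: sorted(domains) for ip, domains in hits.items()}


if __name__ == "__main__":
    for ip, domains in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(ip, "queried predicted domains:", ", ".join(domains))
```

A host that asks for several names from the day’s list is a much stronger signal than a single hit, which is why the function keeps the set of domains per client rather than a plain count of matches.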

Kaspersky Lab’s security analyst Eddy Willems said that a new strain of the worm was complicating matters.

“There was a new variant released less than two weeks ago and that’s the one causing most of the problems,” said Mr Willems.

“The replication methods are quite good. It’s using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism.

“Of course, the real problem is that people haven’t patched their software,” he added.

Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.

The Downadup worm, which exploits a months-old Windows vulnerability, has infected more than a million PCs in the past 24 hours, a security company said today. Aliases of the worm are Worm.Conficker [PCTools], W32.Downadup [Symantec], Net-Worm.Win32.Kido.ih [Kaspersky Lab], W32/Conficker.worm [McAfee], W32/Confick-A [Sophos], Worm:Win32/Conficker.A [Microsoft] and Worm.Win32.Conficker [Ikarus].

Keep Windows and your antivirus definitions updated.

If you’re a victim of this worm, you can visit F-Secure’s Malware Information page for more information on removing it from your computer system.

Source : BBC News
