facebook worm

Hi all. You may want to be ready for a *possible* support lines flood today.

Yesterday I discovered a fast-spreading Facebook worm. It spreads by sending messages to all your Facebook friends, from your account, asking them to click on a link in the .pl ccTLD.

This worm is somewhat similar to Zlob; here is a link to a Kaspersky paper on a previous iteration of it, which they call Koobface:
http://www.kaspersky.com/news?id=207575670

The worm collects spam subject lines from, and then sends the users' personal data to, the following C&C:
zzzping.com

I spoke with DirectNIC last night and the Registrar Operations (reg-ops) mailing list was updated that the domain is no longer reachable. That was very fast response time from DirectNIC, which we appreciate.

The worm is still fast-spreading, watch the statistics as they fly:
http://www.d9.pl/system/stats.php

The Facebook security team is working on this, and they are quite capable. The security operations community has been doing analysis and take-downs, but the worm seems to still be spreading.

All anti virus vendors have been notified, and detection (if not removal) should be added within a few hours to a few days.

For now, while users may get infected, their information is safe (unless the worm has a secondary contact C&C which I have not verified yet).

It seems like some users may have learned not to click on links in email, but any other medium does not compute.

   Gadi.
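Since the post is aimed at ISP support desks, the practical follow-up for an operator is to find out which customers are already talking to the worm's infrastructure before they call in. The script below is an added example, not something from the original thread or from any of the vendors it mentions: it scans resolver query logs for lookups of the domains named above (zzzping.com as the C&C, d9.pl as the stats host) and groups them by client address. The log format is a constructed BIND-style sample and the regex is an assumption; adapt it to your own resolver's output. Note that a registrar takedown like the DirectNIC one makes the name stop resolving, but the client still issues the query, so the lookup itself remains a usable infection indicator in the logs.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Domains named in the thread: the worm's C&C and its statistics host.
# Anything added here beyond those two would be an assumption.
WORM_DOMAINS = {"zzzping.com", "d9.pl"}

# Constructed sample resolver log in a BIND query-log style (assumption:
# real resolver logs differ; adjust QUERY_RE for your format).
SAMPLE_LOG = """\
10-Dec-2008 09:12:01.123 client 198.51.100.23#51234: query: zzzping.com IN A +
10-Dec-2008 09:12:02.456 client 198.51.100.23#51235: query: www.example.com IN A +
10-Dec-2008 09:12:05.789 client 198.51.100.77#40001: query: www.d9.pl IN A +
10-Dec-2008 09:13:10.000 client 198.51.100.23#51240: query: zzzping.com IN A +
10-Dec-2008 09:14:00.000 client 203.0.113.5#33333: query: mail.example.net IN MX +
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def matches_worm_domain(name: str) -> bool:
    """True if the queried name is a worm domain or a subdomain of one.

    The trailing dot and case are normalised so 'ZZZPING.COM.' matches;
    the '.' boundary check stops 'notzzzping.com' from matching.
    """
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in WORM_DOMAINS)


def find_infected_clients(log_text: str) -> Dict[str, List[str]]:
    """Map each client IP that looked up a worm domain to the names it queried.

    Only lines matching QUERY_RE are considered; everything else is ignored,
    so unrelated log noise does not produce false hits.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_worm_domain(m.group("name")):
            hits[m.group("ip")].append(m.group("name"))
    return dict(hits)


if __name__ == "__main__":
    # Print one line per suspected client, most active first, for the support desk.
    clients = find_infected_clients(SAMPLE_LOG)
    for ip, names in sorted(clients.items(), key=lambda kv: -len(kv[1])):
        print(f"{ip}: {len(names)} lookups -> {sorted(set(names))}")
```

Run it against a real resolver log by replacing SAMPLE_LOG with the file contents; the resulting client list is what a help desk would want in hand before the "my account is sending messages I did not write" calls start. Matching on the registered domain rather than on exact hostnames catches the worm's subdomains without needing the full list of hosts it uses.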

Gadi,

Please take a few moments to reflect on:

http://www.nanog.org/endsystem.html

I'd appreciate it if you'd try and keep future off-topic postings like
this to a minimum, as it makes the list difficult to wade through to
get to what matters.

Regards,
Paul (not currently MLC, though I promise to put you in your place
once the SC affords me the privilege :)

[top-posting]

Now that this worm has been somewhat balked, I'd like to thank the membership for your patience with this off-topic post. I realize it is probably as annoying to some as it was useful to others.

My thinking was that on the rare occasion when we can anticipate *possible* and *serious* floods and bottle-necks at ISP tech-support lines, across multiple providers and regions, we should share that information. NANOG remains the best place for such information sharing.

While I realize this mailing list is mostly about network operations and less about ISP operations, we had a discussion in the past where we have seen some in our community do use this information effectively and find it useful.

This is a rare occasion indeed, but an explanation and an apology were in order.

Thank you,

   Gadi.

Gadi Evron wrote:

My thinking was that on the rare occasion when we can anticipate *possible* and *serious* floods and bottle-necks at ISP tech-support lines, across multiple providers and regions, we should share that information. NANOG remains the best place for such information sharing.

I agree.

While I realize this mailing list is mostly about network operations and less about ISP operations, we had a discussion in the past where we have seen some in our community do use this information effectively and find it useful.

ISP operations are network operations. Fast spreading worms with
remediation through DNS configuration that may affect tech-support costs
are obviously network related.

Gadi Evron wrote:

While I realize this mailing list is mostly about network operations and less about ISP operations, we had a discussion in the past where we have seen some in our community do use this information effectively and find it useful.

Thing is, I had already heard about the facebook worm via my other sources of info (and a day earlier); same as anyone else who is paying attention to such subjects did.

When info like this is spread across multiple lists/sites, the second and subsequent times it is noise instead of signal.

I lurk on nanog because of what it focuses on.

Turning nanog into a rehash of digg's technology section or the front page of news.com reduces nanog's utility.

--Patrick

Patrick Giagnocavo wrote:

Turning nanog into a rehash of digg's technology section or the front page of news.com reduces nanog's utility.

As does the days and days of rehash of one of Gadi's postings.

And all of this BS is even *more* off topic than folks are claiming Gadi's post was. This list goes off topic all the time, at least Gadi's post was technical.

He's ruining Nanog, just so he can get self glorification and self gratification in himself as some kind of leader of internet security industry when he really is just a sad fat person who is a nobody.

All the best,

n3td3v

Not only was his post technical, it was relevant to operator revenue.
"Application" doesn't take these calls, the network operators do. I
can't think of a more relevant NANOG post of late. Saving us a
headache by predefining an issue seems quite on topic to me. FWIW.
YMMV.

-M<

[ No offense towards "Application" intended.]

At least unlike blackworm, this one's damage could be measured.

   Gadi.

Are you saying that all network professionals should read digg or news.com? :)
Btw, slashdot seemed to have missed it.

Clearly not.

Moderators? Personal attacks are off topic, right?

Cheers,
-- jr '"self gratification in himself". furrfu' a