Cybercriminals exploit trust in networking sites

19 Jan 09

Facebook and Twitter have recently been hit by spammers using ‘fake friend’ accounts. Is there anything that can be done to prevent this? David Emm examines this issue and the latest virus statistics.

By David Emm

The news that Facebook and Twitter have been hit by spammers using ‘fake friend’ accounts to steal passwords and identities is the latest indication that cybercriminals will consider such social networking sites as viable mediums for spreading and profiting from crimeware during 2009.

Initial signs that this trend would become a reality were raised in May 2008 when the BBC identified how it was possible for Facebook users to have their personal details stolen via a malicious program masquerading as a harmless application that users add to their profile.

Several months later, Kaspersky Lab detected two variants of the now famous Koobface worm (namely Networm.Win32.Koobface.a. and Networm.Win32.Koobface.b) which were attacking the social networking web sites MySpace and Facebook respectively, transforming victims’ machines into zombie computers to form botnets.

Easy prey for the cybercriminals

Social networking sites are easy prey for cybercriminals. On the one hand, users are very trusting of these sites, so they lower their guard. On the other hand, vulnerabilities in these sites are often left open for significant periods of time, making it easy for hackers to take full advantage of security loopholes.

Such trust has always been the key weapon in the cybercrimials’ armoury. A few years ago, this focused on enticing naïve consumers to click on e-mail attachments. Next, it was cajoling people to click on links (sent either via e-mail or instant messaging) or download a ‘juicy’ – but malicious – program from a web site.

In every case, the cybercrime used trust and trickery to encourage people to do what they shouldn’t, without realising it. What’s worse now, of course, is that more and more of us have always-on connections and we use lots of online resources not only for social networking but also for banking and shopping. The end result is that more information about us is now in the public domain, and we don’t always take adequate steps to protect this data.

For example, many people use the same password for multiple online resources. That being the case, when a cybercriminal tricks us once, he or she may achieve a ‘multiple whammy’ on our data: access to a bank account, an eBay account or a Facebook account, etc.

Preventative steps can be taken

There are preventative steps that people can take to safeguard themselves from current and inevitable future threats, to ensure that they can continue to enjoy the many benefits that social networking sites and other Internet services bring. Of course, having an up-to-date Internet security solution is the primary defence, followed by other sensible steps such as using a unique password for each account, not using real words, mixing letters, numbers and non-alphanumeric characters and using a mixture of upper and lower case characters.

Kasperksy Lab produces The Safe Online Guide. This is available free on the company’s web site (see the dedicated link on the right hand panel of this page for details). You can also download a 60-day free trial of Internet Security 2009. The guide provides a useful blueprint for understanding the potential dangers of being online, and what steps need to be taken to protect against them.

Malware statistics published for December

The results of the monthly malware Top Twenty statistics compiled from data provided by the Kaspersky Security Network throughout December 2008 have just been published.

The first Top Twenty ranking is made up of the malicious programs, adware and potentially unwanted programs most frequently detected on computers running the latest Kaspersky Lab home user products Kaspersky Internet Security 2009 and Kaspersky Anti-Virus 2009.

November’s leaders (Virus.Win32.Sality.aa and Packed.Win32.Krap.b) remained firmly at the top of the rankings. Last month’s newcomers, the worms Mabezat.b and AutoRun.eee, both moved up three places in December. This reflects the effectiveness with which threats are spread via portable devices, in addition to using the classic method of spreading via shared network resources.

Mabezat.b (this time around in 11th position) is also able to infect files. The virus Sality.aa used a similar approach, and this propelled it to the top of the rankings. Now Mabezat.b is using the same tricks.

Gamer activity peaks in winter

Virus.Win32.Alman.b (7th position) made an interesting leap of ten places this month. Part of Alman’s payload is to steal passwords to a variety of online games. Given that gamer activity peaks during the winter months, this rapid ascent is easily explained. It will be interesting to see what happens to this malicious program’s position in the following months.

Two more newcomers – Trojan.HTML.Agent.ai (5th position) and Trojan-Downloader.JS.Agent.czm (13th position) – are run-of-the-mill script downloaders, and have no particularly interesting features.

Of late, a high percentage of malicious programs have been written using the AutoIt script language. This is because the language is easy to master, making it simple to create new programs. The sharp rise up the table by Trojan.Win32.AutoIt.ci (8th position) and the appearance of Worm.Win32.AutoIt.ar (10th position) confirm this development. Like Mabezat.b and AutoRun.eee, Autolt.ar spreads via portable devices.

The presence of two malicious programs representing a family of non-standard malware in the Top Twenty – Trojan-Downloader.WMA.GetCodec – is also of interest (6th position). One of them appeared in the Top Twenty for the first time last month, coming straight in at third place, although it did lose ground in December. The other, Trojan-Downloader.WMA.GetCodec.r (20th position), is an interesting program.

Playing an infected multimedia file results in an executable file being downloaded – this file is P2p-Worm.Win32.Nugg.w, traditionally presented as a codec. When executed, it downloads several archive files containing executable and multimedia files from the Internet. These executables are different variants of P2P-Worm.Win32.Nugg, while the multimedia files are infected by different variants of Trojan-Downloader.WMA.Getcodec.

Even ordinary files cannot be trusted

The worm replaces the names of these files with “keygen RELOADED.zip”, “(hot remix).mp3” and other names likely to interest users and makes them available on the popular peer-to-peer network Gnutella. Unsuspecting users then download these files, ensuring the malicious code continues to spread. Even ordinary multimedia files can no longer be trusted, and users who are encouraged to “download a codec” should be on their guard.

All the malware, adware and potentially unwanted programs from this ranking can be broken down into the main categories of threat. The percentages have not changed significantly compared to November. Self-replicating malicious programs are holding their own at 45%, confirming fears that such programs are becoming more common. The percentage shares of self-replicating and Trojan programs have balanced out, accurately reflecting the current malware landscape.

A total of 38,190 different malicious and potentially unwanted programs were detected on users’ computers in December. This means that the number of ITW threats has decreased somewhat: in December, Kaspersky Lab detected 7,500 fewer than in November (45,690).

What of the malicious programs most commonly detected in infected objects found on users’ computers? The majority of the programs discovered have file-infection capability. One newcomer is Agent.ml (4th position), a Trojan downloader. It includes a small amount of code – a malicious iframe block that’s added at the end of web pages. When the main page is loaded, the one specified in the iframe is loaded as well. In this case, the page contains malicious JavaScript.

Another début in the Top Twenty is the worm Fujack.cf (16th position), a later variant of Fujack.bd, which appeared in October in 19th place and then disappeared from the rankings in November.