[Hidden-tech] Beware the Facebook thingy-dingy redux

Michael Billingsley michaelb at sover.net
Wed Dec 30 14:01:52 EST 2009


Just a note that - I was my own guinea pig.  I presumed that the  
Chilean source-server was identical to the Romanian one, so rather  
than dangerously clicking on the URL in the email (which would have  
obviously handed my computer to the "loader") I went instead to the  
domain server directly, to see if it also self-identified as being  
slaved to TeamViewer software.

Rather than just say so (which the Romanian server did) it
proceeded... while showing a blank screen... "load"   I immediately
yanked my Ethernet cable and killed the page, with hopes that it
didn't get its packet into my machine and was only able to use those
few seconds to scan for my Operating System (OS).   However, for a
modern computer a few seconds are aeons and enable multiple
back-and-forth conversations and exchanges of data.  Certainly it got my
machine ID and domain address for future reference... not a good thing.

My laptop (from which I'd done this... with all firewalls up and all
external drives disconnected) immediately began to act a little
dodgy.  The rest of the afternoon was marked by a duplicate
RealPlayer Downloader jumping in and acting in tandem (in other words
- duplicating and parallel downloading) every clip I encountered on
the Internet for the rest of the afternoon, i.e. newsfeeds.   So I
drilled down into my own applications and discovered a new version of
RealPlayer had been loaded, lacking the proper shell but still very
functional.  With some effort I rooted it out plus its
accessory-after-the-fact RealPlayer downloader.   Mind you, I'm on a
Mac... so this again points to the fact that this entire gambit is very
well-financed, sophisticated and probably for some higher (meaning more
nefarious) ends than simply generating spam for somebody.

Given that the Facebook "clickjacking" attack involved forcing a
short movie clip down the Internet into the waiting arms of the duped
consumer (who sees it as a reward for successfully connecting to a
"friend") it makes sense that this is the form the toxic software
trojan has taken.  If any of you got the faked email and innocently
visited the Facebook "security update" page in the past, check your
RealPlayer for duplicates.  (Not finding one does not mean you are
scot-free, it may have dumped your old version for itself.) The best
strategy might be to uninstall all RealPlayer-related software and
re-install directly from REAL... if you can.

I had pulled up my Activity watching software and noticed unnecessary  
activity out of RealPlayer, which went away after I put the offender  
into the trash.  However, I don't trust that I've gotten the last  
dregs of the worm out... so I printed out an activity log from noon  
yesterday to midnight yesterday (via the Mac utility called  
"Console") and will take it to a super-savvy friend for analysis.   
There seem to be an inordinate number of partially-loaded pages and  
inappropriate (rejected) commands and calls during a narrow timeslot  
in the afternoon which roughly coincide with the dropping-in of that  
toxic packet.  What a difference a few seconds make.

Beware, beware.  There seems to be badness afoot and I suspect the  
other shoe is yet to drop.

Michael Cerulli Billingsley
Straight Arrow Recordings
802-254-3975/380-6408
The Cotton Mill, Brattleboro, Vermont
Location Recording - CD Mastering - Sound Solutions/FX


On 30 December 09, at 11:02 AM, Lisa Sieverts wrote:

> Thank you, Michael, for sharing this valuable information.
> Lisa
>
> On Tue, Dec 29, 2009 at 11:05 PM, Michael Billingsley  
> <michaelb at sover.net> wrote:
>   ** Be sure to fill out the survey/skills inventory in the  
> member's area.
>   ** If you did, we all thank you.
>
>
>
> Dear H-T'ers
>
> I appreciate the sincere attempts to "decode" my first post on this
> subject, and the heartfelt and sage advice that A) one should never
> give one's password to an unknown respondent and B) one should
> avoid visiting websites masquerading as one's favourite social
> networking provider, asking you to re-set or provide personal
> information.
>
> All well and good.
>
> My notice was that the original "faked" Facebook member
> security-upgrade announcement was sourced by a server in Romania...
> pre-loaded with PC-jacking software... may have escaped attention, but
> I will reiterate.   Now that same "crew" of criminals has re-sent a
> second round of bogus and equally high-quality "upgrading your
> Facebook security" notices on Christmas Day - this one sourced
> (ultimately) from a server in Chile.  Again the package was very
> high-class... and any visitor to that website just to see what it
> might be about immediately will be sniffed (to determine your OS)
> and then become loaded with a software packet.  No asking for
> passwords.  No security questions.  Just simply visiting the
> webpage will lead to your computer being compromised.
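The two checks Michael describes in the message above (looking for a second copy of an application that should only exist once, and pulling the noisiest process out of an afternoon's Console log) can be scripted. The POSIX shell script below is an added example for this archive page; it is not code from the post, from the Hidden-tech list, or from RealPlayer or Apple. It assumes the classic syslog-style Console line layout ("Mon DD HH:MM:SS host process[pid]: message"), process names without spaces, and the application folders /Applications and ~/Applications; the log lines it contains are constructed for illustration, not taken from the author's machine.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Two checks a Mac user might run after a suspected drive-by install:
#   1. list application bundle names that appear in more than one of the
#      given folders (a second RealPlayer.app in an unexpected place is
#      worth a closer look);
#   2. from a Console/syslog-style log, count entries per process inside a
#      time window on one day and report the noisiest process.
# The log lines at the bottom are constructed for illustration. The parsing
# assumes the classic "Mon DD HH:MM:SS host process[pid]: message" layout
# and process names without spaces (both assumptions, not a general parser).

# Usage: find_duplicate_bundles DIR...
# Prints "Name.app<TAB>count" for every bundle name seen more than once.
find_duplicate_bundles() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for app in "$d"/*.app; do
            [ -e "$app" ] && basename "$app"
        done
    done | sort | uniq -c | awk '$1 > 1 {
        c = $1; $1 = ""; sub(/^ +/, "")
        printf "%s\t%d\n", $0, c
    }'
}

# Usage: busiest_process_in_window MON DAY START END < logfile
# START/END are HH:MM:SS; zero-padded times compare correctly as strings.
# Prints "process count" for the process with the most entries in the window.
busiest_process_in_window() {
    awk -v mon="$1" -v day="$2" -v start="$3" -v end="$4" '
        $1 == mon && $2 == day && $3 >= start && $3 <= end {
            proc = $5
            sub(/\[.*$/, "", proc)   # strip the "[pid]:" suffix
            n[proc]++
        }
        END {
            best = ""; bestn = 0
            for (p in n) if (n[p] > bestn) { best = p; bestn = n[p] }
            if (best != "") print best, bestn
        }'
}

# Constructed sample log: a quiet morning, then repeated rejected requests
# and partial loads from a downloader process during the afternoon.
sample_log() {
    cat <<'EOF'
Dec 29 11:30:12 laptop Safari[233]: page load complete
Dec 29 12:41:05 laptop RealPlayerDownloader[501]: request rejected
Dec 29 12:41:06 laptop RealPlayerDownloader[501]: request rejected
Dec 29 12:41:07 laptop RealPlayerDownloader[501]: partial page load
Dec 29 13:02:44 laptop Safari[233]: page load complete
Dec 29 13:10:00 laptop RealPlayerDownloader[501]: second download started
Dec 29 23:58:59 laptop Safari[233]: page load complete
Dec 30 00:01:00 laptop RealPlayerDownloader[501]: request rejected
EOF
}

# Stand-alone run: check the usual Mac application folders, then tally the
# sample log for the noon-to-midnight window Michael describes.
find_duplicate_bundles /Applications "$HOME/Applications"
sample_log | busiest_process_in_window Dec 29 12:00:00 23:59:59
```

On the sample data the second check reports "RealPlayerDownloader 4" for the afternoon window, which is the kind of clustering the post describes; a real log exported from Console can be piped in the same way. The duplicate-bundle check only reports names that occur in more than one folder, so a single unexpected copy still has to be found by eye.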

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.hidden-tech.net/pipermail/hidden-discuss/attachments/20091230/bcba6fb1/attachment.html 
