Zerosecurity

New Worm Posting on SNS targeting Hackforums

by Paul Anderson
May 18, 2012 - Updated on May 19, 2012
in Malware, Malware Analysis, Public
vbmania worm gets its finish

Symantec has published a new analysis of a worm that targets hackforums, as well as other sites that could be used to spread it further, such as The Pirate Bay.

W32.Wergimog is a worm that attempts to spread through removable drives and opens a back door. When I looked into its variants, I found an interesting sample, which I named W32.Wergimog.B. Both samples are based on the same source code, but the .B variant contains even more interesting functionality that I would like to detail here.

Injection into legitimate applications

W32.Wergimog.B injects itself into legitimate applications, such as Internet Explorer and Mozilla Firefox, as shown in Figure 1.
Figure 1. Threat injects itself into certain applications and then connects to the Internet

Once it confirms that the applications it has injected itself into have network connectivity, it performs the functions outlined below.

Posting on Social Networking Service (SNS) sites

If a user connects to any of the following SNS sites, the worm is capable of modifying a chat message, status update, or Tweet:

  • Facebook Chat
  • Facebook Wallpost
  • Hi5 Status Update
  • Hyves Status
  • Linkedin Status Update
  • Myspace Status Update
  • Omegle Chat
  • Tweet (Twitter)

Initially, the worm connects to the command-and-control (C&C) server to obtain the content that it posts to the SNS services. At present, we are unable to obtain these posts, but the posting command is called ‘spread’. It is likely, therefore, that the post contains a URL that points to a location where a user might download W32.Wergimog.B or some other malicious program.

This is not the first threat to attempt to spread through SNS sites. W32.Koobface, for example, also applied this approach. While there is an overlap in the sites that both of these worms use to spread, one distinction between the two is that unlike the Koobface family, W32.Wergimog.B does not make its own connection to the SNS servers by itself. Rather, it needs to wait for a user to make a new post and then the worm modifies it.
Account stealing

Another function of the worm allows it to steal user account and password information if a compromised user logs in to any of the following sites:

  • fileserve.com
  • hackforums.net
  • hotfile.com
  • megaupload.com
  • thepiratebay.org
  • uploading.com

It is interesting to note that some of the above sites are file sharing services. It is possible, therefore, that the stolen account information may be used to spread the worm through these download sites, thereby allowing it to spread even further.
Attack on rival threats

An interesting feature of this worm is that it also injects itself into other threats, as shown in Figure 2.
Figure 2. Injects itself into rival threats

The worm contains lists of rival threat names and signatures to determine if the threats exist on the same computer. The following threats are targeted:

  • DarkComet
  • IRCBot
  • Metus
  • RXBot
  • Warbot
  • xvisceral

The following image illustrates rival threat names and their corresponding signatures.
Figure 3. Threat names and corresponding signature "pairs"

After infection the worm hooks network communication on the computer. It then attempts to identify the signatures and end any processes of rival threats that it finds, as can be seen in the image below. This is very similar to how IPS software operates.
Figure 4. Wergimog.B kills processes of any rival threats that it finds

The targeted threats are very prevalent, so it may be that the W32.Wergimog.B author wants to avoid being removed along with them: an increase in malicious network traffic can alert a user that an infection exists.

Sometimes we see a function in a threat that attempts to end the operation of rival threats, but generally speaking such functionality is very simple, for example checking for a specific file path, process name, or registry entry. Conversely, the method employed by W32.Wergimog.B is very reliable: the signatures are very specific, so it can be sure of stopping the rival threats.

In addition, both the original W32.Wergimog and the .B variant have three types of denial-of-service (DoS) attack vectors, which are UDP flooding, SYN flooding, and ‘Slowloris’. A DoS tool called Slowloris was released in 2009 and had a big impact on servers. It targets Apache 1.x, 2.x, and some HTTP servers. It’s a little old now but remains popular. W32.Wergimog variants use the same technique but we don’t know what the relationship is between the original tool and W32.Wergimog variants.
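A defender-side check for the two of those DoS vectors that leave a trace in a server's connection table (SYN flooding and Slowloris-style held-open HTTP connections), written as an added example that is not code from Symantec or ZeroSecurity; the thresholds and the sample connection records are constructed assumptions:

```python
"""Flag SYN-flood and Slowloris patterns in a server-side connection table.

Added example (not the worm's or Symantec's code). Input is the kind of
per-connection view `ss` or `netstat` gives; thresholds are assumptions.
  * SYN flood: many connections from one source stuck in SYN_RECV.
  * Slowloris: many ESTABLISHED connections from one source that stay open
    for a long time while sending almost no bytes (partial HTTP headers).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src_ip: str
    state: str       # e.g. "SYN_RECV", "ESTABLISHED"
    age_s: float     # seconds since the connection was opened
    bytes_in: int    # bytes received from the client so far


SYN_RECV_LIMIT = 50     # assumed per-source threshold
SLOW_CONN_LIMIT = 20    # assumed per-source threshold
SLOW_MIN_AGE_S = 30.0   # a real request rarely holds its headers this long
SLOW_MAX_BYTES = 1024   # and would have sent more than this by then


def classify(conns):
    """Return {src_ip: set(labels)} for sources matching a DoS pattern."""
    syn, slow = defaultdict(int), defaultdict(int)
    for c in conns:
        if c.state == "SYN_RECV":
            syn[c.src_ip] += 1
        elif (c.state == "ESTABLISHED" and c.age_s >= SLOW_MIN_AGE_S
              and c.bytes_in <= SLOW_MAX_BYTES):
            slow[c.src_ip] += 1
    findings = defaultdict(set)
    for ip, n in syn.items():
        if n >= SYN_RECV_LIMIT:
            findings[ip].add("syn_flood")
    for ip, n in slow.items():
        if n >= SLOW_CONN_LIMIT:
            findings[ip].add("slowloris")
    return dict(findings)


def sample_connections():
    """Constructed sample: one SYN flooder, one Slowloris client, normal users."""
    conns = [Conn("203.0.113.5", "SYN_RECV", 1.0, 0) for _ in range(80)]
    conns += [Conn("198.51.100.9", "ESTABLISHED", 120.0, 300) for _ in range(40)]
    conns += [Conn("192.0.2.20", "ESTABLISHED", 0.5, 4096) for _ in range(10)]
    conns.append(Conn("192.0.2.21", "ESTABLISHED", 90.0, 200))  # one slow but legitimate client
    return conns


if __name__ == "__main__":
    print(classify(sample_connections()))
```

A single slow client (192.0.2.21) stays below the per-source count, so only sources holding many such connections are reported.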

These two variants started to appear between April and June 2011, and both of them have continued to be reported on until April of this year. To avoid infection by the W32.Wergimog variants, keep your security products and OS updated. We are continuing to watch out for developments of the W32.Wergimog worm.

Source: http://www.symantec.com

Tags: hackforums, info, malware, Malware Analysis, new, worm
Paul Anderson

Editor in chief at ZeroSecurity. Expertise includes programming, malware analysis, and penetration testing. If you would like to write for ZeroSecurity, please click "Contact us" at the top of the page.

© 2022 ZeroSecurity, All Rights Reserved.