Facebook stopped a phishing attack on Thursday, its second day in a row of dealing with a worm on the site that lures people to a fake Facebook page and prompts them to log in.

Unsuspecting Facebook users get a message from a friend urging them to “check this out” and including a link to a Web page that appears to be a Facebook log-in page, but it is a fake site that steals their information when they type in their username and password. The worm also sends a copy of the message to the infected Facebook member’s contacts.

In the latest attack, the Web address was “FBStarter.com.” In Wednesday’s attack, the address was “BAction.net.”

The attacks were stopped within a few hours in each case, said Facebook spokesman Barry Schnitt. He said it was too early to say whether the two phishing attacks are related. “We are investigating,” Schnitt said.

Once Facebook learns of a phishing attack, either by members notifying the company or employees noticing that a URL is being distributed to a lot of people, the company deletes the URL from members’ pages, blocks fresh postings, and removes the redirect to the URL that appears in e-mail messages, Schnitt said.

Facebook also goes in and resets the passwords of member accounts that had been used to distribute the spam, he said.

The company also alerts anti-fraud partner MarkMonitor, which passes the phishing URL on to the major browsers to block it and contacts ISPs to take the site down, according to Schnitt.

To protect against phishing scams, Facebook users should make sure that the URL they are visiting says “www.facebook.com.” If it doesn’t use that domain it’s likely to be spam. Also, members that are already logged in to Facebook will not be asked to log in again.

“People should have a healthy dose of suspicion, and ask themselves ‘why did I get logged out?’” Schnitt said. “If something looks a little strange you should check the address bar.”

Facebook users who think they have been affected by the scam should change their passwords and review their Facebook stream for any unauthorized changes. If they use their Facebook password for other sites, they should change those passwords as well.

And if they are using their Facebook authentication to log in to any other sites, they should check for any unauthorized changes on those sites.

Source: CNN

Twitter has been given the all clear after a worm infected “tens of thousands of users”. But experts say the attack could have been much worse.

Over the weekend, a self-replicating computer program, or worm, began to infect profiles on the social network.

The worm was set up to promote a Twitter rival site, showing unwanted messages on infected user accounts.

Michael Mooney, a 17-year-old US student, told the Associated Press he created the worm to promote his site.

Mooney, who lives in Brooklyn, New York, said he wanted to expose vulnerabilities in Twitter. He told AP: “I really didn’t think it was going to get that much attention, but then I started to see all these stories about it and thought, ‘Oh, my God’.”

The worm worked by encouraging users to click on a link to the rival Twitter site, called StalkDaily.com.

Once the link was clicked, infected users themselves automatically began to send out messages to friends, promoting the site.

No personal or sensitive information, such as passwords, was compromised in the attacks, according to Twitter, which has more than seven million users.

Mikko H Hypponen, chief research officer at security specialists F-Secure, told BBC News the attack could have been much worse.

“All the problems stayed on Twitter. Even if you were infected, nothing happened to your computer.

“It would have been simple to integrate a web browser exploit into this so that you could have done anything you wanted to the infected computer, including recording all keyboard strokes and capturing credit card details.”

Mr Hypponen said he was surprised that the vulnerability had been present in Twitter.

“It was a very basic vulnerability. Similar holes were found in other web social services, such as MySpace and Facebook, quite a while ago.

“I guess Twitter has learned its lesson.”

‘On alert’

In a blog posting on Monday, Twitter co-founder Biz Stone said: “We are still reviewing all the details, cleaning up, and we remain on alert.”

In all, there were four waves of attacks on Twitter.

The website said it had deleted almost 10,000 tweets, or messages, that could have continued to spread the worm.

Mr Hypponen said F-Secure had monitored at least one variant of the worm attack, using a link in a message that pledged to clear up the problem. It had been clicked on at least 18,000 times.

“We would estimate that tens of thousands of users were infected.”

He added: “The root cause for these problems is that social networks are interactions with other people and we inherently trust the messages from people we know in real life or virtually.

“So when you get a message from someone on Twitter you trust it because in real life fake messages like this rarely happen.”

Twitter has promised to conduct a “full review of the weekend activities”.

Researchers have discovered another feature of the Conficker worm that provides an additional clue about the intent of the creators–the worm installs malware that masquerades as antivirus software, Trend Micro said on Friday.

The worm, which has infected millions of Windows-based computers on the Internet, is downloading a program called Spyware Protect 2009 and displaying warning messages saying that the computer is infected and offering to clean it up for $49.95, according to the Trend Micro blog.

The infection alerts repeatedly appear and experts are worried that people may be clicking on them and paying for the software just to be rid of the annoying messages, thereby handing thieves their credit card information.

The fake antivirus program also attempts to install a Trojan downloader that is programmed to download new versions of Spyware Protect 2009, according to Kasperky Lab’s blog. However, the domain the Trojan downloader was being accessed from has been shut down, the blog said.

The fake antivirus feature further bolsters the speculation that the motivation behind the worm is to make money and not a desire to disrupt computer or network operations.

Researchers were still analyzing new component code of the worm that began being spread via peer-to-peer and being downloaded off domains that host the Waledec worm on Wednesday but were finding the task difficult because the instructions are encrypted.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords. The worm disables security software and blocks access to security Web sites.

Despite all the news the worm has made, many computers still remain unpatched, Sophos said. Of the number of people who have used Sophos’ free endpoint assessment test to check the security risk of a network since the beginning of the year, 11 percent did not have the Microsoft patch installed, according to Graham Cluley’s blog at Sophos.

For the month of March, 10 percent of all of the people who used the Sophos assessment tool were missing the patch, he said. The company did not divulge exactly how many people had used the tool and Cluley said the statistics cannot be extrapolated to represent the number of unpatched systems on the Internet.

In an indication of infection rates, IBM’s Internet Security Systems group released statistics that show that the number of unique IPs infected with Conficker.C is increasing slightly.

Based on infections seen through monitoring devices in its IBM ISS’ Managed Security Services, the number has grown from just over 64,000 on April 2 to more than 71,000 on April 8, according to the unit’s Frequency X blog.

“We’ve seen around 11 percent more unique IPs in the past few days in comparison to a week ago,” the blog said, also adding that the number doesn’t necessarily indicate the scope of worldwide Conficker infection.

Nearly 60 percent of the infections monitored by IBM ISS are in Asia, followed by 18 percent each in Europe and South America, and 4 percent in North America, the statistics show. By country, China leads with 16.6 percent, followed by Brazil at 10.8 percent, Russia at 10.2 percent and Korea at 4.6 percent, according to ISS.

To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn. There is also a Conficker removal guide on CNET’s Download.com site.

Source: CNET News – by Elinor Mills

PDT with the information provided by BKIS that its free version of BKAV antivirus software can remove the worm from any infected computer.

There’s been a lot of fuss about theConficker worm. However, there is a $250,000 question: the origin of the virus.

This is the amount Microsoft is putting up as a reward for any information leading to an arrest related to the case. Folks at BKIS, a Vietnamese security firm that makes the BKAV antivirus software, announced Monday that they found clues that the virus may have originated from China. Previously, there were rumors that it might have been from Russia or Europe.

The firm’s conclusion is based on its analysis of the virus’ coding. It found that Conficker’s code is closely related to that of the notorious Nimda, a virus that wreaked havoc on the Net and e-mail in 2001. At that time, BKIS determined that Nima was made in China based on the firm’s own data.

It’s important to note that the origin of Nimda was never verified. Though Nimda contained text indicating that it may have originated from China, this is in no way hard evidence.

Even if this finding of BKIS is credible, this is hardly good news as it’s still really far from helping the authority lay their hands on whomever responsible for creating the virus. What it does help, if any, is to narrow down on where to block the return of the virus.

Conficker is a very sophisticated worm that took advantage of a security hole mentioned in this Microsoft bulletin. The hole affected all 32-bit and 64-bit Windows operating systems even those with latest service packs. The hole allowed the virus to infect the computer without any user interaction via the Internet, local network or USB thumb drives. Once infected, it stops the computer’s security services as well as Windows update service and disabled tools and software designed to remove it. Apart from that, the worm also allows the creator to remotely install other malicious codes on the infected computer.

Consequently, the worm is programed to update itself from domains it randomly generates. By April 1, the mount of domains the worm generates and goes to to find update could grow to 50,000 a day. The owner of the virus only needs to use one of these domains to host the update. This makes it virtually impossible for authorities to track the source of the update.

Microsoft and Conficker Cabal, a Microsoft-led ad hoc partnership created to fight against Conficker worm, have been able to contain about 13 percent of these domain names, a number far from reassuring.

According Quang Tu Nguyen, CEO of BKIS, there’s also a chance that the worm might never return if the owner of the worm, for one reason or another, decides not to continue updating it or fails to do so. However this is unlikely. Quang also suggests that the next outbreak of the virus might not necessarily be on April 1 as widely speculated but rather on any day. The firm does believe that the worm would likely seek to update itself on the April 1.

While this seems worrisome, the update of the virus will only take place on computers that have already been infected with one of Conficker’s variants and are connected to the Internet. Currently, the number of infected systems are estimated to be around ten million worldwide.

Fortunately, it’s relatively easy to determine whether your computer is infected. Vu Ngoc Son, manager of BKIS’ research center, provided a simple way for you to find out if your computer is one:

First, make sure your computer is connected to the Internet by going to a Web site such as Google or CNET. Then if your computer can also successfully go to Web sites of Microsoft and known security companies, such as Symantec, McAfee, TrendMicro, Sophos, Panda, and you can also run Windows Update successfully, then your computer is clear from Conficker.

On the other hand, if the computer fails to do any of those, it’s likely that it has already been affected. In this case, try to follow this instruction to remove it or use BKIS’ antivirus software that can be downloaded for free. As a last resort, you can also backup your data and install Windows from scratch, then immediately run Windows Update to install the latest security patches.

Note that even when your computer is currently clean, it doesn’t mean you won’t get infected, this would depend on what the next update of the worm does. Rule of thumb is make sure you keep protection software on your computer updated and keep the system current with Microsoft Update. The are many free and effective antivirus software that you can find at Download.com

As the current work against the Conficker is mostly damage control, if everybody makes sure that their computers are free of the virus and updated to Microsoft’s latest patch, that would actually be the sure way to eliminate another outbreak.

Source: CNET News – by Dong Ngo

They’re rapidly becoming household words for personal computer owners.

Various major newspapers and television news shows reported Friday morning that the latest computer worm might now infect as many as 10 million computers worldwide.

According to a report in the Detroit Free Press, the worm is so virulent because it seems to “mutate” and launch “brute force attacks” that relentlessly try thousands of letter and number combinations in codes to steal personal passwords and login information.

Because most computer users choose passwords that they can remember easily, the words might also be something the worm can guess easily. Once in control of a computer the worm can launch spam, phishing attacks, shut down the Internet with massive traffic or access bank records.

According to F-Secure, an antivirus software company, the Conficker worm is spreading at a rate of 1 million new machines a day. It can be spread by USB stick also.

F-Secure has updated its Downadup removal tool, and the United States Computer Emergency Readiness Team has issued Alert TA09-020A, which describes how to disable AutoRun on Microsoft Windows systems in order to help prevent the spread of Conficker/Downadup via USB drives.

According to Symantec, the top infected countries in order of infection are: China, 28.7 percent; Argentina, 11.3 percent; Taiwan, 6.7 percent; Brazil, 6.2 percent; India, 5.8 percent; Chile, 5.2 percent; Russia, 5 percent; Malaysia, 2.8 percent; Columbia, 2.1 percent; and Mexico, 1.9 percent.

Philip Templeton of PT Technologies in Athens said everyone should keep his or her virus protection and software updates current.

“I have seen in the last four to six months more people getting viruses,” said Templeton. “But no matter what antivirus software you buy, nothing is 100 percent. Make sure your Windows Firewall is on, and it doesn’t hurt to change passwords periodically. I usually advise to make this a quarterly chore.”

Source: By Karen Middleton