(no subject)
Mar. 27th, 2007 08:55 pm

I found an interesting security-related attack this morning, based on flickr. Technical details are below, if you are so inclined. The short form is: "If someone leaves you a comment and a URL on flickr (or some other social site), and you do not know them, do NOT click on the link."
I started my morning by uploading a set of photos to flickr. Almost immediately, I got a comment from a user that I did not recognize. By itself, that's not unusual. However, what follows triggered my "weirdness" alarms.
The comment read as follows:
"This is such a cool pic, good work! I Love viewing your stream. I Recently constructed a gift for all of my favorite flickr users, you were included, so i would be honored if you can accept it and tell me if you like it or not! Thankyou!"
Then, there was a link. As it turns out, the link was to a Windows executable, but it could just as easily have been to something harder to detect. What I did next is what saved me (or would have, had my system not been Linux, which protected me anyway... from this attack).
Since I didn't know the user, I checked out her profile. Interestingly, none of my photos were tagged as her favorites. Also, I was not listed as one of her contacts. So, if I wasn't someone she knew well enough to keep track of that way, why would she be offering me a "gift"?
I poked a bit further, and found that the file behind the link was on a website having something to do with paintball. That's odd, but not necessarily a bad thing. However, as she did not have any photos about paintball or list paintball as an interest, I became more suspicious. Also, the file was stored at http://site/calendar/ws/PhotoSeries3412459741.exe.
Those who are not in the industry might not know, but this means that it's located within the WebCalendar application, which is not a normal place to store files. Additionally, there have been security problems with older versions of this application, so it was highly likely that the site was hacked.
I downloaded and scanned the executable, and it came back clean. But, to be safe, I decided to contact SANS (an excellent security group), and they helped me to track down the rest of it. It turns out that the exe file is a "trojan dropper". It connects to another site to download the nasty bits. That way, it can bypass antivirus and other security measures.
SANS is contacting the site, and I will be contacting flickr. I suspect that flickr already knows, as they deleted the comment fairly quickly. However, they did not delete it from the RSS feed, which is how I read them. I will let flickr contact the user whose account was hacked.
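The two clues used above (a link that points at an executable, and a file served from inside a web application's directory such as WebCalendar's /calendar/) can be turned into a small triage check for links found in a comment feed. This is an added example, not code from the original post; the comment texts are constructed, "site" is the same placeholder host the post uses, and the list of application directory names is an assumption to be extended for your own environment.

```python
import re
from urllib.parse import urlparse

# Constructed sample comments (not real flickr data); "site" is a placeholder host.
SAMPLE_COMMENTS = [
    "Great shot! http://site/calendar/ws/PhotoSeries3412459741.exe",
    "Nice light in this one.",
    "See more at http://site/photos/album.html",
]

# Extensions a "gift" link from a stranger should never point at.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".zip", ".rar"}
# Directory names belonging to common web applications (assumed list): user files are not
# normally served from inside them. The post's clue was /calendar/ (WebCalendar).
APP_DIRS = {"calendar", "phpbb", "wp-admin", "wp-includes", "phpmyadmin"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def triage_url(url):
    """Return the reasons a URL looks suspicious (empty list means nothing was flagged)."""
    reasons = []
    segments = [s for s in urlparse(url).path.lower().split("/") if s]
    last = segments[-1] if segments else ""
    ext = "." + last.rsplit(".", 1)[-1] if "." in last else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("link points at an executable/archive (%s)" % ext)
    # Only directory segments count, not the file name itself.
    hit = APP_DIRS.intersection(segments[:-1])
    if hit:
        reasons.append("file is stored inside a web application directory (%s)"
                       % ", ".join(sorted(hit)))
    return reasons


def triage_comments(comments):
    """Map every flagged URL found in the comments to its list of reasons."""
    flagged = {}
    for text in comments:
        for url in URL_RE.findall(text):
            reasons = triage_url(url)
            if reasons:
                flagged[url] = reasons
    return flagged


if __name__ == "__main__":
    for url, reasons in triage_comments(SAMPLE_COMMENTS).items():
        print(url)
        for reason in reasons:
            print("  -", reason)
```

A flagged link is a reason to look at the commenter's profile and the hosting site, as the post does, not proof of malice on its own.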