Hi all. You may want to be ready for a *possible* support lines flood today.
Yesterday I discovered a fast-spreading Facebook worm. It spreads by sending messages to all your Facebook friends, from your account, asking them to click on a link in the .pl ccTLD.
This worm is somewhat similar to zlob, here is a link to a Kaspersky paper on a previous iteration of it, they call it koobface: http://www.kaspersky.com/news?id=207575670
The worm collects spam subject lines from, and then sends the users' personal data to the following C&C: zzzping.com
I spoke with DirectNIC last night and the Registrar Operations (reg-ops) mailing list was updated that the domain is no longer reachable. That was very fast response time from DirectNIC, which we appreciate.
The worm is still fast-spreading, watch the statistics as they fly: http://www.d9.pl/system/stats.php
The Facebook security team is working on this, and they are quite capable. The security operations community has been doing analysis and take-downs, but the worm seems to still be spreading.
All antivirus vendors have been notified, and detection (if not removal) should be added within a few hours to a few days.
For now, while users may get infected, their information is safe (unless the worm has a secondary contact C&C which I have not verified yet).
It seems like some users may have learned not to click on links in email, but any other medium does not compute.
Gadi.
Gadi,
Please take a few moments to reflect on: http://www.nanog.org/endsystem.html
I'd appreciate it if you'd try and keep future off-topic postings like this to a minimum, as it makes the list difficult to wade through to get to what matters.
Regards,
Paul
(not currently MLC, though I promise to put you in your place once the SC affords me the privilege :)
On Thu, Aug 7, 2008 at 12:44 AM, Gadi Evron <ge@linuxbox.org> wrote:
Hi all. You may want to be ready for a *possible* support lines flood today.
Yesterday I discovered a fast-spreading Facebook worm. It spreads by sending messages to all your Facebook friends, from your account, asking them to click on a link in the .pl ccTLD.
This worm is somewhat similar to zlob, here is a link to a Kaspersky paper on a previous iteration of it, they call it koobface: http://www.kaspersky.com/news?id=207575670
The worm collects spam subject lines from, and then sends the users' personal data to the following C&C: zzzping.com
I spoke with DirectNIC last night and the Registrar Operations (reg-ops) mailing list was updated that the domain is no longer reachable. That was very fast response time from DirectNIC, which we appreciate.
The worm is still fast-spreading, watch the statistics as they fly: http://www.d9.pl/system/stats.php
The Facebook security team is working on this, and they are quite capable. The security operations community has been doing analysis and take-downs, but the worm seems to still be spreading.
All antivirus vendors have been notified, and detection (if not removal) should be added within a few hours to a few days.
For now, while users may get infected, their information is safe (unless the worm has a secondary contact C&C which I have not verified yet).
It seems like some users may have learned not to click on links in email, but any other medium does not compute.
Gadi.
[top-posting]
Now that this worm has been somewhat balked, I'd like to thank the membership for your patience with this off-topic post. I realize it is probably as annoying to some as it was useful to others.
My thinking was that on the rare occasion when we can anticipate *possible* and *serious* floods and bottle-necks at ISP tech-support lines, across multiple providers and regions, we should share that information. NANOG remains the best place for such information sharing.
While I realize this mailing list is mostly about network operations and less about ISP operations, we had a discussion in the past where we have seen some in our community do use this information effectively and find it useful.
This is a rare occasion indeed, but an explanation and an apology were in order.
Thank you,
Gadi.
On Wed, 6 Aug 2008, Gadi Evron wrote:
Hi all. You may want to be ready for a *possible* support lines flood today.
Yesterday I discovered a fast-spreading Facebook worm. It spreads by sending messages to all your Facebook friends, from your account, asking them to click on a link in the .pl ccTLD.
This worm is somewhat similar to zlob, here is a link to a Kaspersky paper on a previous iteration of it, they call it koobface: http://www.kaspersky.com/news?id=207575670
The worm collects spam subject lines from, and then sends the users' personal data to the following C&C: zzzping.com
I spoke with DirectNIC last night and the Registrar Operations (reg-ops) mailing list was updated that the domain is no longer reachable. That was very fast response time from DirectNIC, which we appreciate.
The worm is still fast-spreading, watch the statistics as they fly: http://www.d9.pl/system/stats.php
The Facebook security team is working on this, and they are quite capable. The security operations community has been doing analysis and take-downs, but the worm seems to still be spreading.
All antivirus vendors have been notified, and detection (if not removal) should be added within a few hours to a few days.
For now, while users may get infected, their information is safe (unless the worm has a secondary contact C&C which I have not verified yet).
It seems like some users may have learned not to click on links in email, but any other medium does not compute.
Gadi.
Gadi Evron wrote:
My thinking was that on the rare occasion when we can anticipate *possible* and *serious* floods and bottle-necks at ISP tech-support lines, across multiple providers and regions, we should share that information. NANOG remains the best place for such information sharing.
I agree.
While I realize this mailing list is mostly about network operations and less about ISP operations, we had a discussion in the past where we have seen some in our community do use this information effectively and find it useful.
ISP operations are network operations. Fast spreading worms with remediation through DNS configuration that may affect tech-support costs are obviously network related.
Gadi Evron wrote:
While I realize this mailing list is mostly about network operations and less about ISP operations, we had a discussion in the past where we have seen some in our community do use this information effectively and find it useful.
Thing is, I had already heard about the facebook worm via my other sources of info (and a day earlier); same as anyone else who is paying attention to such subjects did.
When info like this is spread across multiple lists/sites, the second and subsequent times it is noise instead of signal.
I lurk on nanog because of what it focuses on. Turning nanog into a rehash of digg's technology section or the front page of news.com reduces nanog's utility.
--Patrick
On Aug 8, 2008, at 9:48 AM, Laurence F. Sheldon, Jr. wrote:
Patrick Giagnocavo wrote:
Turning nanog into a rehash of digg's technology section or the front page of news.com reduces nanog's utility.
As does the days and days of rehash of one of Gadi's postings.
And all of this BS is even *more* off topic than folks are claiming Gadi's post was. This list goes off topic all the time, at least Gadi's post was technical.
On Fri, Aug 8, 2008 at 12:56 PM, brett watson <brett@the-watsons.org> wrote:
On Aug 8, 2008, at 9:48 AM, Laurence F. Sheldon, Jr. wrote:
Patrick Giagnocavo wrote:
Turning nanog into a rehash of digg's technology section or the front page of news.com reduces nanog's utility.
As does the days and days of rehash of one of Gadi's postings.
And all of this BS is even *more* off topic than folks are claiming Gadi's post was. This list goes off topic all the time, at least Gadi's post was technical.
Not only was his post technical, it was relevant to operator revenue. "Application" doesn't take these calls, the network operators do. I can't think of a more relevant NANOG post of late. Saving us a headache by predefining an issue seems quite on topic to me. FWIW. YMMV.
-M<
[ No offense towards "Application" intended.]
On Sat, 9 Aug 2008, Martin Hannigan wrote:
On Fri, Aug 8, 2008 at 12:56 PM, brett watson <brett@the-watsons.org> wrote:
On Aug 8, 2008, at 9:48 AM, Laurence F. Sheldon, Jr. wrote:
Patrick Giagnocavo wrote:
Turning nanog into a rehash of digg's technology section or the front page of news.com reduces nanog's utility.
As does the days and days of rehash of one of Gadi's postings.
And all of this BS is even *more* off topic than folks are claiming Gadi's post was. This list goes off topic all the time, at least Gadi's post was technical.
Not only was his post technical, it was relevant to operator revenue. "Application" doesn't take these calls, the network operators do. I can't think of a more relevant NANOG post of late. Saving us a headache by predefining an issue seems quite on topic to me. FWIW. YMMV.
-M<
At least unlike blackworm, this one's damage could be measured. Gadi.
On Fri, Aug 8, 2008 at 5:33 PM, Patrick Giagnocavo <patrick@zill.net> wrote:
Gadi Evron wrote:
While I realize this mailing list is mostly about network operations and less about ISP operations, we had a discussion in the past where we have seen some in our community do use this information effectively and find it useful.
Thing is, I had already heard about the facebook worm via my other sources of info (and a day earlier); same as anyone else who is paying attention to such subjects did.
When info like this is spread across multiple lists/sites, the second and subsequent times it is noise instead of signal.
He's ruining Nanog, just so he can get self glorification and self gratification in himself as some kind of leader of internet security industry when he really is just a sad fat person who is a nobody. All the best, n3td3v
On Fri, Aug 08, 2008 at 10:27:33PM +0100, n3td3v wrote:
He's ruining Nanog, just so he can get self glorification and self gratification in himself as some kind of leader of internet security industry when he really is just a sad fat person who is a nobody.
All the best,
Clearly not.
Moderators? Personal attacks are off topic, right?
Cheers,
-- jr '"self gratification in himself". furrfu' a
--
Jay R. Ashworth | Baylink | jra@baylink.com
Designer | The Things I Think | RFC 2100
Ashworth & Associates | http://baylink.pitas.com | '87 e24
St Petersburg FL USA | http://photo.imageinc.us | +1 727 647 1274
Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Josef Stalin)
On Sat, Aug 9, 2008 at 2:33 AM, Patrick Giagnocavo <patrick@zill.net> wrote:
Turning nanog into a rehash of digg's technology section or the front page of news.com reduces nanog's utility.
--Patrick
Are you saying that all network professionals should read digg or news.com? :-) Btw, slashdot seemed to have missed it.
participants (10)
- brett watson
- Gadi Evron
- Jay R. Ashworth
- Kelvin Chu
- Laurence F. Sheldon, Jr.
- Martin Hannigan
- n3td3v
- Patrick Giagnocavo
- Paul Wall
- William Allen Simpson