First PipeLine Worm into AOL then Heart Worm winds way into MSN

Posted in Security, Technology by wayne.porter on September 25th, 2006

Last week was interesting and exhausting- literally I fell asleep at the keyboard. First we had the Pipeline Worm (Official Release), then the Heart Worm (Official Release). Back to back diggs and slashdots take their toll.

On the Heartworm…

Chris Boyd said: “The perpetrators have made a calculated move to tie this attack into numerous Web hoaxes, possibly to confuse infected users looking for help online,” said Chris Boyd, director of malware research for FaceTime Security Labs. “Not only do they open up an image of a heart from a site dedicated to tackling online hoaxes, they also apparently named the attack after another online hoax — a virtual card for you — that has been in circulation since 2000. In this case, you really do receive a virtual card, but with a nasty additional ‘bonus.’”

and I add, “Wayne Porter, senior director of special research at FaceTime Security Labs comments, ‘This is a form of cultural camouflage which we call “hoax cloaking.” It is a defensive construct that adopts the very lore, memes, myth and culture of the Internet to serve as a self-preservation and cloaking mechanism. People using trusted search engines to verify the message will find most reputable security companies and hoax-debunking sites confirm it as a myth and disregard it as harmless.’”

Yeah- many have asked just what is “special research”. I really can’t say….but “hoax cloaking” is one of those instances you might see me called in.

Really not surprising, but pretty amazing on how well they tied back the attack to the hoax, actually using the good guy’s site in the attack. Panda also noted this same sort of behavior in a similar attack hours before, only it came via e-mail, thus they had no worm to dissect. Would like to meet up with the guys at Panda and see if the names are the same.

Oh gee- two security posts in a row…and I think a third is forthcoming. Back to the grindstone…this was meant to be a personal blog with occasional professional comment.

If you want more color on these particular worms check out the Greynets Blog

Pipeline Worm

HeartWorm.A


Ars Technical Security
