The Zombie Awareness Month Computer Survival Guide

by Rick Popko
May 20, 2010 at 12:18 pm

It’s a little known fact that the month of May is actually Zombie Awareness Month. While many pay homage with movie marathons and even by reenacting zombie activities (well, some zombie activities) during pub crawls and horror conventions, we thought we’d give you some life-saving details on how to stop a different kind of zombie… the zombie computer! While an infected zombie computer won’t eat your brains for sustenance, it can still inflict a great deal of pain and misery on computer users.

A zombie computer allows an unauthorized person to gain control over another user’s computer. The infection is typically the result of a hacker, malicious Web site, email or even thumb drive. When the zombie computer is active, it can be found mindlessly roaming cyberspace, receiving commands and carrying out tasks. Commands often include downloading malicious software, spamming and launching distributed denial of service (DDoS) attacks. While older zombies were interested in fame, glory and your computer’s brains, today’s zombies are far more nefarious in that they’re now finding ways to trap your keystrokes in order to gain access into your bank accounts!

This brings us to today’s zombie computer survival guide.

The most likely way a computer becomes infected is by clicking a malicious link. To give you an example of how links can come from anywhere, take a look at the Koobface botnet, which continues to infect Facebook users. That virus was spread through video links sent in Facebook friend messages.

While it’s not always easy to tell when you’ve become infected, sometimes you can pick up clues from other sources such as your friends. In the example of Koobface, it may have sent an infected video link to one of your friends with the caption “LOL, you have to check this video out.” Your friend who received the link may know that:

1. You don’t ever send video links to your friends
2. You never use the term LOL in your texted conversations

In either of these cases, a smart friend will ping you back and ask, “Why did you send this video to me?” If you know you didn’t send a video link to your friend, you can pretty much bet you’ve become infected or that your account has been compromised.

While you can’t kill a zombie computer by shooting it in the head, the best way to disable it and then kill it is to quarantine it (and the best way to do that is to disconnect the suspected zombie from the network). Then run a virus scan, which, if your software is up to date, should find the infection and rub it out.

While real-life zombies aren’t too bright or fast on their feet, zombie computers can be quite devious. Therefore, the best line of defense is to prevent infection in the first place; an initial infection can grow worse over time and, well, you know what happens. And nobody likes a zombie.

Derek Manky contributed research to this report

Author bio: Rick Popko is a PR Manager at Fortinet, where he specializes in media relations. Prior to his career in public relations, Rick was a journalist at a number of Bay Area tech pubs including CNET, Maximum PC, DV, Streaming Media and Multimedia World.

Targeting next generation users on social networks

by Derek Manky
June 18, 2009 at 10:05 am

While the next generation of tech has arguably arrived, it is simply a fact now that social networking sites and the blogosphere have become an integrated part of many people’s lives – some may even call them home (at least to their browsers). In 2008, we predicted the wave of spam that would hit these “Web 2.0” platforms, as they were a natural target for spam to migrate to after years of living inside mass mailers. Indeed, throughout 2008 we witnessed a barrage of attacks on these sites: malicious social applications, “Spam 2.0”, worms such as Koobface, XSS exploits, and various phishing campaigns. Here we are, a year and a half later, and the spam attacks, not surprisingly, continue.

Amongst all of this activity, more platforms with further complexity continue to arise and gain popularity, such as the micro-blogging site Twitter. Naturally, some of the aforementioned attacks have followed as well. One of the effective mechanisms of next-generation worms traversing linked accounts on social networking sites is that malicious links are sent out from one connected contact to another. Since most of these contacts presumably know each other, there is a higher level of trust – and a tendency for any recipient to let their guard down when clicking on these links. Most threat activity we have seen on social networking sites comes from harvested accounts, taken over by worms like Koobface and by phishing campaigns. These accounts are typically used in ad-hoc fashion to blast out messages or invites to their contacts. Mass mailers, now typically hosted on botnets, follow the same pattern: they harvest accounts and send out spam to as many contacts as possible – and have been doing this for a very long time. Enter targeted attacks.

There has been an increasing trend of targeted attacks, ones that are premeditated and delivered to usually only a handful of recipients, if not just one. These are often delivered as poisoned documents that trigger exploits and drop malware such as keylogger trojans. For a detailed investigation, you may read further here. In parallel with the increasing targeted attack front, we have witnessed an increase in document exploit activity. Figure 1 below shows a six-month window of detected activity for commonly exploited document formats: XLS, DOC, and PDF:

[Figure 1: detected exploit activity for XLS, DOC and PDF document formats over a six-month window]

With the number of attacks circulating on next generation platforms, “Web 2.0”, whatever you want to call it – it is only a matter of time until cyber criminals become more aggressive and innovative with their methods. They have already started this transition and are in full swing with targeted attacks through traditional e-mail, so it is likely that they will follow suit and expand their horizons to new channels. Harvested accounts from social networks are primed for targeted attacks, and in theory would be even more effective than the already dangerous targeted attacks through traditional e-mail. This is because of several factors:

  1. Social networks host a wealth of information that would assist in social engineering hooks (think personal information and profiles, messages archived / posted, etc)
  2. User bases have exploded on popular social network sites, and everybody is participating: from end users, celebrities / officials and enterprise (marketing, PR, executives, the list goes on)
  3. Next generation platforms not only support the basic attack vectors that e-mail does (files and malicious links), but offer many more opportunities for attack, innovation and expansion
  4. As I already pointed out, social networking rings / established contacts have a high degree of trust already

The framework is already in place to siphon account credentials with ease, as we have witnessed over the last year. With favored targeted attack methods becoming quite active (Figure 1 – poisoned documents), and ample opportunity on the horizon, suffice it to say that the Internet is indeed a scary and hostile place. Always try to validate the identity of any contact, especially when file attachments or unexpected links are involved.

Author bio: Derek Manky contributes to security research and development while acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure efforts between Fortinet and other vendors.

Spam 2.0 leads Facebook users to Canadian Pharmacy ring

by Guillaume Lovet
May 4, 2009 at 12:01 pm

Our sensors (i.e. our digital media person, a rabid fan of Facebook) caught today some interesting Facebook private messages. One of these, sent by a “Friend” to about 100 of her contacts, consisted of nothing but a domain name, as can be seen below:

Mass Private Message

Fortunately for Daniel, he did not know what to do with it (or he knew, but did not want to); yet other recipients may have recognized a domain name, and entered it in their browser’s address bar, out of curiosity. After all, that’s from Martha, and she usually sends rather funny links.

Of course, the link was not actually from Martha, but rather from a cyber criminal who had compromised her account. Fortunately, contrary to what Martha feared (but one is never too careful, and Martha is wise), the link did not lead to a virus-loaded page, but to a “pharmacy shop” belonging to the infamous “Canadian Pharmacy Ring”, and registered at “Directi Internet Solutions” (the new name of the infamous EST Domains registrar). In a nutshell, a typical case of spam 2.0. But while spamvertizement has happened before on Facebook Walls, and worms such as Koobface did leverage Facebook Private Messages to propagate, to our knowledge this is the first instance of spam being distributed via Facebook Messages.

Another point worth mentioning is that while to Daniel’s eyes (if we assume his reply was ironic) junglemix.in was obviously a domain name, it was not at all the case for Facebook’s filters. We have shown in a previous post how Facebook wraps all URLs featured in messages, so as to retain control over the “clicks” performed by recipients, even if those recipients read the message from their regular email account. This one obviously went under the radar, most likely because it did not feature ‘http://’ or ‘www’, and used a domain extension (.in) that is also a (very) common word.

The consequence is that although Facebook did react fast, deleting the messages in the Facebook inboxes, those which had already reached the regular mailboxes of recipients (most people do have the “forward messages to my email” option enabled) are still there, unwrapped, so Facebook cannot deny access to the link. The downside for criminals, of course, is that it is not clickable.
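The post’s point is that a filter which only looks for ‘http://’ or ‘www’ misses a bare domain such as junglemix.in, while a filter that treats every “word.word” pair as a link would flag ordinary prose. The following is an added example (not Facebook’s filter and not Fortinet’s code) of a small detector that separates obvious URLs from bare domains and only accepts a bare domain when its last label is a known TLD; the TLD set and the sample messages are constructed for the example, junglemix.in being the domain quoted above.

```python
"""Spot bare domain names (no scheme, no 'www') in message text.

Added example, not Facebook's filter or Fortinet's code. The sample
messages are constructed; junglemix.in is the domain quoted in the post.
"""
import re

# Constructed, deliberately small TLD set. A production filter would load
# the IANA root zone or the Public Suffix List instead of hard-coding this.
KNOWN_TLDS = {"com", "net", "org", "info", "in", "ru", "cn"}

# Links most filters already recognise: an explicit scheme or a www. prefix.
OBVIOUS_URL = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

# One or more DNS labels followed by a TLD candidate, standing alone as a word.
BARE_DOMAIN = re.compile(
    r"(?<![\w@.-])"                                   # not glued to a word, e-mail or path
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"    # labels such as 'junglemix.'
    r"[a-z]{2,63}"                                    # TLD candidate such as 'in'
    r"(?![\w-]|\.\w)",                                # a trailing '.' is fine, more labels are not
    re.IGNORECASE,
)


def extract_links(text: str) -> dict:
    """Return {'obvious': [...], 'bare': [...]} for one message body.

    Obvious URLs are removed before the bare-domain scan so that
    'www.example.com' is not reported twice.
    """
    obvious = [m.group(0) for m in OBVIOUS_URL.finditer(text)]
    remainder = OBVIOUS_URL.sub(" ", text)
    bare = [
        m.group(0).lower()
        for m in BARE_DOMAIN.finditer(remainder)
        if m.group(0).rsplit(".", 1)[-1].lower() in KNOWN_TLDS
    ]
    return {"obvious": obvious, "bare": bare}


if __name__ == "__main__":
    # Constructed sample messages: one mimicking the post, two benign ones.
    for body in ("junglemix.in", "please log in now", "see http://www.example.com and pics.example.org"):
        print(repr(body), "->", extract_links(body))
```

The TLD check is what keeps “log in” or “version 1.2” out of the results; the price is that a domain under a TLD missing from the list is not reported, which is why a real deployment must keep that list current rather than hard-coding it as done here.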

Author bio: Guillaume Lovet is the head of Fortinet's FortiGuard security research team in EMEA and a regular speaker at international antivirus conferences.

Facebook’s automatic URL-wrapping: A double-edged sword?

by Guillaume Lovet
March 5, 2009 at 2:13 pm

The Koobface worm, scouring Facebook since last July and making the headlines again this week, is certainly beginning to redesign the concept of “friend.” The “acquaintance from high school you’ve never talked to since you added her/him” might now be the “acquaintance from high school you’ve never talked to since you added her/him and who occasionally sends links to sites loaded with viruses.”

While Koobface has redefined this friendship concept, that’s not the only thing it has redefined: it has also redefined Facebook’s URL redirection policy.

Indeed, URLs used to be left “as is” in friends’ private messages — assuming that they did not lead to a malicious site, of course. This is the very reason why Koobface “first-click URLs” are a mere hop through a reputable site (Google Reader, Google Picasa…), which in turn redirects unfortunate users to the final, malicious site (Facebook is not going to blacklist Google, right?).

Now and then, URLs included in messages are being automatically wrapped up by Facebook, in the following fashion:

URL: http://www.example.com
Wrapped URL: http://www.facebook.com/l.php?u=http://www.example.com

The latter is called a “web redirector.” Upon clicking on the wrapped URL, users “go through” Facebook before reaching the final destination (here, www.example.com). What is really the point of force-wrapping URLs in redirectors? Simple: friends’ messages are not only sent to the recipient’s Facebook account within the site, but are also e-mailed to the recipient’s external mailbox (Gmail, Hotmail, Yahoo Mail, etc.). Wrapping URLs in redirectors therefore allows Facebook to track clicks even when they are performed from the recipient’s external mailbox.

In our precise case, this serves a security purpose: even once malicious messages have been successfully emitted, users happily journeying toward the malicious final site from their mailbox can still be stopped at the redirector level.

It does make some sense. One may very well wonder if the cure is not worse than the disease, however. Indeed, web redirectors raise multiple security issues, which have been known since at least 2003 and have many times generated indignation in the ranks of the security industry.

Simply put, open web redirectors allow spammers, phishers, fraudsters, scammers and other cyber criminals to “wash” their malicious links with the name of a reputable site, fooling URI filters and human users alike.

Indeed, wouldn’t http://www.facebook.com/l.php?u=http://my%2Emalicious%2Esite%2Ecom be more likely to be trusted than http://my.malicious.site.com? This is where it all becomes ironic: since precisely this redirector is meant to wrap malicious links, Facebook might be seen as unwillingly giving an edge to cyber criminals without the latter even being aware of it.
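The wrapped form above fools a URI filter only if the filter judges the link by its visible outer host. As an added example (not Facebook’s code and not Fortinet’s), the block below unwraps a redirector of the `l.php?u=` shape shown earlier, without any network access, and judges the link by its innermost destination; the trusted-host allowlist and the sample links are constructed, with the percent-encoded malicious host taken from the example above. The redirector parameter name `u` is the one visible in the wrapped URL; treating www.facebook.com as the only redirector host is an assumption made for the example.

```python
"""Unwrap a web-redirector link and judge its real destination.

Added example, not Facebook's or Fortinet's code. Redirector host and
parameter name follow the wrapped URL shown in the post; the allowlist
and the sample links are constructed.
"""
from urllib.parse import urlparse, parse_qs

# Constructed allowlist of destinations a hypothetical URI filter trusts.
TRUSTED_HOSTS = {"www.example.com", "example.com"}

# Redirector hosts and the query parameter that carries the real destination.
# Assumption for the example: www.facebook.com/l.php?u=<destination>.
REDIRECTOR_HOSTS = {"www.facebook.com": "u"}


def unwrap(url: str, max_hops: int = 5) -> str:
    """Follow nested redirector wrappers offline and return the innermost URL.

    parse_qs percent-decodes the parameter value once per hop, so a host
    written as my%2Emalicious%2Esite%2Ecom comes out as my.malicious.site.com.
    The hop limit stops a wrapper that points at itself from looping forever.
    """
    current = url
    for _ in range(max_hops):
        parsed = urlparse(current)
        param = REDIRECTOR_HOSTS.get(parsed.hostname or "")
        if param is None:
            return current                      # not a redirector: done
        inner = parse_qs(parsed.query).get(param)
        if not inner:
            return current                      # redirector with no target
        current = inner[0]
    return current


def naive_is_trusted(url: str) -> bool:
    """The mistake the post describes: judging a link by its visible outer host."""
    host = urlparse(url).hostname or ""
    return host in TRUSTED_HOSTS or host in REDIRECTOR_HOSTS


def classify(url: str) -> str:
    """Return 'trusted', 'untrusted' or 'redirector-to-untrusted'."""
    outer_host = urlparse(url).hostname or ""
    final = unwrap(url)
    final_host = urlparse(final).hostname or ""
    if final_host in TRUSTED_HOSTS:
        return "trusted"
    if outer_host in REDIRECTOR_HOSTS and final != url:
        return "redirector-to-untrusted"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample links, including the percent-encoded host from the post.
    for link in (
        "http://www.facebook.com/l.php?u=http://www.example.com",
        "http://www.facebook.com/l.php?u=http://my%2Emalicious%2Esite%2Ecom",
    ):
        print(link, "-> naive:", naive_is_trusted(link), "| unwrapped:", classify(link))
```

The difference between `naive_is_trusted` and `classify` on the second link is the whole “washing” effect: the outer host is reputable, the decoded inner host is not, and only a filter that decodes and unwraps before judging sees it.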

Granted, when going through Facebook’s redirector, users are presented with a message stating:

“You are about to leave Facebook to visit this address: [...] For the safety and privacy of your Facebook account, remember to never enter your password unless you’re on the real Facebook web site.”

Let’s therefore grant Facebook the title of “semi-open redirector.” Yet users are nowadays so inundated with warnings wherever they click that the efficiency of this one may be questioned. Besides, a basic tenet of social engineering (directly inherited from experimental social psychology) is that once the decision to perform the first click has occurred, few events can reverse the process of commitment to reaching the destination.

So, automatic URL-wrapping, a good idea or a double-edged sword forced by Koobface’s pressure?

Author bio: Guillaume Lovet is the head of Fortinet's FortiGuard security research team in EMEA and a regular speaker at international antivirus conferences.