Code Shikara
Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering.
Timeline
In 2011 the Code was first identified by the Danish cyber security company CSIS. The AV-company Sophos reported in November 2011 that this threat mainly spreads itself through malicious links through the social network Facebook.[1][2]
In 2013, Bitdefender Labs caught and blocked the worm, which is capable of spying on users' browsing activities, meanwhile stealing their personal online/offline information and/or credentials, commonly known as cybercrime. The infection was originally flagged by the online backup service MediaFire, who detected that the worm was being distributed camouflaged as an image file. Despite the misleading extension, MediaFire successfully identified the malicious image as an .exe-file. The malicious Shikara Code poses as a .jpeg image but is indeed an executable file. As an IRC bot, the malware is simply integrated by the attackers from a control and command server. Besides stealing usernames and passwords, the bot herder may also order additional malware downloads.
MediaFire has then taken steps to address incorrect and misleading file extensions in an update, which identifies and displays a short description by identifying specific file types. To help users for this specific threat, the file sharing service also blocks files with double extensions, such as .jpg.exe, .png.exe, or .bmp.exe. Just like usual malware, the Backdoor.IRCBot.Dorkbot can update itself once installed on the victim's computer or other related devices.[3]
The biggest risk is that someone's Facebook contacts may have had their account already compromised (due to sloppy password security, or granting access to a rogue application) and that the account user has been allured by clicking on a link seemingly posted by one of their friends.
Although the links pretend to point to an image, the truth is that a malicious screensaver is hidden behind an icon of two blonde women.[4] After the code is launched it attempts to download further malicious software hosted on a specific compromised Israeli domain. The malware is currently not present on the Israeli website. All that remains is a message seemingly from the intruders, that says:[5]
- Hacked By ExpLodeMaSTer & By Ufuq
It is likely that they are using additional or other websites in continuing spreading their cyber attack(s). Some other popular baits tricking users to click on malicious links include Rihanna or Taylor Swift sex tapes.[2][6]
Statistics
- Niger: Due to Information from the Kaspersky Cybermap, Shikara Spam Code has been ranking in April 2017 the Top number 1 in the country of Niger with 77.51 % . Place #2 sits as Linguistic Analysis far behind, with 14.7 % .[7]
- Code Shikara mainly circulates in following Countries (STATISTICS - April 22nd 2017):
- Afghanistan (81.27 %)
- Romania (78.58 %)
- Algeria (78.56 %)
- India (78.46 %)
- Niger (77.51 %)
- Turkey (75.49 % Turkey % per Week !) [7]
See also
References
- ↑ "CSIS - Exceptional threat intelligence".
- 1 2 "Facebook worm poses as two blonde women". 29 November 2011.
- ↑ "Dorkbot Malware Infects Facebook Users; Spies Browser Activities...". 14 May 2013.
- ↑ https://sophosnews.files.wordpress.com/2011/11/facebook-jpg.jpg?w=640
- ↑ https://sophosnews.files.wordpress.com/2011/11/hacked-website1.jpg?w=640
- ↑ "Facebook chat worm continues to spread". 5 December 2011.
- 1 2 "Kaspersky Cyberthreat real-time map".
External links
- Alert (TA15-337A) @ United States Computer Emergency Readiness Team (US-CERT)
- Technical information @ Microsoft
- Microsoft assists law enforcement to help disrupt Dorkbot botnets @ technet.microsoft.com