Code Shikara (Worm)

''Code Shikara'' is a computer worm, related to the Dorkbot family, that attacks through social engineering.


Timeline

In 2011, the Code was first identified by the Danish cyber security company CSIS. The AV company Sophos reported in November 2011 that this threat mainly spreads itself through malicious links on the social network Facebook. In 2013, Bitdefender Labs caught and blocked the worm, which is capable of spying on users' browsing activities while stealing their personal online/offline information and/or credentials, commonly known as cybercrime.

The infection was originally flagged by the online backup service MediaFire, which detected that the worm was being distributed camouflaged as an image file. Despite the misleading extension, MediaFire successfully identified the malicious image as an .exe file. The malicious Shikara Code poses as a .jpeg image but is in fact an executable file. As an IRC bot, the malware is operated by the attackers directly from a command and control server. Besides stealing usernames and passwords, the bot herder may also order additional malware downloads. MediaFire then took steps to address incorrect and misleading file extensions in an update, which identified specific file types and displayed a short description of them. To help users against this specific threat, the file sharing service also blocked files with double extensions, such as .jpg.exe, .png.exe, or .bmp.exe. Like typical malware, Backdoor.IRCBot.Dorkbot can update itself once installed on the victim's computer or other related devices.

The biggest risk is that one of someone's Facebook contacts may already have had their account compromised (due to sloppy password security, or to granting access to a rogue application) and that the account user is lured into clicking on a link seemingly posted by one of their friends. Although the links pretend to point to an image, in truth a malicious screensaver is hidden behind an icon of two blonde women. After the code is launched it attempts to download further malicious software hosted on a specific compromised Israeli domain. The malware is currently not present on the Israeli website. All that remains is a message seemingly from the intruders, that says:

: Hacked By ExpLodeMaSTer & By Ufuq

It is likely that they are using additional or other websites to continue spreading their cyber attack(s). Some other popular baits tricking users into clicking on malicious links include Rihanna or Taylor Swift sex tapes.
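The two defensive checks described above, blocking double extensions such as .jpg.exe and recognising an "image" whose bytes are really a Windows executable, written out as an added example (not code from the article or from MediaFire). The file extensions, magic-byte signatures and sample uploads are constructed for illustration:

```python
import os
from typing import List, Optional

# Extensions the page names: the image types the lure claims and the executable types it really is.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".bmp"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}

# Leading bytes ("magic") that a genuine image of each type begins with.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".bmp": b"BM",
}

def has_double_extension(name: str) -> bool:
    """True for names like 'img.jpg.exe': an image extension hiding before an executable one."""
    base, last = os.path.splitext(name.lower())
    inner = os.path.splitext(base)[1]
    return last in EXEC_EXTS and inner in IMAGE_EXTS

def content_mismatch(name: str, head: bytes) -> Optional[str]:
    """Reason string when the file's first bytes contradict its claimed image extension."""
    ext = os.path.splitext(name.lower())[1]
    if ext not in IMAGE_MAGIC:
        return None  # not claiming to be an image; nothing to compare against
    if head.startswith(b"MZ"):
        return f"{name}: claims {ext} but begins with the MZ header of a Windows executable"
    if not head.startswith(IMAGE_MAGIC[ext]):
        return f"{name}: claims {ext} but magic bytes do not match"
    return None

def classify(name: str, head: bytes) -> List[str]:
    """Collect every detection reason for one upload (filename plus its first bytes)."""
    reasons = []
    if has_double_extension(name):
        reasons.append(f"{name}: double extension")
    mismatch = content_mismatch(name, head)
    if mismatch:
        reasons.append(mismatch)
    return reasons

# Constructed sample uploads (filename, first bytes): one real JPEG, two disguised executables.
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("photo.jpg.exe", b"MZ\x90\x00\x03\x00"),
    ("picture.jpeg", b"MZ\x90\x00\x03\x00"),
]
```

Running `classify` over `SAMPLES` flags the two disguised executables and leaves `holiday.jpg` clean; the magic-byte check catches the case where the uploader dropped the tell-tale second extension entirely.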


Statistics

* ''Niger:'' According to information from the Kaspersky Cybermap, Shikara Spam Code was ranked number 1 in Niger in April 2017.
* Code Shikara mainly circulates in the following countries (statistics as of April 22nd 2017):
: Afghanistan (81.27%)
: Romania (78.58%)
: Algeria (78.56%)
: India (78.46%)
: Niger (77.51%)
: Turkey (75.49%)


See also

* Alert (TA15-337A)
* Computer worm
* Dorkbot (malware)
* Malware


External links


* Alert (TA15-337A) @ United States Computer Emergency Readiness Team (''US-CERT'')
* Technical information @ Microsoft
* Microsoft assists law enforcement to help disrupt Dorkbot botnets @ technet.microsoft.com