Code Shikara: Difference between revisions

Content deleted Content added

Inline

Latest revision as of 16:18, 12 June 2024

Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering.

Timeline

In 2011, the Code was first identified by the Danish cyber security company CSIS. The AV-company Sophos reported in November 2011 that this threat mainly spreads itself through malicious links through the social network Facebook.^[1]^[2]

In 2013, Bitdefender Labs caught and blocked the worm, which is capable of spying on users' browsing activities, meanwhile stealing their personal online/offline information and/or credentials, commonly known as cybercrime. The infection was originally flagged by the online backup service MediaFire, who detected that the worm was being distributed camouflaged as an image file. Despite the misleading extension, MediaFire successfully identified the malicious image as an .exe-file. The malicious Shikara Code poses as a .jpeg image, but is indeed an executable file. As an IRC bot, the malware is simply integrated by the attackers from a control and command server. Besides stealing usernames and passwords, the bot herder may also order additional malware downloads.^{[citation needed]}

MediaFire had then taken steps to address incorrect and misleading file extensions in an update, which identified and displayed a short description by identifying specific file types. To help users for this specific threat, the file sharing service also blocked files with double extensions, such as .jpg.exe, .png.exe, or .bmp.exe. Just like usual malware, the Backdoor.IRCBot.Dorkbot can update itself once installed on the victim's computer or other related devices.^[3]

The biggest risk is that someone's Facebook contacts may have had their account already compromised (due to sloppy password security, or granting access to a rogue application) and that the account user has been allured by clicking on a link seemingly posted by one of their friends.^{[citation needed]}

Although the links pretend to point to an image, the truth is that a malicious screensaver is hidden behind an icon of two blonde women. After the code is launched, it attempts to download further malicious software hosted on a specific compromised Israeli domain. The malware is currently not present on the Israeli website. All that remains is a message, seemingly from the intruders, that says:

Hacked By ExpLodeMaSTer & By Ufuq

It is likely that they are using additional or other websites in continuing spreading their cyberattack(s). Some other popular baits tricking users to click on malicious links include Rihanna or Taylor Swift sex tapes.^[2]^[4]

References

^ "CSIS - Exceptional threat intelligence".
^ ^a ^b "Facebook worm poses as two blonde women". 29 November 2011.
^ "Dorkbot Malware Infects Facebook Users; Spies Browser Activities..." 14 May 2013.
^ "Facebook chat worm continues to spread". 5 December 2011.

External links

[1] "CSIS - Exceptional threat intelligence".

[autogenerated1-2] "Facebook worm poses as two blonde women". 29 November 2011.

[3] "Dorkbot Malware Infects Facebook Users; Spies Browser Activities..." 14 May 2013.

[4] "Facebook chat worm continues to spread". 5 December 2011.

[1]

[2]

[3]

[4]

@@ Line 1: / Line 1: @@
+{{short description|Computer worm}}
+{{merge to|Dorkbot (malware)|discuss=Talk:Dorkbot (malware)#Merge proposal|date=June 2024}}
 '''''Code Shikara''''' is a [[computer worm]], related to the [[Dorkbot (malware)|Dorkbot family]], that attacks through [[Social engineering attack|social engineering]].
 == Timeline ==
-In 2011 the Code was first identified by the Danish [[cyber security]] company ''CSIS''. The [[Antivirus software|AV]]-company [[Sophos]] reported in November 2011 that this threat mainly spreads itself through malicious links through the social network [[Facebook]]. <ref>{{cite web|url=https://www.csis.dk/|title=CSIS - Exceptional threat intelligence|publisher=}}</ref><ref name=autogenerated1>{{cite web|url=https://nakedsecurity.sophos.com/2011/11/29/facebook-worm-two-blonde-women/|title=Facebook worm poses as two blonde women|date=29 November 2011|publisher=}}</ref>
+In 2011, the Code was first identified by the Danish [[cyber security]] company CSIS. The [[Antivirus software|AV]]-company [[Sophos]] reported in November 2011 that this threat mainly spreads itself through malicious links through the social network [[Facebook]].<ref>{{cite web|url=https://www.csis.dk/|title=CSIS - Exceptional threat intelligence|publisher=}}</ref><ref name=autogenerated1>{{cite web|url=https://nakedsecurity.sophos.com/2011/11/29/facebook-worm-two-blonde-women/|title=Facebook worm poses as two blonde women|date=29 November 2011|publisher=}}</ref>
-In 2013 the [[Bitdefender Labs]] caught and blocked the worm, which is capable of [[Spyware|spying]] on users' [[Web navigation|browsing activities]], meanwhile stealing their personal online/offline information and/or credentials, commonly known as [[cybercrime]]. The [[Vector (malware)|infection]] was originally waved by the [[online backup service]] ''[[MediaFire]]'', who detected that the worm was being distributed camouflaged as an [[image file]]. Despite the misleading extension, ''MediaFire'' successfully identified the malicious image as an [[.exe]]-file. The malicious ''Shikara Code'' poses as a [[.jpeg]] image but is indeed an [[executable file]]. As an [[IRC bot]], the malware is simply integrated by the [[Security hacker|attackers]] from a [[control and command server]]. Besides stealing [[username]]s and [[password]]s, the [[bot herder]] may also order additional malware downloads.
+In 2013, [[Bitdefender Labs]] caught and blocked the worm, which is capable of [[Spyware|spying]] on users' [[Web navigation|browsing activities]], meanwhile stealing their personal online/offline information and/or credentials, commonly known as [[cybercrime]]. The [[Vector (malware)|infection]] was originally flagged by the [[online backup service]] [[MediaFire]], who detected that the worm was being distributed camouflaged as an [[image file]]. Despite the misleading extension, MediaFire successfully identified the malicious image as an [[.exe]]-file. The malicious Shikara Code poses as a [[.jpeg]] image, but is indeed an [[executable file]]. As an [[IRC bot]], the malware is simply integrated by the attackers from a [[control and command server]]. Besides stealing usernames and passwords, the [[bot herder]] may also order additional malware downloads.{{Citation needed |date=June 2024}}
-''MediaFire'' has then taken steps to address incorrect and misleading file extensions in an [[Patch (computing)|update]], which identifies and displays a short description by identifying specific file types. To help users for this specific threat, the [[file sharing]] service also blocks files with double extensions, such as ''.jpg.exe'', ''.png.exe'', or ''.bmp.exe''. Just like usual [[Goodware]], the [[Backdoor.IRCBot.Dorkbot]] can update itself once installed on the victim's computer or other related [[Peripheral|devices]].<ref>{{cite web|url=https://hotforsecurity.bitdefender.com/blog/dorkbot-malware-infects-facebook-users-spies-browser-activities-and-grabs-data-6165.html|title=Dorkbot Malware Infects Facebook Users; Spies Browser Activities...|date=14 May 2013|publisher=}}</ref>
+MediaFire had then taken steps to address incorrect and misleading file extensions in an [[Patch (computing)|update]], which identified and displayed a short description by identifying specific file types. To help users for this specific threat, the [[file sharing]] service also blocked files with double extensions, such as .jpg.exe, .png.exe, or .bmp.exe. Just like usual malware, the [[Backdoor.IRCBot.Dorkbot]] can update itself once installed on the victim's computer or other related [[Peripheral|devices]].<ref>{{cite web|url=https://hotforsecurity.bitdefender.com/blog/dorkbot-malware-infects-facebook-users-spies-browser-activities-and-grabs-data-6165.html|title=Dorkbot Malware Infects Facebook Users; Spies Browser Activities...|date=14 May 2013|publisher=}}</ref>
-The biggest risk is that someone's Facebook contacts may have had their account already compromised (due to sloppy password security, or granting access to a [[rogue application]]) and that the account user has been allured by clicking on a link seemingly posted by one of their friends.
+The biggest risk is that someone's Facebook contacts may have had their account already compromised (due to sloppy password security, or granting access to a [[rogue application]]) and that the account user has been allured by clicking on a link seemingly posted by one of their friends.{{Citation needed |date=June 2024}}
-Although the links pretend to point to an image, the truth is that a malicious (i.e.) [[screensaver]] is hidden behind an icon of two blonde women.<ref>https://sophosnews.files.wordpress.com/2011/11/facebook-jpg.jpg?w=640</ref> After the code is launched it attempts to download further malicious software hosted on a specific compromised Israeli domain. The malware is currently not present on the Israeli website. All that remains is a message seemingly from the intruders, that says:
+Although the links pretend to point to an image, the truth is that a malicious [[screensaver]] is hidden behind an icon of two blonde women. After the code is launched, it attempts to download further malicious software hosted on a specific compromised Israeli domain. The malware is currently not present on the Israeli website. All that remains is a message, seemingly from the intruders, that says:
-:::::::::::::::::::[https://sophosnews.files.wordpress.com/2011/11/hacked-website1.jpg?w=640 <big>''Hacked&nbsp;By&nbsp;ExpLodeMaSTer&nbsp;&&nbsp;By&nbsp;Ufuq''</big>].
+:::::::::::::::::::<big>Hacked&nbsp;By&nbsp;ExpLodeMaSTer&nbsp;&&nbsp;By&nbsp;Ufuq</big>
-It is likely that they are using additional or other websites in continuing spreading their cyber attack(s). Some other popular baits tricking users to click on malicious links include [[Rihanna]] or [[Taylor Swift]] [[sex tape]]s.<ref name=autogenerated1 /><ref>{{cite web|url=https://nakedsecurity.sophos.com/2011/12/05/facebook-chat-worm-continues-spread/|title=Facebook chat worm continues to spread|date=5 December 2011|publisher=}}</ref>
+It is likely that they are using additional or other websites in continuing spreading their cyberattack(s). Some other popular baits tricking users to click on malicious links include [[Rihanna]] or [[Taylor Swift]] [[sex tape]]s.<ref name=autogenerated1 /><ref>{{cite web|url=https://nakedsecurity.sophos.com/2011/12/05/facebook-chat-worm-continues-spread/|title=Facebook chat worm continues to spread|date=5 December 2011|publisher=}}</ref>
-== Statistics ==
-* '''''Niger:'''''  Due to Information from the [[Kaspersky Cybermap]], ''Shikara Spam Code'' has been ranking in April 2017 the Top number 1 in the country of [[Niger]] with 77.51 % . Place #2 sits as ''[[Linguistic Analysis]]'' far behind, with 14.7 % .<ref name="kaspersky.com">{{cite web|url=https://cybermap.kaspersky.com/stats/#country=208&type=kas&period=m|title=Kaspersky Cyberthreat real-time map|publisher=}}</ref>
-* '''''Code Shikara''''' mainly circulates in following Countries (STATISTICS - April 22nd 2017):
-: Afghanistan (81.27 %)
-: Romania     (78.58 %)
-: Algeria     (78.56 %)
-: India       (78.46 %)
-: Niger       (77.51 %)
-: Turkey      (75.49 % <small>'''Turkey % per Week !'''</small>) <ref name="kaspersky.com"/>
 == See also ==
-*[[Alert (TA15-337A)]]
+*{{annotated link|Alert (TA15-337A)}}
-*[[Computer worm]]
+*{{annotated link|Computer worm}}
-*[[Dorkbot (malware)]]
+*{{annotated link|Dorkbot (malware)}}
-*[[Malware]]
+*{{annotated link|Malware}}
 ==References==
 {{reflist}}
 == External links ==
 *[https://www.us-cert.gov/ncas/alerts/TA15-337A Alert (TA15-337A) @ United States Computer Emergency Readiness Team] (''[[US-CERT]]'')
@@ Line 43: / Line 36: @@
 {{Software distribution}}
-[[Category:2011 in computer science]]
+[[Category:2011 in computing]]
 [[Category:Botnets]]
-[[Category:Cyberattacks]]
-[[Category:Cybercrime]]
-[[Category:Cyberwarfare]]
-[[Category:Denial-of-service attacks]]
 [[Category:Email worms]]
 [[Category:Exploit-based worms]]
 [[Category:File sharing]]
-[[Category:Hacking (computer security)]]
 [[Category:Hacking in the 2010s]]
 [[Category:Identity theft]]
 [[Category:Instant messaging]]
-[[Category:Internet fraud]]
-[[Category:Internet Relay Chat]]
-[[Category:Internet Relay Chat bots]]
-[[Category:Malware]]
-[[Category:Multi-agent systems]]
 [[Category:Password authentication]]
-[[Category:Social engineering (computer security)]]
+[[Category:Social engineering (security)]]
-[[Category:Spammers]]
 [[Category:Spamming]]
 [[Category:Spyware]]
 [[Category:Windows malware]]
+[[Category:Cybercrime in India]]

v t e Malware topics
Infectious malware	Comparison of computer viruses Computer virus Computer worm List of computer worms Timeline of computer viruses and worms
Concealment	Backdoor Clickjacking Man-in-the-browser Man-in-the-middle Rootkit Trojan horse Zombie computer
Malware for profit	Adware Botnet Crimeware Fleeceware Form grabbing Fraudulent dialer Infostealer Keystroke logging Malbot Privacy-invasive software Ransomware Rogue security software Scareware Spyware Web threats
By operating system	Android malware Classic Mac OS viruses iOS malware Linux malware MacOS malware Macro virus Mobile malware Palm OS viruses HyperCard viruses
Protection	Anti-keylogger Antivirus software Browser security Data loss prevention software Defensive computing Firewall Internet security Intrusion detection system Mobile security Network security
Countermeasures	Computer and network surveillance Honeypot Operation: Bot Roast

v t e Software distribution
Licenses	Beerware Floating licensing Free and open-source Free Open source Freely redistributable License-free Proprietary Public domain Source-available
Compensation models	Adware Commercial software Retail software Crippleware Crowdfunding Freemium Freeware Pay what you want Careware Donationware Open-core model Postcardware Shareware Nagware Trialware
Delivery methods	Digital distribution File sharing On-premises Pre-installed Product bundling Retail software Sneakernet Software as a service
Deceptive and/or illicit	Unwanted software bundling Malware Infostealer Ransomware Spyware Trojan horse Worm Scareware Shovelware
Software release life cycle	Abandonware End-of-life Long-term support Software maintenance Software maintainer Software publisher Vaporware list
Copy protection	Digital rights management Software protection dongle License manager Product activation Product key Software copyright Software license server Software patent Torrent poisoning