Code Shikara

Last updated July 05, 2023

Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering.

Timeline

In 2011, the Code was first identified by the Danish cyber security company CSIS. The AV-company Sophos reported in November 2011 that this threat mainly spreads itself through malicious links through the social network Facebook.^[1]^[2]

In 2013, Bitdefender Labs caught and blocked the worm, which is capable of spying on users' browsing activities, meanwhile stealing their personal online/offline information and/or credentials, commonly known as cybercrime. The infection was originally flagged by the online backup service MediaFire, who detected that the worm was being distributed camouflaged as an image file. Despite the misleading extension, MediaFire successfully identified the malicious image as an .exe-file. The malicious Shikara Code poses as a .jpeg image but is indeed an executable file. As an IRC bot, the malware is simply integrated by the attackers from a control and command server. Besides stealing usernames and passwords, the bot herder may also order additional malware downloads.

MediaFire had then taken steps to address incorrect and misleading file extensions in an update, which identified and displayed a short description by identifying specific file types. To help users for this specific threat, the file sharing service also blocked files with double extensions, such as .jpg.exe, .png.exe, or .bmp.exe. Just like usual malware, the Backdoor.IRCBot.Dorkbot can update itself once installed on the victim's computer or other related devices.^[3]

The biggest risk is that someone's Facebook contacts may have had their account already compromised (due to sloppy password security, or granting access to a rogue application) and that the account user has been allured by clicking on a link seemingly posted by one of their friends.

Although the links pretend to point to an image, the truth is that a malicious screensaver is hidden behind an icon of two blonde women. After the code is launched it attempts to download further malicious software hosted on a specific compromised Israeli domain. The malware is currently not present on the Israeli website. All that remains is a message seemingly from the intruders, that says:

Hacked By ExpLodeMaSTer & By Ufuq

It is likely that they are using additional or other websites in continuing spreading their cyber attack(s). Some other popular baits tricking users to click on malicious links include Rihanna or Taylor Swift sex tapes.^[2]^[4]

Statistics

Niger: Due to Information from the Kaspersky Cybermap, Shikara Spam Code has been ranking in April 2017 the Top number 1 in the country of Niger with 77.51% . Place #2 sits as Linguistic Analysis far behind, with 14.7%.^[5]

Code Shikara mainly circulates in following Countries (STATISTICS - April 22nd 2017):

Afghanistan (81.27%)

Romania (78.58%)

Algeria (78.56%)

India (78.46%)

Niger (77.51%)

Turkey (75.49%) ^[5]

Related Research Articles

<span class="mw-page-title-main">Malware</span> Malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

<span class="mw-page-title-main">Antivirus software</span> Computer software to defend against malicious computer viruses

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

<span class="mw-page-title-main">Internet security</span> Branch of computer security

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

ILOVEYOU, sometimes referred to as Love Bug or Love Letter for you, was a computer worm that infected over ten million Windows personal computers on and after 5 May 2000. It started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs." At the time, Windows computers often hid the latter file extension by default because it is an extension for a file type that Windows knows, leading unwitting users to think it was a normal text file. Opening the attachment activates the Visual Basic script. First, the worm inflicts damage on the local machine, overwriting random files, then, it copies itself to all addresses in the Windows Address Book used by Microsoft Outlook, allowing it to spread much faster than any other previous email worm.

<span class="mw-page-title-main">Ransomware</span> Malicious software used in ransom demands

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid off. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

A computer virus hoax is a message warning the recipients of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipients to forward it to everyone they know, but it can also be in the form of a pop-up window.

<span class="mw-page-title-main">Rogue security software</span> Form of malicious software

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

Defensive computing is a form of practice for computer users to help reduce the risk of computing problems, by avoiding dangerous computing practices. The primary goal of this method of computing is to be able to anticipate and prepare for potentially problematic situations prior to their occurrence, despite any adverse conditions of a computer system or any mistakes made by other users. This can be achieved through adherence to a variety of general guidelines, as well as the practice of specific computing techniques.

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

Dorkbot is a family of malware worms that spreads through instant messaging, USB drives, websites or social media channels like Facebook. It originated in 2015 and infected systems were variously used to send spam, participate in DDoS attacks, or harvest users' credentials.

The social media platform and social networking service Facebook has been affected multiple times over its history by intentionally harmful software. Known as malware, these pose particular challenges both to users of the platform as well as to the personnel of the tech-company itself. Fighting the entities that create these is a topic of ongoing malware analysis.

References

↑ "CSIS - Exceptional threat intelligence".
1 2 "Facebook worm poses as two blonde women". 29 November 2011.
↑ "Dorkbot Malware Infects Facebook Users; Spies Browser Activities..." 14 May 2013.
↑ "Facebook chat worm continues to spread". 5 December 2011.
1 2 "Kaspersky Cyberthreat real-time map".

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "CSIS - Exceptional threat intelligence".

[autogenerated1-2] 1 2 "Facebook worm poses as two blonde women". 29 November 2011.

[3] "Dorkbot Malware Infects Facebook Users; Spies Browser Activities..." 14 May 2013.

[4] "Facebook chat worm continues to spread". 5 December 2011.

[kaspersky.com-5] 1 2 "Kaspersky Cyberthreat real-time map".

[1]

[2]

[3]

[4]

[5]

v t e Malware topics
Infectious malware	Comparison of computer viruses Computer virus Computer worm List of computer worms Timeline of computer viruses and worms
Concealment	Backdoor Clickjacking Man-in-the-browser Man-in-the-middle Rootkit Trojan horse Zombie computer
Malware for profit	Adware Botnet Crimeware Fleeceware Form grabbing Fraudulent dialer Malbot Keystroke logging Privacy-invasive software Ransomware Rogue security software Scareware Spyware Web threats
By operating system	Android malware Classic Mac OS viruses iOS malware Linux malware MacOS malware Macro virus Mobile malware Palm OS viruses HyperCard viruses
Protection	Anti-keylogger Antivirus software Browser security Data loss prevention software Defensive computing Firewall Internet security Intrusion detection system Mobile security Network security
Countermeasures	Computer and network surveillance Honeypot Operation: Bot Roast

v t e Software distribution
Licenses	Beerware Floating licensing Free and open-source Free Open source Freely redistributable Proprietary Public domain Source-available
Compensation models	Adware Commercial software Retail software Crippleware Crowdfunding Freemium Freeware Pay what you want Careware Donationware Open-core model Postcardware Shareware Nagware Trialware
Delivery methods	Digital distribution File sharing On-premises Pre-installed Product bundling Retail software Sneakernet Software as a service
Deceptive and/or illicit	Unwanted software bundling Malware Spyware Trojan horse Worm Ransomware Scareware Shovelware Vaporware list
Software release life cycle	Abandonware End-of-life Long-term support Software maintenance Software maintainer Software publisher
Copy protection	Digital rights management Software protection dongle License manager Product activation Product key Software copyright Software patent Torrent poisoning