29th September: Important Information (runescape.com)

[fakeitormakeit]

This is why we don't accept the IMs from random people in fully correct grammar saying: "Hello, remember our trip to Europe? Click here to see the pictures."

[ilovecuttingyews]

Over the past few days there have been an influx of newcomers posting things like " LOOK I LURED 1.3B AND A BAJILLION PHATS!" Then they post a bunch of links...I have a feeling that was bubbles.

[reaper88888]

Good thing I never go to any rs-related sites but Tip.it, have fully updated A/V, use an onscreen keyboard to type my password, never open unknown emails, and scramble my password when I type it... Even if I did get the virus, no biggie, I've got a bank pin, I never log off without banking, and I've got all my recovery q's set...

 

 

 

 

 

Massive case of paranoia ftw, eh? :)

[RoswellCrash]

For any of you techno geeks out there....are Ad Aware SE and ZoneAlarm good enough?

 

 

 

Zone Alarm is a firewall that's fine, Ad-Aware SE is good you got an Anti-Virus?

[Winner5555]

They really should have used one of the other names to talk about it... describing a vicious, evil worm while using the name "bubbles" sort of detracts from the mood.

 

 

 

In my opinion, bubbles sounds a little too innocent, so even though the virus maker probably used the name so people wouldn't think it was so bad, it probably still drew caution due to it having such a weird name.

[Umega]

Luckly for me the only "3rd party site" I visit is Tip.it, which I trust.

 

Or doesn't that matter? :uhh:

[ilovecuttingyews]

For any of you techno geeks out there....are Ad Aware SE and ZoneAlarm good enough?

 

 

 

Zone Alarm is a firewall that's fine, Ad-Aware SE is good you got an Anti-Virus?

 

 

 

Zone Alarm is both anti-virus and anti-spyware

[PhaperPlane]

For any of you techno geeks out there....are Ad Aware SE and ZoneAlarm good enough?

 

 

 

Zone Alarm is a firewall that's fine, Ad-Aware SE is good you got an Anti-Virus?

 

 

 

Zone Alarm is both anti-virus and anti-spyware

 

 

 

I use Zone Alarm as well, you should be fine as long as you keep it updated an run a virus scan every week :)

[Wachtwoord]

I wonder in what age you live if you don't have an up-to-date firewall and anti virus program...

[Randox]

Not to mention every single one of you should be using Firefox too.

 

 

 

I use FireFox now. :)

 

 

 

I'll be more careful then..

 

 

 

Actualy, in my case IE explor is WAY safer. Vista runs a 'safe mode', so things can only be writen to the temp folder. For ANYTHING, to be written outside that folder, the computer has to get manual permision from the human user to allow it, so worms and what not can never leave the temp. Of course a manualy initiated download is also permission since you normally specify a destination outside of temp.

 

 

 

But ya, AVG is great, if you pay for it, it will do spyware and maleware too. Spysweeper is superior to AVG, does everything and has a 14 day free fuly functional trial.

[Albel]

This scared me to death when i read this, :ohnoes: when i get in my computer at home im going to get new anti-virus program...please let me be in time :pray:

[Latinoking]

LOL I got McAee, Spy Sweeper, Ad Adware. I'm thinking of also getting Norton and ask my friend for his full version of McAfee.

 

 

 

Thank God that RuneScape is blocked at my school. :D (They don't use a very good firewall/security system)

 

 

 

To the people who might get paronid and stuff. Don't. Drink a glass of water and just scan all of your files. C and D drivers. Delete all cookies and temp internet files. You should be safe.

 

 

 

If you have no security system on your computer and you go on alot of sites..... SHAME ON YOU. There's free ones out there! GET THEM!

 

 

 

This sorta makes me question Swift Switch though.

[ilovecuttingyews]

For any of you techno geeks out there....are Ad Aware SE and ZoneAlarm good enough?

 

 

 

Zone Alarm is a firewall that's fine, Ad-Aware SE is good you got an Anti-Virus?

 

 

 

Zone Alarm is both anti-virus and anti-spyware

 

 

 

I use Zone Alarm as well, you should be fine as long as you keep it updated an run a virus scan every week :)

 

 

 

I update it whenever I can, and I have it set to a scan every night while I sleep :D

[Cabbage_Boii]

heh my avg auto scanned today, im not too worried i dont realy click "unknown links"

 

:roll:

[Viv]

LOL I got McAee, Spy Sweeper, Ad Adware. I'm thinking of also getting Norton and ask my friend for his full version of McAfee.

 

 

 

Thank God that RuneScape is blocked at my school. :D (They don't use a very good firewall/security system)

 

 

 

To the people who might get paronid and stuff. Don't. Drink a glass of water and just scan all of your files. C and D drivers. Delete all cookies and temp internet files. You should be safe.

 

 

 

If you have no security system on your computer and you go on alot of sites..... SHAME ON YOU. There's free ones out there! GET THEM!

 

 

 

This sorta makes me question Swift Switch though.

 

 

 

 

 

 

 

same i hope its not swift swich...and i updated my antivirus program and running a scan cause if it is swift swich.. :uhh:

 

 

 

gonna use official rs thing til it clears up i need my account to live =0

[ayden7794]

I think im in the clear. The only file I think I opened or whatever in the last few weeks was the mirc channel for tipit.

[happybappy]

I don't have to worry because I have a mac. pwned. :P

[OldDucky]

Currently I have Nortan Anti Virus, And Pop Up Blocker Installed In my computer. Everyone as Jagex said, Please be aware of links you click on. And don't worry :shame: !

 

 

 

\ Lil Ol' Ducky

[sithlord_man]

good thing i have 2...

[4nr]

I use NOD32. Updates it's virus signatures 3 or 4 times a day. I'm not worried :)

[Latinoking]

People I looked into this worm and I now know why Jagex pointed this out!

 

 

 

This thing is really horrible.

 

 

 

Anyway, the trick displayed by Bubbles -- aka Ramex, Skiki or Pykspa -- adds to its existing ability to shut down a PC's anti-virus defenses, a pretty neat attack on its own. In addition to dropping the keylogger, it watches for PCs running Runescape and attempts to steal log-in data.

 

 

 

So even if you got protection you might still be S.O.L.

 

 

 

Source: Source Click

[flying_death_bombs55]

People I looked into this worm and I now know why Jagex pointed this out!

 

 

 

This thing is really horrible.

 

 

 

Anyway, the trick displayed by Bubbles -- aka Ramex, Skiki or Pykspa -- adds to its existing ability to shut down a PC's anti-virus defenses, a pretty neat attack on its own. In addition to dropping the keylogger, it watches for PCs running Runescape and attempts to steal log-in data.

 

 

 

Source: Source Click

 

 

 

I do NOT trust that link, post the whole thing here if it is real.

[Latinoking]

People I looked into this worm and I now know why Jagex pointed this out!

 

 

 

This thing is really horrible.

 

 

 

Anyway, the trick displayed by Bubbles -- aka Ramex, Skiki or Pykspa -- adds to its existing ability to shut down a PC's anti-virus defenses, a pretty neat attack on its own. In addition to dropping the keylogger, it watches for PCs running Runescape and attempts to steal log-in data.

 

 

 

Source: Source Click

 

 

 

I do NOT trust that link, post the whole thing here if it is real.

 

 

 

Whatever no need to go on Panic Mode dude. Chill Out

 

 

 

September 24, 2007

 

 

 

Bubbles the worm adds keylogger

 

Filed under: Security

 

 

 

As the so-called Bubbles worm continues to wind its way across the Web, passing itself along via the contact lists and chat feature of people's Skype VoIP calling software, researchers have now isolated a far more devious iteration of the virus.

 

 

 

According to experts working on the SpywareGuide blog -- which is run by security vendor FaceTime Communications -- one new version of the threat has moved it from nuisance stage -- it previously posted the "Bubbles" screensaver in Windows onto affected users' machines -- to the nasty stage -- adding a keystroke logging program.

 

 

 

As another twist on the attack, the latest version of Bubbles also appears to take aim at users of the Runescape massive online multi-player game, one that is known to be popular among younger users, specifically teens.

 

 

 

Now, most of you enterprise security readers may think that means you don't have to worry, but it's an interesting bit of social engineering that could easily be used to create subsequent versions that might be aimed at professionals.

 

 

 

You should also consider that people in your company much older than teens may already be playing such games.

 

 

 

(Am I the only one reading this who knows otherwise normal, adult people who need a trip to Worlds of Warcraft anonymous?)

 

 

 

Anyway, the trick displayed by Bubbles -- aka Ramex, Skiki or Pykspa -- adds to its existing ability to shut down a PC's anti-virus defenses, a pretty neat attack on its own. In addition to dropping the keylogger, it watches for PCs running Runescape and attempts to steal log-in data.

 

 

 

So, what if someone did the same thing for LinkedIn, or Salesforce.com or something? Now you get the idea.

 

 

 

Basically, it doesn't matter if you're a gamer or not if you get the virus, because according to the researchers: "it logs everything the victim does on the infected PC, storing all logged information to a file in the system32 directory called syswinf32.dll."

 

 

 

Fun, fun. And: "It shows applications that have run, any action taken within the application, any text typed, and any Web sites visited."

 

 

 

Then: "Now that it's effectively stealing every piece of information on the victim PC it's time for the worm to spread to every Skype contact."

 

 

 

Nice.

 

 

 

This is proof positive that something like Bubbles -- believed to be create by a group of young hackers who identify themselves as "Youngsters Against McAfee" (YAM) -- can be quickly and easily manipulated into something much worse, and something that can be used to attack everyone from children to adults.

 

 

 

And while this one only targets the IM chat feature in Skype, most security researchers are saying "stay tuned" when it comes to the development and distribution of more sophisticated threats that attack VoIP itself.

 

 

 

Now ask yourself, is anyone in your company using VoIP software, and what have you done to secure it?

 

 

 

Happy? Get a key scrambler like me if you're that scared. (It encrypts keystrokes; which sends random codes if I do get keylogged \ )

[the123king]

The worm is targeted to runescape users.

 

taken from:

 

http://blog.spywareguide.com/2007/09/bubblesfor_kids.html

 

EDIT: the copy paste didnt include the pictures here. the link above has the full text and pics. and if you don't trust that link, remember i do hold legend status here. 8)

 

 

 

Bubbles...For Kids![/url]":3aavbg1g]The discovery of the Bubbles worm has led to the discovery of more and more variants across the internet. While all have essentially the same methods of infection, not all simply block security programs. FSL has come across a variant of the Bubbles worm that is designed to steal any and all sensitive information from the victim's computer through the most devious method of all...keylogging!

 

 

 

It starts with an executable downloaded from a questionable website. This executable copies itself into the system32 directory of the victim PC, and these 4 files are copies of the main executable:

 

 

 

 

 

 

That's not all this worm does. It also looks for the game Runescape on the infected PC. Here's a screenshot taken from the main executable, pdo[Caution: Executable File]:

 

 

 

 

 

 

For those not aware, Runescape is a MMO game whose target demographic is children, young teens, and teenagers in general. This worm is looking for not only "runescape", but a "RS PIN:" as well. Could this mean payment details? Or (more likely), could they be referring to the victim's PIN to their game bank? Whether its to simply loot your gold, or sell the PIN on illegal forums is unknown. That's not even the scariest part of this infection. It also logs everything the victim does on the infected PC, storing all logged information to a file in the system32 directory called syswinf32.dll.

 

 

 

 

 

 

Syswinf32.dll stores extremely sensitive information monitored from the infected PC.

 

 

 

The above picture is just a sample of what was found in the .dll file. It shows applications that have run, any action taken within the application, any text typed, and any websites visited. Now that it's effectively stealing every piece of information on the victim PC, it's time for the worm to spread to every Skype contact.

 

 

 

 

 

 

Now this worm starts looking familiar. This is the exact same behavior we observed in the original Bubbles worm. When you put it all together what do you get? You get a worm/keylogger that spreads through skype contacts and targets the teenagers that play Runescape. Combine that with the big juicy MAILTO: in the main executable file and you have yourself a wonderful recipe for potential identity theft.

 

 

 

Research Summary Write-Up: Chris Mannon, Senior Threat Researcher

 

Additional Research: Deepak Setty, Senior Threat Researcher

 

 

 

Posted by Chris Mannon on September 19, 2007 01:33 PM | Permalink

 

[Harrington]

I have so much junk on my PC that a full scan took just over an hour. I appear to be clean though, so fingers crossed :pray: