CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 2nd, 2009

New Koobface Worm Variant Spreads Across Facebook, Myspace, Hi5 And Other Social Networks

A new strain of the Koobface worm is spreading across numerous social networking sites. The malware posts messages to the friends of infected users, inviting them to view a video. The linked website tries to trick prospective marks into believing they need an updated version of the Adobe Flash Player plugin to view the clip. The software offered is, of course, loaded with Windows-specific Trojan code. This malware establishes a back door on compromised Windows machines.

The first link takes the victim to a site supposedly hosting a video posted by the same person who sent the message. The malicious landing page not only displays the sender's name but also pulls the photo from the sender's Facebook profile. This social engineering trick is meant to make the victim believe that it's the actual friend who sent the message.

Clicking the Install button redirects to a download site for the file setup.exe, which is the new Koobface variant detected as WORM_KOOBFACE.AZ by Trend Micro. It is hosted on as many as 300 unique IP addresses, and the number will probably grow. All IP addresses seen hosting the malicious file are now detected as HTML_KOOBFACE.BA by Trend Micro.

Analysis reveals that WORM_KOOBFACE.AZ propagates through facebook.com, hi5.com, friendster.com, myyearbook.com, myspace.com, bebo.com, tagged.com, netlog.com, fubar.com, and livejournal.com. It first searches for cookies created by those sites. The worm then connects to the respective site using the login credentials stored in the gathered cookies. It searches for the infected user’s friends, who are then sent messages containing a link from which a copy of the worm is downloaded. It also sends and receives information from an infected machine by connecting to several servers, which allows hackers to execute commands on the affected machine.
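A detection example for the behaviour described above, added here and not taken from the original article or from Trend Micro: it scans a web proxy log for a client that fetches setup.exe from a bare-IP host shortly after visiting one of the listed social networks. The log format, the 10-minute window, the assumption that the download URL uses an IP literal as its host, and all sample log lines are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Sites the article lists as propagation channels for WORM_KOOBFACE.AZ.
SOCIAL_SITES = {"facebook.com", "hi5.com", "friendster.com", "myyearbook.com",
                "myspace.com", "bebo.com", "tagged.com", "netlog.com",
                "fubar.com", "livejournal.com"}
WINDOW = timedelta(minutes=10)  # assumption: lure click and download are close in time
# Constructed sample proxy log, "timestamp client url" (format is an assumption).
SAMPLE_LOG = """\
2009-03-02T10:00:05 10.0.0.21 http://www.facebook.com/inbox/
2009-03-02T10:01:40 10.0.0.21 http://192.0.2.44/setup.exe
2009-03-02T10:02:00 10.0.0.35 http://downloads.example.com/setup.exe
2009-03-02T10:03:10 10.0.0.35 http://www.myspace.com/home
2009-03-02T10:05:00 10.0.0.35 http://198.51.100.7/go/Setup.EXE
2009-03-02T11:45:00 10.0.0.21 http://203.0.113.9/setup.exe
"""

def is_social(host):
    return any(host == s or host.endswith("." + s) for s in SOCIAL_SITES)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_suspect_downloads(log_text, window=WINDOW):
    """Return (client, url) for setup.exe fetched from a bare IP soon after a social-site visit."""
    last_social, hits = {}, []  # last_social: client -> time of latest social-site request
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, url = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        u = urlsplit(url)
        host = u.hostname or ""
        if is_social(host):
            last_social[client] = ts
        elif (u.path.lower().endswith("/setup.exe") and is_ip_literal(host)
              and client in last_social and ts - last_social[client] <= window):
            hits.append((client, url))
    return hits

if __name__ == "__main__":
    for client, url in find_suspect_downloads(SAMPLE_LOG):
        print(f"ALERT {client} fetched {url} after social-network activity")
```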

The attack follows the appearance last week of two rogue applications – “Error Check System” and “Facebook closing down” – which used misleading messages to hoodwink users into activating software packages. Neither app spread malware as such, but Error Check System has been linked to indirect attempts to attract surfers to sites punting rogue anti-malware (AKA scareware) packages.

Credit: Rik Ferguson, Trend Labs
Credit: The Register


One Response to “New Koobface Worm Variant Spreads Across Facebook, Myspace, Hi5 And Other Social Networks”

1. Very detailed explanation about the way this worm works. I have been infected through music & lyrics sites though, so the issue is spreading widely!!!

