Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 2nd, 2009

New Koobface Worm Variant Spreads Across Facebook, Myspace, Hi5 And Other Social Networks

A new strain of the Koobface worm is spreading across numerous social networking sites. The malware posts invitations to the friends of infected users inviting them to view a video. The linked website tries to trick prospective marks into believing they need an updated version of Adobe Flash Player plugin to view the clip. The software offered is, of course, loaded with Windows-specific Trojan code. This malware establishes a back-door on compromised Windows machines.

The first link takes the victim to a site supposedly hosting a video posted by the same person that sent the message. Not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile. This social engineering trick is supposed to make the victim believe that its the actual friend who sent the message.

Clicking the Install button redirects to a download site for the file setup.exe which is the new Koobface variant detected as WORM_KOOBFACE.AZ by Trend Micro. It is hosted on as many as 300 different unique IP addresses and the number will probably grow. All seen IP addresses hosting the said malicious file are now detected as HTML_KOOBFACE.BA by Trend Micro.

Analysis reveals that WORM_KOOBFACE.AZ propagates through,,,,,,,,, It first searches for cookies created by those sites. The worm then connects to a respective site using login credentials stored in the gathered cookies. It searches for an infected user’s friends, who are then sent messages containing a link where a copy of the worm is downloaded. It also sends and receives information from an infected machine by connecting to several servers. This also allows hackers to execute commands on the affected machine.

The attack follows the appearance of two rogue applications – “Error Check System” and Facebook closing down – last week which used misleading messages in order to hoodwink users into activating software packages. Neither app spread malware as such but Error Check System has been linked to indirect attempts to attract surfers to sites punting rogue anti-malware (AKA scareware) packages.

Credit: Rik Ferguson, Trend Labs
Credit: The Register

Share this item with others:

More on CyberInsecure:
  • MySpace And Facebook Users Targeted By New Worms
  • Twitter Micro-blogging Compromised Accounts Spread Koobface Worm
  • Old Facebook Worm Using New Ways To Spread By Abusing Google Reader And Picasa Websites
  • Botnet’s New Component Imitates Human Facebook Users
  • Social Networks Information Sharing Flaw Exposes Private MySpace Users Photos

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: New Koobface Worm Variant Spreads Across Facebook, Myspace, Hi5 And Other Social Networks

    One Response to “New Koobface Worm Variant Spreads Across Facebook, Myspace, Hi5 And Other Social Networks”

    1. Verry detailed explanation about the way this worm works. I have been infected throu music & lyrics sites though, so the issue is spreading widely!!!

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
    Click to hear an audio file of the anti-spam word