Tuesday, March 3rd, 2009
New Koobface Worm Spreading On Social Networking Sites

by Blight Crusader

Trend Labs is reporting on their blog that a new strain of the Koobface worm has been detected on Facebook. It sends the unsuspecting user to a fake YouTube page, which prompts them to download the latest Flash Player. But, of course, what gets downloaded instead is malware.

Check out the full blog posting to see example screenshots, which show how sophisticated the sting is. From their post:

Take a second look though, the link had taken me to a site supposedly hosting a video posted by the same person that I had received the Facebook message from. In fact not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile. A very neat little piece of social engineering.

Clicking the Install button redirects to a download site for the file setup.exe which is the new Koobface variant detected as WORM_KOOBFACE.AZ. It is hosted on an IP address in another part of the world, and in the last hour, we’ve seen 300+ different unique IP addresses hosting setup.exe and we’re expecting more. All seen IP addresses hosting the said malicious file are now detected as HTML_KOOBFACE.BA.

Analysis by our engineers reveals that WORM_KOOBFACE.AZ propagates through other social networking sites as well. It first searches for cookies created by the following sites:

  • facebook.com
  • hi5.com
  • friendster.com
  • myyearbook.com
  • myspace.com
  • bebo.com
  • tagged.com
  • netlog.com
  • fubar.com
  • livejournal.com

The worm connects to a respective site using login credentials stored in the gathered cookies. It then searches for an infected user’s friends, who are then sent messages containing a link where a copy of the worm is downloaded. It also sends and receives information from an infected machine by connecting to several servers. This allows hackers to execute commands on the affected machine.

This continues the disturbing trend of social networking sites becoming more and more vulnerable to such malware attacks. Most users are simply not as careful with sites like Facebook as they would be with email, for instance. Until a better way of stopping such attacks is found, look for them to increase in the near future.
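
The quoted analysis notes that setup.exe was being served from hundreds of different IP addresses. As an added example (not code from Trend Micro or from this post), the Python below scans web proxy logs for executables fetched from bare-IP hosts and flags any filename seen on several distinct addresses. The log format, the sample lines, the function names and the threshold are assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log: "<timestamp> <client> <method> <url>". The format
# and all addresses (RFC 1918 / RFC 5737 ranges) are assumptions for the example.
SAMPLE_LOG = """\
2009-03-03T10:01:12Z 10.0.0.21 GET http://192.0.2.15/setup.exe
2009-03-03T10:02:40Z 10.0.0.34 GET http://198.51.100.7/youtube/setup.exe
2009-03-03T10:03:05Z 10.0.0.21 GET http://203.0.113.99/setup.exe
2009-03-03T10:04:18Z 10.0.0.50 GET http://downloads.example.com/tools/setup.exe
2009-03-03T10:05:02Z 10.0.0.34 GET http://192.0.2.15/index.html
malformed line
"""


def is_ip_literal(host):
    """True when the URL host is a raw IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def exe_downloads_from_ip_hosts(log_text):
    """Map each .exe filename to {hosting IP: set of clients that fetched it}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _, client, _, url = fields
        parts = urlsplit(url)
        host = parts.hostname or ""
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if filename.endswith(".exe") and is_ip_literal(host):
            hits[filename][host].add(client)
    return hits


def suspicious_filenames(log_text, min_hosts=3):
    """Filenames served by at least min_hosts distinct IP-literal hosts."""
    hits = exe_downloads_from_ip_hosts(log_text)
    return {n: sorted(h) for n, h in hits.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    print(suspicious_filenames(SAMPLE_LOG))
```

The per-host client sets returned by `exe_downloads_from_ip_hosts` identify which internal machines fetched the file and should be checked for infection.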
