Facebook Koobface Worm Targets Other Networking Sites


Facebook is being pummeled by the Koobface worm for the fifth time within the span of a week even as the worm has begun making the rounds on other social networking sites.

In the latest attack, discovered by researchers at Trend Micro, a user receives a link from what appears to be a Facebook friend. Once they click the link, they are taken to a spoofed, and very legitimate-looking, YouTube page, complete with fake comments from "viewers."

The video in question appears to come from the "friend" that sent the user the link, along with his or her name and a pulled Facebook profile photo. In order to view the video, the user is prompted to install a version of Adobe Flash Player, which is actually malicious code that unloads a variant of the Koobface worm once the user hits "install."

Once the malware is launched on a user's system, the malicious worm starts to search for browser cookies, which often store logger and password information. The malware then checks files and applications for sensitive information, sending all the lifted data to an offshore server controlled by the remote attackers. The user's profile is then spammed out to members of their friends list, which further propels the malware campaign.

"They check your address book, comments or internal spam. Then the whole process starts all over again," said Jamz Yaneza, Trend Micro threat research manager. "This one looks special in the sense that compared to the other variants, it didn't' require a rogue application to get it installed."

The U.S. Computer Emergency Readiness Team issued an advisory warning users that the Koobface worm was making the rounds on numerous other social networking sites as well, including hi5, friendster, myyearbook, bebo, and livejournal.

The recent Koobface YouTube attack follows shortly after another scam in which users are warned their account might be terminated with a phony notification alerting them that they had violated the site's terms of service. The users were instructed to click on a link which led to a rogue application named "facebook—closing down!!!." Once installed, the malicious application spammed all of the contact names in the affected user's friends list with the same message, while gathering members' personal data to use for identity theft purposes.

Facebook surpassed MySpace as the most popular social networking site with more than 175 million users worldwide. With the explosive growth and popularity of social networking, security experts say that this rash of attacks targeting Facebook and other sites won't go away any time soon.

"I would say that in some way or other [Facebook has] replaced others as one of the most popular social networking sites today. A year ago it was MySpace," Yaneza said. "It's all about information and all about money, and all about fraud. It's all about stealing information."

Yaneza said that Facebook was starting to crack down on a wave of malware attacks by setting up a vetting and verification process, which might entail providing an icon to ensure the users' security when on the site.

Until then, however, Yaneza advised users to avoid clicking on unknown links that steer them away from the site -- especially if the URL is unfamiliar. And if possible, avoid putting identifying information, such as mother's maiden name, either on the site or as a password or answer to secret security questions, he said.

"People tend to forget or are not aware. They help the bad guys profile them," Yaneza said. "Basically the same security practices you have in the real world will have to be implemented online as well.'