Koobface Variant Resurfaces On Facebook

Security experts say that the latest Koobface variant, Win32/Koobface, is sending massive volumes of spam messages to millions of users on numerous social networking sites, including Facebook, MySpace, Friendster, Hi5, Bebo, Fubar, MyYearbook and Tagged.

During the attack, the Koobface variant connects to the malicious server UPR15MAY.com to retrieve information for the spam messages it sends to the contacts of infected users. Facebook and other social networking users are then enticed to click on links embedded in messages that appear to come from someone on their contact lists.

Users receive Facebook spam messages with subject lines such as "What's on your mind?" Other subject lines lure users by suggesting that they were caught doing something embarrassing on video, with (sometimes misspelled) subject lines such as "Be more careful next time and get caught again!" and "Laaugh at oother people?? Llook at yourself!"

Once users click on the embedded links, they are redirected to one of many malicious Web sites that distribute the Koobface binary. One of the redirects takes users to a fake video site ("YuoTube") to download the malicious file "Setup.exe," a Koobface variant designed to steal sensitive information and record keystrokes to obtain users' login credentials. Other variants also download malicious files such as rogue antivirus software.

Experts say that unlike previous versions, the latest Koobface variant has the ability to circumvent patches and security controls, such as antivirus software.

"The malware is very intelligent. It can get around security controls," said Don DeBolt, director of research for the Internet security business unit for Islandia, N.Y.-based CA.

Security experts contend that the Koobface worm has been successful largely because of the inherent trust users put into social networking sites, especially if they think they're receiving a message from someone they know. In addition, the social network environment is a prime target for attackers because users voluntarily provide copious amounts of personally identifying information online.

"It's just an arms race," DeBolt said. "They know these social networking communities are target-rich. If they can get messages into that system, they have a much better hit rate."

As always, users are advised to avoid opening spam messages and clicking on unsolicited links, even if they appear to come from someone they know.

In the meantime, experts say, the Koobface worm is likely to stay around for a while, as new versions become more resilient to security software.

"We'll continue to see Koobface around as long as there are target-rich environments of Internet-based communities where people want to share data and want to share information about themselves," DeBolt said. "They're going to be very much a target for purveyors of malware."