Facebook Malware Threat Koobface Unfriends Social Network

Some say a leopard can't change its spots. That may be true, but malware is a totally different animal.

Koobface, arguably the most notorious piece of malware targeting Facebook, has stopped using the social network to spread, according to research from security firm FireEye. An anagram of Facebook, Koobface was first detected in 2008. In 2009, a more robust version appeared, and variants have been seen targeting a number of social networks including MySpace, Twitter and hi5.

But according to FireEye security researcher Atif Mushtaq, Koobface has now lost interest in Facebook, despite -- or perhaps because of -- its popularity with millions of people around the world. It has been roughly two months since the company saw Koobface trying to pollute Facebook, he blogged. "All of a sudden, we saw bot herders are no longer instructing zombies to post fake messages to compromised Facebook accounts," he wrote. "Our first impression was that it's just a temporary move but a continued silence for about two months is not something that can be ignored."

The change follows a November 2010 report by the Information Warfare Monitor (IWM) that revealed how the gang behind Koobface made more than $2 million between June 2009 and June 2010 through pay-per-click and pay-per-install affiliate programs.

In the past, the malware typically spread on Facebook using shortened URLs that would direct users to a fake YouTube video that asked them to install a fake codec so they could watch the video. Those who were duped into installing the file would be compromised, and the cycle of link postings and infections would continue.

Mushtaq speculated that Koobface dropped Facebook as an attack vector because the attacks were drawing too much attention. "By not using Facebook as its primary infection vector, Koobface will make Facebook lose interest in it, one less enemy," he blogged. "I have no doubt that the guys behind Koobface are using other channels to spread their creations like pay per install, exploit kits and most recently torrents."

But the sudden disinterest in Facebook does not mean Koobface is dead. According to Mushtaq, around 153 live command and control servers were observed between April 1 and April 8, and one Koobface attack was seen promoting fake pharmaceuticals.

"Koobface's actual payload has always downloaded different malicious components onto the infected system," he blogged. "This may include its own sub components and/or third party malware as part of a pay per install service. This activity is continuing at the moment without a change."

Meanwhile, YAHOS, a modified version of an old IRC bot commonly known as SdBot or Reptile, has added a new module to target Facebook and MySpace. YAHOS uses Facebook’s instant messaging feature to send fake messages to a user’s friends to trick them into visiting an external Web site hosting malicious terms, Mushtaq noted.

The researcher told CRN that YAHOS has been targeting Facebook since January, and was first seen going after MySpace in April of 2010.

"YAHOS’s main payload is to drop other malware onto the infected system," he explained. "These malware are dropped as part of a pay-per-install service. For example, at the moment, I can see YAHOS dropping a well-known information stealer TDSS (famous for its C&C communications over SSL) onto the infected machine. Moreover it has also been seen promoting different affiliate Web sites by opening fake pop ups on the user’s screen."

Unfortunately, social media attacks are akin to a game of Whack-A-Mole, said Chester Wisniewski, senior security advisor at Sophos. "While the Koobface gang may be reorganizing elsewhere, the likejackers, Palevo (what FireEye are calling YAHOS) gang and others are filling the gap, if not increasing the frequency Facebook users are being hit with scams," he said.