Even a major social-networking worm like Koobface can have Facebook fatigue, as security researchers report that Koobface has not spread its malicious links using the site since February.
Koobface, the worm that
wreaked havoc on Facebook last year appears to have stopped using the social-networking
site to spread its malicious links, security researchers found.
The last time Koobface tried
to infect users was around February 13, researchers at security firm FireEye
noted on its
Malware
Intelligence Lab blog on April 8. The link the scammers used redirected
victims to a fake YouTube video that they couldn't watch until they downloaded
a specific codec file. The available codec turned out to be a malicious file
crafted to compromise the system.
This is not a temporary
move, according to Atif Mushtaq, senior threat analyst with anti-malware
software provider FireEye. "A continued silence for about two months is
not something that can be ignored," Mushtaq said.
Koobface was considered one
of the
most
dangerous social-networking threats making the rounds in 2010. Koobface
attackers sent instant-messaging spam to users with strange URLs and a
suggestive message to encourage users to click. With the increasing popularity
of URL shortening services such as goo.gl, tinyurl and bit.ly, users are no
longer concerned about clicking on links that aren't legible or familiar. Since
victims couldn't see the actual URL being sent in the messages, they were unaware
the links pointed to malicious Websites until it was too late.
FireEye researchers were no
longer seeing instructions from the Koobface botnet to zombie systems to post
fake messages to compromised Facebook accounts, Mushtaq said. While the gang
may not be using Facebook, Koobface the botnet remains alive and well. The
FireEye team has observed about 153 live command-and-control servers in the
past seven days, Mushtaq said. One active Koobface attack is currently
promoting fake pharmaceuticals, said Mushtaq.
The Koobface gang may have
decided that targeting Facebook users was no longer as lucrative and required
too much effort, Mushtaq speculated. The attacks were "catching too much of the
world's attention," and Facebook was proactively blocking malicious URLs,
shutting down applications as fast as it found them, and going after known
C&C servers.
"I have no doubt that the
guys behind Koobface are using other channels to spread their creations,"
Mushtaq said. He said attackers could be using tactics such as pay-per-install,
exploit kits and torrents to spread the malicious links instead of targeting Facebook
users.
While Koobface appears to
have left the field, there are plenty of attackers who are still targeting
Facebook users. A bullying video made the rounds on April 7 exploiting a
cross-site scripting flaw. Sophos security researchers noticed a new scam where
users were tricked into copy-pasting JavaScript code directly into the
browser's address bar. Instead of a malicious application, this scam is built
around a Social Tagging Worldwide community. Before users can find out who has
viewed their profile, they are asked to "verify" they are valid Facebook users
by entering that malicious code, essentially launching a self-inflicted XSS
attack.
A recent survey by Eclipse,
a United Kingdom-based Internet service provider, found that more than half of
British small businesses thought Koobface was a social networking site and 75
percent said they would not recognize a rogue link before clicking on it.
Businesses need to be more aware about various malware threats that could
propagate through social-networking sites such as Facebook, according to
Eclipse.
The name "Koobface" is
actually an anagram of "Facebook."
Email
Print
