Researchers at Trend Micro report that a new variant of the Koobface worm is squiggling through Facebook, infecting users and attempting to steal cookies with log-in information for sites such as MySpace.com, MyYearbook.com, Bebo and Hi5 Networks. The Koobface worm first appeared in 2008.
Researchers at Trend Micro are reporting that a new variant of the Koobface worm is spreading on Facebook. Koobface first appeared in 2008, with separate variants striking members of Facebook and MySpace.com. Now the Koobface worm is back again, with an eye toward stealing cookies for other social networking sites.
According to Trend Micro, the new variant sends Facebook messages claiming to be from a friend. The messages link to a spoofed YouTube video. In an interesting social engineering ploy, the malicious landing page not only displays the friend's name, but also a picture pulled from the person's Facebook profile.
The page prompts the user to install a new version of Adobe Flash. Users who agree are redirected to a download site for the file setup.exe, which is the new Koobface variant. Trend Micro detects the worm as WORM_KOOBFACE.AZ, and reported March 1 that its researchers had seen more than 300 unique IP addresses hosting the .exe file.
Trend Micro is expecting to see more.
"We're only flagging a few hits at the moment, but the complexity with which this threat has been created shows how much work has been done to social-engineer social networks with the end game of creating [botlike] accounts to send out third-party links to almost anything," said Jamz Yaneza, a threat researcher at Trend Micro.
The latest iteration of the worm runs on Windows 98, ME, NT, 2000, XP and Server 2003. It sends and receives information by connecting to several servers, allowing hackers to remotely execute commands on a compromised
Once installed, the worm searches for cookies created by a number of social networking sites, including MySpace.com, Hi5 Networks, MyYearbook.com and Bebo. After the cookies are located, the malware attempts to use the user log-in session information stored in the cookies to connect to the Web sites.
From there it searches out the victim's friends and sends an HTTP POST request to a rogue server. As a reply, the server sends the message to the user's contacts with a link to where a copy of the worm can be downloaded.
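As an added example that is not part of the Trend Micro report or this article, the following Python script flags, in constructed proxy log lines, the chain described above: an .exe fetched from a site addressed by a bare IP, followed by an HTTP POST from the same client to another bare-IP host. The client addresses, hostnames, IP addresses and paths in the sample log are assumptions chosen for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample proxy log lines (client, method, URL); not taken from
# the Trend Micro report. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here as placeholders for rogue hosts.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.facebook.com/inbox/
10.0.0.5 GET http://203.0.113.44/watch/video.php
10.0.0.5 GET http://203.0.113.44/setup.exe
10.0.0.5 POST http://198.51.100.7/gen.php
10.0.0.8 GET http://get.adobe.com/flashplayer/
10.0.0.8 GET http://download.example.com/setup.exe
10.0.0.8 POST http://www.facebook.com/ajax/messaging/send.php
"""

def is_bare_ip_host(url):
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def find_suspicious_chains(log_text):
    """Return (client, exe_url, post_url) triples for every client that fetched
    an .exe from a bare-IP host and later POSTed to another bare-IP host."""
    pending = {}  # client -> URL of the .exe download awaiting a follow-up POST
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, method, url = parts
        path = urlparse(url).path.lower()
        if method == "GET" and path.endswith(".exe") and is_bare_ip_host(url):
            pending[client] = url
        elif method == "POST" and client in pending and is_bare_ip_host(url):
            hits.append((client, pending.pop(client), url))
    return hits

if __name__ == "__main__":
    for client, exe, post in find_suspicious_chains(SAMPLE_LOG):
        print(f"{client}: downloaded {exe} then POSTed to {post}")
```

The second client fetches setup.exe from a named host and only POSTs to Facebook, so it is not flagged; the heuristic is deliberately narrow and would be one signal among several in a real proxy-log review.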
"We've seen a lot of fine-tuning and development done in the underground, but this is an expected eventuality as the rich data from social networks and their reach become more widespread and use is accepted as regular online activity," Yaneza said.