Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Koobface Variant Hits Facebook, Targets Other Social Networks



 By: Brian Prince
2009-03-02
Article Rating:starstarstarstarstar / 5


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Researchers at Trend Micro report that a new variant of the Koobface worm is squiggling through Facebook, infecting users and attempting to steal cookies with log-in information for sites such as MySpace.com, MyYearbook.com, Bebo and Hi5 Networks. The Koobface worm first appeared in 2008.

Researchers at Trend Micro are reporting that a new variant of the Koobface worm is spreading on Facebook.

Koobface first appeared in 2008, with separate variants striking members of Facebook and MySpace.com. Now the Koobface worm is back again, with an eye toward stealing cookies for other social networking sites.

According to Trend Micro, the new variant sends Facebook messages claiming to be from a friend. The messages link to a spoofed YouTube video. In an interesting social engineering ploy, the malicious landing page not only displays the friend's name, but also a picture pulled from the person's Facebook profile.

Resource Library:

The page prompts the user to install a new version of Adobe Flash. Users who agree are redirected to a download site for the file setup.exe, which is the new Koobface variant. Trend Micro detects the worm as WORM_KOOBFACE.AZ, and reported March 1 that its researchers had seen more than 300 unique IP addresses hosting the .exe file.

Trend Micro is expecting to see more.

"We're only flagging a few hits at the moment, but the complexity with which this threat has been created shows how much work has been done to social-engineer social networks with the end game of creating [botlike] accounts to send out third-party links to almost anything," said Jamz Yaneza, a threat researcher at Trend Micro.

The latest iteration of the worm runs on Windows 98, ME, NT, 2000 and XP and Server 2003. It sends and receives information by connecting to several servers, allowing hackers to remotely execute commands on a compromised machine.

Once installed, the worm searches for cookies created by a number of social networking sites, including MySpace.com, Hi5 Networks, MyYearbook.com and Bebo. After the cookies are located, the malware attempts to use the user log-in session information stored in the cookies to connect to the Web sites.

From there it searches out the victim's friends and sends an HTTP POST request to a rogue server. As a reply, the server sends the message to the user's contacts with a link to where a copy of the worm can be downloaded.

"We've seen a lot of fine-tuning and development done in the undergroundbut this is an expected eventuality as the rich data from social networks and their reach become more widespread and use is accepted as regular online activity," Yaneza said.





  Reader Comments: New Koobface Variant Hits Facebook, Targets Other Social Networks
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}kw⸲Z4ٓ}b;iEIBv;ӽZ,c l1s8_κ[%/93 XrI*KR?{{~$rhiI1%SxTwI}"I~xkC(7 R(2duk\ԲL3fcѩS7S?`[+,Q  tjOt0]2x;s:&es'cߨ:``1\l8tTA!j :ah-#@I.bfGuwf\.G4HPߢȱ}3{Pe3;6m( !)/F<ub;FVqB z.Y^7C2pj9TN`UFfnڭbH ~-a w\v4#J3v"QcO$ѡUpLJ^tXF>D>8z vur\RJ63Ҧ\SْG]ss\jS/b@RhFbIpt2Xp~blꚑO?LI :a;6]dU~ƷPoǮ3C2w7ߟ-wQwT9mCO|l ͛Px>Au|ӱaKG P5#k8sheYnJXU+Q\(Usx>{oچsY=0Q9Lk{\ӻl_e CKo5-ij^Tt'^O.[a\`'H|Aw"DT.恈JMDAa|Olq5 { PT㍒~wjFZ՜zsH.#=N-bG``%pbQ\:7gSKߺnZ:9?nN|bPeUz(!1"ؕ 3Bz3u7͛Ke{#kl}lzH KtH  Wh:M?)N[_nG߮CׇE[CYCm0Mϑ*bUR2"1?]ć>_OHF,7MysA 黚(-4K[3}>c-? ,_%?f k3 Jo SE@;- ujg j+U*oU: _&T3oH2 ]-s a6ZAL4\ ACxdMil&XJp;Qsm̗V/``(A/g- 5f:]b%waẍ^,ʹc#'^IRYE6\niPY<8> Zn͉*YX^uejZlpY?i!Kouqn5I{Nk@*1 @ Lna p@L݄?1fhksODOAЌ5_AYy=x@F}0~ l$Tw)fh DfOw |-gnr ,_zv҇9 TQ\ })zn75Cp>H_Nw\Գ&VAB glCC{ޡYY3T w^1;= 5WgaE8F<b5i%fQ7=KęR48%1LasW|](U@KӬYKuoo[9(ĿKӺJJ1 -H"ohkoռE_xee8Hq K-Cr`}ίE6Kh/00Ϳl]86p#{+yEUMLXZfFV)9|RP($y<-pX"@7wrR&a+LҨOaOgAu,0Hojh>M/f:s?RlC48EHhR+mneͨPP - "^=@( K ؈㌡U|aXәً ҢwZ^SvˆԿ>Q:O[-z+Uu<8`ELmRGE=B5ϴ!fWhfAf2,syEpl"zd\s˰e0\j}r1+jkܸ~$AKc6CR$Ӟ0/7uX85]͆OCBY)FHy S/;4/_149 _v_uFm<B+p&L6FkwYдJ喺q8cJREe l{sR(DZ 6A`ѥO䱧e^x8>CH&,\$  D(r>TQ)1.#‚_,ZE`PGܔwт.[*(rus/;]ex %7: rF@8@MfS}`1gS:7u:tȕK-K #.Z$ c0kYt/ÊT9 i~>AV:6őG@=q?@TEe¹5`dQеa#EC?! P"7h{ee곹T U;O/&;w>k-}4Ӥ-h0 %5-"? Y LkQsCŕ9 ޯ]Gkj}52J^a߯yYX^ :Ri3 9&~'~֌L:w׍s0USfyr;ïT05`9z{ǚ~;L`ٜܶ WASD9^%Lɹ%wB֮ZoT0pb2^:K@Wj>Lթ4D6sqqv=j1x#'l|\1W*b R=cx{;3SdmjtV;nHCw`ks_{5<@̙!Y y $v=.EЋv}cꮃj&lldǶGe7M3 PTn7n-J~ B55)Ubq4wq#̨y .Ɠ!skg O=̦:Zk3&t]4. y*1a2$ۄ2knI$G a TCf@IWRy 2@iAtA*}/*\FIv⿿辶﩮tל8A|=h^%5͇R*mX.e~ܓNtLÀ1zABR=Y@rrJ+e eP%.8N}+4CZ6wOXM{xKMo$DDOCVGgX&1WKڼ _3Z cCs7{" }M XWI@ ~5}ϼ1V̶\o~gQW M??$ymSv/iӾt Ы^pkC:(#rj {8{R-},/IueSjwg-~1= LAIP 4#5="!F}׆u{)Ul_I6Ep0\<!>n8YR|I{ѽE%{w;Oj܃CFW!zN.ZlfS L k;d8ɳ pdJu\8$]/=^q@ҽn9`B5c5Ng"c EI׏q8aUxy~,$"0) e:=> B.w$`$X*XU2]]4>2sE9^SrPW"EH%qAFϚu_f bt4zUt"ڟ[Ak᷐o)?Oů1OkwtAxW(ktNz8&\1[qNj?!)4t㿜AG$I b.A-H6غJ9$0RJ`"8Ay;6?m[=`Rr%S3U'i.Z5Kb)s-ȔBB49sxР3%dBY]<ӲYGʐ&P, f|ʊ5R!I=YUr{ڀشƧ{6wg KڝƗHȃ ,-I+Q$/AiA0'@R#F[xq'PH Tո Zr[U+?vƇ)!\8)DкO0QH吜gjC>?Te^wZmYq\=r6lN*pb9,_k==˲yӅcdo':$st7#& A0nֳ}s;[R r'x"64lxYwy"Kx~4qjܘƘ:3eSf8: ˲1q>z H-Н>5/y{do&])GIlkf#'䬉q+ћN[{2е}_?I/KisP!OhdLc!I *Ue7=oȜ9%'2{hd,#Qd1׭P2QY:pGҤEsmfW]Mg[f1ryfio}|z} ~2]9PI9w)~=Ң(r_ZD Np5V{QI)*p}=//r`TTzH^8[ڃ} uΕmi6=pm-3pL Z;x6d4Yo A'AXY w!h79 91lPfpvn ֘@lll4!R"hdLrj٢p2[0\kf>m`! \]3 vLextPcȂ7 )pExIayˆ)* )qOJFI}bV^(/G1iЕuYba8νw[̙& Mt0/÷Spe"PGvG,3LYVT=-ϼ? n3︋6F hǴPMc %Wޮ8TrQ=E\fA`mJ3( 9cg3jj>:6'CE|ߘ;"nǥŹcsjɽ/Shd)1πd3DzfQ@ٙ=R2+'.`|d\8j16j?dR7K]jGieqYEH/j1ωW\ZZ-MNQb1ොˬ !ar23Am&+c ԗ7A=:kTyE OL?etIC!>K8,aE"BF {;5'_wp}, _ޯALRIK!ȧ2,H`I7AzY`MzRӑȖȖ1Gj֭&zx!_UJP JTtb;B% X~8 4ԟ-5_Mcj@NX*ұD2^LU5WH!4aEt2a j|Aj(?IRmK# ǂEOnt/Pi1:ҩJbB@  r  o^y}ۚ;SE%%-9_\vs*j:X.I =(RSؒH(5p 3{kbkGZA2G ✷u̷e(̽$/lGAS%uk]zMKM9ȋ3@2)0ϓ:!5ͻߤJPM,au@7k5>a*?.,mK[嗷 &<4;}pՓ>#פo,'TD5W*sB.7`I0d?O0r+ o |r<'+±^dA_AG_2Wq&WJH$Oy]J.w|;w>!KeۊmM53lz`6・zm{k;5T}- I|gw~eKjR5_0 7֦Q+׹35FARvxoUmKJ)Jܙj˕'W۠\/ॐXeBX_OD/ ْ _Р>O1KZ`K tXEw- m{k }1)2;BC }u_-ϭpMwzrCMsXP ,it=gwK]e]bΆtדR(,:$ €a>aGG&/hym[#W $gxʼn~|7ndN46楎vK=%*8`*tI(o 9 1f"G_^ ޒ._bi'6f){@Wkg~$ BWhK"$茣[(.z_STư"ثub UUUU]rNQ5WJ?.  =Ì-&~=D װr.^zjwJܫ5~}oי=ƈ =rZ!  dQ׷5\聾3ݹ'Ox\9gk.aF1.xwe#`뼾uvӂcړN4.]PP jn͢18 @3٧fsk W$*(?ƗvFީ-ERghQ$J=x_QoJj85ɥ̓ oȋ9: o^ie4#B" !]LI&wI]pPߡZ'\e'H1im{?=GlpጝAπh@I+)?WWm=l)MA̜fY_ζo Kfґd )r8\톎DL465wOB09;6[7oĬ]HvJmmZ0sk3q#)A5[oO6௺eulau3^E/߻lȪVƑe]:uRi,Y~y15y3z>& ƗY' ZHcs9w@X2̬,㉅dn+<;vz3ͅ^:=_}>\9&Eu~\#%:_"R9voQy4NXRl MPӬϟf0u!_`n3y+&9v7(ga0QD!LD~2POAf&r副=k"9o!9x8j '{w!{[$M]$qvЏ{"C/TK9=5t^܇Wehyl?mLH\(-V%8@a1D0쎢dߙ-EVg`*Dz+^xF2ǹGa'0-csWF؇\br-BqaIzd&sψ$9QeEMu&^E 0kA(*$lT!'q/rqc +px ̃L,TCA8?e- =H8ll/vp\@kcΩſj9WUVs.gN((#XL~59xHcGa- `{ fl9 sXh[Mw%9 e 7@g1(0ЂC{wn/*~ߊk6G&K*&:0ۑpspm[,&{=qLLh<#Ծ3]F+G^l/9W#=`fXYrR^}ͬG[Tr9.0$&n'kfMMЁHz3T>#bV̯R߅q}#|#+UX;3X>ky(`aAٹ͕jRGh9h06>2qU SxcDU<11t+PHjNT]OpY]XC3 C w>VHVrob[ѺexpyJ"rK`ܶ8c:+>FS.oR@QoIg8m@`m̼4OG|Sx{ ؛WR'\v CRY `Oi$|b "vFf&DT 1 -A`뭛V=C}A.[7VߺU CƋ<:s&3cA[zHY[rA*/OمuE)ޝbB}gn0c\O09?} >͇\n\O5t$rkQCD91kח\5!e 1 `8*gj9rU K$ 2@: xE ?{=jƘ[Hrz>qn#|Y tkn͙FN1A,X_fπ,E,D "}nAm??~e ԋHB}s ^8|XL?q90"([]ă0T]hّ_/@)"p͒uf~6t Vt#ߛjwӟ{,ȏĶnNKL ByNb] $B1Ӝh_u!6{2{xbwsI`RWrts!xW`NJRe }.݁GRti,)_.4&W)Wh 2!#vFCdQԵi`zfrO4vc޸DNפAN[-p;n_Krܺ!*lkE߂/UQvq{}ٺn_3SM·_ meP0<eHF9ũj\ «X]pxIx(bh,.6/~|L*a^e5DU@ +:{ec l^z=5[Q-ƫ#x]6g1R;bP^Z[+!P˔9jz67anq4ħEOL=0[EEJ{(R?_CPj# ݔr&J)?姀AR?/?ogfnC)CL2N^R ?/)A;)ӁwR4N ~;N ~:0N;@}vRy2ecJ9RށNJ9e^\%euݔwAtSOK7E\}\5u ``) [_C }}i0)(I+Ih&:IJCPH.NpSʋq K //?4 )򬔃zvB%X^๔2ௗ%ߧdnle~n_tu CFWX=m */deyQ e-{}ih}0^Z/$|.;Vd{|.v8)nIfpK|{*` U75iZrq[~t^<\Ȭu7m(!O}>YlفKhO WX2-JKcġ]>]ʹ=F{,*f:pbO}vHq1jC{>'K{k 85ϜbYu8 % ~H-M ׳pN08_аs34_ j<} m̹qor`4c[&Hf6J2VJb9qO;F$ôDǼ *+99W!=a`RZ,&K<3 .=m^%d f 5ˡǎ!pCf݊-@ P]:6mۨ iۼx-|yN ڎx@o9X-.#QW!+ fxM31iƪ1iR  {{[2gډ:o,Q8Sc}ӄwYBDøhdգwh9ıiSrO?g b𒻩6a6gD|&ߢ)tO /AD[e3-Vv=_sS [2d[ XJr h;!VɑF?[ >s$o2b8=bՇ<0; V.ҡ-JHo pj1{L.p;1%7Ŵ#50O)$LOd§On3 &`T(k4>'޺|}kd1ck+cIP/~{$_K71 naI39D$~4gI+-=x= %$Id`M݂9&`匘zǞ”$>x*(]v5$$}9= ڤ-P+oTù( cӘ0t~3N瘽HaC+F2}jı"贯Hϱ=8*n)v2R1L"RĠC)`%1W3n,=Gkg_5 B3q< Y8[Ҥwrfcw[/I)H \dz\g;n4zfeTx/ē_| PgWbz`#Yұnmaiւ_6/gwcx<{KV9j[((& ]a=j*If:AXr$sDr1ߠ^+yJ>? T{K3\6LDR}J0zN]j?Nvi? `nwjښ ˎƔaYѶx SO%iO(o\k<>bi xYձ]w O 7g}޴EcHPVWݞ얏 Xo} 8hO.h6A|fKoռr8I W96O-  `쎈my@eZ:H\*,Df1 ΋?Zfø) 3/* Ǣ8DU ]ۼx[9ċGW\2JP'jdVw(l6Z7Y m-pĶxo4CΰҮT)VM#ʥ.Sܟ>Ca҃f }_X (K# Lwnn)ZF15VBTȟctAL?Va˟]zTQٮ7(GL}ݴ+` jzk7D]YtxA&G[0pczΌz[8K cd. , $(jVI{{A0&iE-ȣd`Cv_̈~ph;?҈A wVǰ>BO Sw O80Ux|-h\};Mr,S0#ŸrY)jĮ';]R*玅A-Z14Mo,ckVTfW0KN= >`5>gzC%=sc.&ı`]d1CGj0LtH d9[\_م5&3k9/YH~6 fr"r*]xWI"cXM7xDljW#.r+ Sq|h-]5,{ٗNŧCRI>Rlv<8~vkn a ѰT\ߴg'݋u˦T)ZNJ`b)XFپ