Koobface Worm Lands on Twitter

By Brian Prince  |  Posted 2009-07-10

Twitter has suspended the accounts of users infected with the notorious Koobface worm that made its name targeting social networking sites such as Facebook and MySpace.

Koobface spreads by posting messages on the victim's Twitter account with a link that leads to a malicious site that will infect those who visit it with the malware. Researchers at Trend Micro reported that on July 9 a couple hundred Twitter users were infected in the span of a few hours.

Koobface first appeared in 2008, and since then various iterations have touched down on social networking sites from Facebook to Bebo. Just a few months ago, a variant of the worm sought to steal cookies with log-in information for sites such as MySpace.com, MyYearbook.com, Bebo and Hi5 Networks.

According to Trend Micro Advanced Threats Researcher Ryan Flores, Koobface first made its appearance on Twitter a few weeks ago, and used three shortened URLs to lure users to the malicious site. Now, Koobface has upped the ante, and is sending out even more links. The messages being blasted out include Tweets purporting to have home videos and a so-called "Michael Jackson testament."

The attack relies on shortened URLs, which security researchers increasingly warn users about as the shortening services grow in popularity. Symantec's MessageLabs reported earlier this week that it had observed a significant spike in spam containing shortened URLs, and phishers have taken advantage of shortening services in the past to trick users on Twitter into visiting malicious sites.

There are some tools and services that can be used to see the full URLs, such as TweetDeck and the Firefox add-on LongURL.

"The danger of these short URLs is that you don't know where they will take you," warned Matt Sergeant, senior anti-spam technologist at MessageLabs. "They send an e-mail that's hard to stop with URL blocking services because they can't outright blacklist these places like TinyURL. The short URL obscures the real domain name. Spammers have been doing this for a while by trying to find redirection services, and this is the next level of that."
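The expansion tools and the blocklisting problem described above can be combined on the defensive side: resolve a short link's redirect chain first, then check every hop's domain against the blocklist. The sketch below is an added example, not code from the article or from any tool it names; the hostnames, redirect table and function names are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: shortener hops and a domain blocklist.
SAMPLE_REDIRECTS = {
    "http://short.example/abc": "http://hop.example/r?id=1",
    "http://hop.example/r?id=1": "http://videos.bad.example/watch",
    "http://short.example/ok": "http://news.example/story",
    "http://short.example/loop": "http://short.example/loop",
}
BLOCKLIST = {"bad.example"}

def sample_lookup(url):
    """Return the redirect target for url, or None if it is a final page.
    Assumption: a live version would send a HEAD request without following
    redirects and return the Location header instead of using this table."""
    return SAMPLE_REDIRECTS.get(url)

def expand(url, lookup, max_hops=5):
    """Follow redirects hop by hop. Returns (chain, resolved)."""
    chain = [url]
    while len(chain) <= max_hops:
        target = lookup(chain[-1])
        if target is None:
            return chain, True          # reached a non-redirecting URL
        nxt = urljoin(chain[-1], target)  # Location may be relative
        if nxt in chain:
            return chain, False         # redirect loop
        chain.append(nxt)
    return chain, False                 # too many hops to trust

def is_blocked(host, blocklist):
    """Match the host or any parent domain against the blocklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def verdict(url, lookup=sample_lookup, blocklist=BLOCKLIST):
    """Classify a link by its whole chain, not by the shortener's domain."""
    chain, resolved = expand(url, lookup)
    if not resolved:
        return "unresolved", chain      # treat as suspicious, do not allow
    for hop in chain:
        if is_blocked(urlsplit(hop).hostname or "", blocklist):
            return "block", chain
    return "allow", chain

if __name__ == "__main__":
    for link in ("http://short.example/abc", "http://short.example/ok",
                 "http://short.example/loop"):
        print(link, "->", verdict(link))
```

The shortener's own domain never needs to be blocklisted; the decision rests on where the chain ends up and on every hop in between.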
