According to Trend Micro, the component automates the following routines: registering a Facebook account, confirming an e-mail address in Gmail to activate the registered account, joining random Facebook groups, adding “friends” and posting messages on their walls.
The point of doing all this, of course, is to infect more users. As it does so, Koobface tries to stay under the radar: it checks whether the account has reached the maximum number of friend requests, so as to avoid alerting Facebook administrators.
“Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook,” blogged Trend Micro Advanced Threats Researcher Jonell Baltazar. “All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered.”
The component fetches details from one of the botnet’s available proxy domains, Baltazar continued. The messages it posts on Facebook walls include a link to either a fake Facebook page or YouTube page hosting the Koobface loader component.
“Facebook users are advised to be careful and security-conscious,” Baltazar blogged. “It is probable that the Koobface botnet owns a particular Facebook account.”