Koobface Abandons Facebook for Easier Attack Vectors

Even a major social-networking worm like Koobface can have Facebook fatigue, as security researchers report that Koobface has not spread its malicious links using the site since February.

Koobface, the worm that wreaked havoc on Facebook last year appears to have stopped using the social-networking site to spread its malicious links, security researchers found.

The last time Koobface tried to infect users was around February 13, researchers at security firm FireEye noted on its Malware Intelligence Lab blog on April 8. The link the scammers used redirected victims to a fake YouTube video that they couldn't watch until they downloaded a specific codec file. The available codec turned out to be a malicious file crafted to compromise the system.

This is not a temporary move, according to Atif Mushtaq, senior threat analyst with anti-malware software provider FireEye. "A continued silence for about two months is not something that can be ignored," Mushtaq said.

Koobface was considered one of the most dangerous social-networking threats making the rounds in 2010. Koobface attackers sent instant-messaging spam to users with strange URLs and a suggestive message to encourage users to click. With the increasing popularity of URL shortening services such as goo.gl, tinyurl and bit.ly, users are no longer concerned about clicking on links that aren't legible or familiar. Since victims couldn't see the actual URL being sent in the messages, they were unaware the links pointed to malicious Websites until it was too late.

FireEye researchers were no longer seeing instructions from the Koobface botnet to zombie systems to post fake messages to compromised Facebook accounts, Mushtaq said. While the gang may not be using Facebook, Koobface the botnet remains alive and well. The FireEye team has observed about 153 live command-and-control servers in the past seven days, Mushtaq said. One active Koobface attack is currently promoting fake pharmaceuticals, said Mushtaq.

The Koobface gang may have decided that targeting Facebook users was no longer as lucrative and required too much effort, Mushtaq speculated. The attacks were "catching too much of the world's attention," and Facebook was proactively blocking malicious URLs, shutting down applications as fast as it found them, and going after known C&C servers.

"I have no doubt that the guys behind Koobface are using other channels to spread their creations," Mushtaq said. He said attackers could be using tactics such as pay-per-install, exploit kits and torrents to spread the malicious links instead of targeting Facebook users.

While Koobface appears to have left the field, there are plenty of attackers who are still targeting Facebook users. A bullying video made the rounds on April 7 exploiting a cross-site scripting flaw. Sophos security researchers noticed a new scam where users were tricked into copy-pasting JavaScript code directly into the browser's address bar. Instead of a malicious application, this scam is built around a Social Tagging Worldwide community. Before users can find out who has viewed their profile, they are asked to "verify" they are valid Facebook users by entering that malicious code, essentially launching a self-inflicted XSS attack.

A recent survey by Eclipse, a United Kingdom-based Internet service provider, found that more than half of British small businesses thought Koobface was a social networking site and 75 percent said they would not recognize a rogue link before clicking on it. Businesses need to be more aware about various malware threats that could propagate through social-networking sites such as Facebook, according to Eclipse.

The name "Koobface" is actually an anagram of "Facebook."