Koobface Variant Hits Facebook, Targets Other Social Networks

Written by Brian Prince
Mar 2, 2009

Researchers at Trend Micro are reporting that a new variant of the Koobface worm is spreading on Facebook.

Koobface first appeared in 2008, with separate variants striking members of Facebook and MySpace.com. Now the Koobface worm is back again, with an eye toward stealing cookies for other social networking sites.

According to Trend Micro, the new variant sends Facebook messages claiming to be from a friend. The messages link to a spoofed YouTube video. In an interesting social engineering ploy, the malicious landing page not only displays the friend’s name, but also a picture pulled from the person’s Facebook profile.

The page prompts the user to install a new version of Adobe Flash. Users who agree are redirected to a download site for the file setup.exe, which is the new Koobface variant. Trend Micro detects the worm as WORM_KOOBFACE.AZ, and reported March 1 that its researchers had seen more than 300 unique IP addresses hosting the .exe file.

Trend Micro is expecting to see more.

“We’re only flagging a few hits at the moment, but the complexity with which this threat has been created shows how much work has been done to social-engineer social networks with the end game of creating [botlike] accounts to send out third-party links to almost anything,” said Jamz Yaneza, a threat researcher at Trend Micro.

The latest iteration of the worm runs on Windows 98, ME, NT, 2000, XP and Server 2003. It sends and receives information by connecting to several servers, allowing hackers to remotely execute commands on a compromised machine.

Once installed, the worm searches for cookies created by a number of social networking sites, including MySpace.com, Hi5 Networks, MyYearbook.com and Bebo. After the cookies are located, the malware attempts to use the user log-in session information stored in the cookies to connect to the Web sites.

From there, it searches out the victim’s friends and sends an HTTP POST request to a rogue server. In reply, the server sends the message to the user’s contacts, with a link to where a copy of the worm can be downloaded.
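The sequence described above (a download of setup.exe, contact with several of the named social networking sites, then an HTTP POST to some other server) can be expressed as a proxy-log correlation. This is an added example, not code from Trend Micro or the original article; the log format, the 10-minute window, the three-site threshold and the sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit
# Sites whose cookies the article says the worm searches for.
SOCIAL = ("myspace.com", "hi5.com", "myyearbook.com", "bebo.com")
WINDOW = timedelta(minutes=10)  # assumed correlation window
MIN_SITES = 3                   # assumed threshold

# Constructed proxy log in time order: "timestamp client method url" (assumed format).
SAMPLE_LOG = """\
2009-03-01T10:00:05 10.0.0.21 GET http://203.0.113.7/setup.exe
2009-03-01T10:01:10 10.0.0.21 GET http://www.myspace.com/home
2009-03-01T10:01:12 10.0.0.21 GET http://hi5.com/friends
2009-03-01T10:01:15 10.0.0.21 GET http://www.bebo.com/friends
2009-03-01T10:01:30 10.0.0.21 POST http://198.51.100.9/submit
2009-03-01T10:03:00 10.0.0.34 POST http://www.myspace.com/status
"""

def site_of(host):
    host = host.lower()  # match the site itself or any subdomain of it
    return next((s for s in SOCIAL if host == s or host.endswith("." + s)), None)

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines
            ts, client, method, url = parts
            yield datetime.fromisoformat(ts), client, method, urlsplit(url)

def suspicious_clients(log):
    """Clients that fetch setup.exe, then within WINDOW touch at least
    MIN_SITES social sites and POST to a host that is not one of them."""
    state, hits = {}, []  # state: client -> (download time, sites seen)
    for ts, client, method, url in parse(log):
        if method == "GET" and url.path.lower().endswith("/setup.exe"):
            state[client] = (ts, set())
            continue
        if client not in state:
            continue
        start, sites = state[client]
        if ts - start > WINDOW:
            del state[client]  # too long after the download to correlate
            continue
        site = site_of(url.hostname or "")
        if site:
            sites.add(site)
        elif method == "POST" and len(sites) >= MIN_SITES:
            hits.append((client, url.hostname, sorted(sites)))
            del state[client]
    return hits

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

The heuristic is a triage signal, not a signature: a match means the client's traffic follows the order of events reported for this variant and deserves a closer look.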

“We’ve seen a lot of fine-tuning and development done in the underground - but this is an expected eventuality as the rich data from social networks and their reach become more widespread and use is accepted as regular online activity,” Yaneza said.