May 22, 2009

Koobface Worm Alive and Wriggling

I ran into this on an antivirus listserv. With so many folks using Facebook, I thought it worth making sure that it got as wide a distribution as possible. The original posting came from Trend Micro.

Shortly after a phishing attack that targeted the 200 million users of the immensely popular social networking site Facebook, another attack was launched by cybercriminals. This time, however, the attack targets not only Facebook users but also members of Tagged, Friendster, MySpace and other networking sites as well.

A new Koobface attack was found, which uses the very same fake YouTube site utilized in another recent Koobface attack, which scared users into breaking CAPTCHA codes for cybercriminals.

Once executed, the Koobface worm searches the affected system for cookies related to social networking sites, then attempts to extract login credentials from them. Once done, it sends an HTTP POST request to a remote server. The server then answers the request with data that triggers the creation of a message that contains a link to a copy of the worm. The said message is then sent to the contacts of the affected user.

Samples of this Koobface worm are detected by Trend Micro as WORM_KOOBFACE.ET, WORM_KOOBFACE.EY, and WORM_KOOBFACE.EX, while the Facebook phishing page has been blocked since May 15, 2008.

Here are previous reports related to Koobface:

Koobface Tries CAPTCHA Breaking
Bogus Facebook, Malware, and a Dancing Girl
New Variant of Koobface Worm Spreading on Facebook
Malevolent Social Networking: Now on Friendster
Worms Wriggling Their Way Through Facebook

Post from: TrendLabs Malware Blog - by Trend Micro

