No Thanks Koobface
Posted by Jon Larimer on November 25, 2009 at 3:22 PM EST.
This morning, eWeek published its IT Security Predictions for 2010 article, in which Robert Freeman and I were quoted regarding upcoming threats. I spoke to them about social networking threats, and coincidentally, within minutes of the article going live, I got this message from a friend on Facebook:
I was immediately suspicious of this link. First of all, I haven’t been in any videos recently. Second, the link was to a URL shortening service – bit.ly, and not one of the standard video publishing sites. Also, other than being initially friended by this person, we hadn't actually talked or exchanged messages with each other in years.
The bit.ly link forwards to a blogspot.com site, which includes some obfuscated JavaScript that sends you to another site. After a few rounds of forwarding, this page is displayed saying that I need to install Shockwave Flash:
Clicking the button prompts the browser to download setup.exe:
Setup.exe is a new variant of the Koobface trojan. I say it’s a new variant because only one of the 42 virus scanners on virustotal.com was able to detect it when it was first submitted. Now the detection rate is much higher, and most AV companies should have updated signature sets by the end of the day.
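Because signatures lagged behind this variant, the delivery chain itself (short link, several redirects, then an executable download) is a useful thing to look for in web proxy logs. The sketch below is an added example, not code from the original post: the log format, the 120-second window, the client addresses and every hostname other than bit.ly and blogspot.com are constructed assumptions.

```python
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly"}   # shortener named in the post; extend for your environment
WINDOW = 120              # seconds between short link and download (assumed threshold)

# Constructed proxy log: epoch seconds, client IP, requested URL
SAMPLE_LOG = """\
1259150000 10.0.0.5 http://bit.ly/EXAMPLE
1259150001 10.0.0.5 http://constructed-blog.blogspot.com/
1259150003 10.0.0.5 http://hop1.example.net/go
1259150005 10.0.0.5 http://landing.example.org/video
1259150020 10.0.0.5 http://landing.example.org/setup.exe
1259150000 10.0.0.9 http://bit.ly/EXAMPLE2
1259150002 10.0.0.9 http://news.example.com/story
1259151000 10.0.0.7 http://vendor.example.com/tools/setup.exe
"""

def find_chains(log_text, window=WINDOW):
    """Return [(client, exe_url, hosts visited since the short link)]."""
    rows = [l.split() for l in log_text.splitlines() if l.strip()]
    rows.sort(key=lambda r: int(r[0]))        # stable sort keeps same-second order
    active = {}                               # client -> (start_ts, [hosts])
    hits = []
    for ts, client, url in rows:
        ts = int(ts)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in SHORTENERS:                # a short link starts a new chain
            active[client] = (ts, [host])
            continue
        if client not in active:              # download with no short link before it
            continue
        start, hosts = active[client]
        if ts - start > window:               # too late to be the same click-through
            del active[client]
            continue
        if host != hosts[-1]:
            hosts.append(host)
        if parts.path.lower().endswith(".exe"):
            hits.append((client, url, hosts))
            del active[client]
    return hits

if __name__ == "__main__":
    for client, url, hosts in find_chains(SAMPLE_LOG):
        print(client, url, " -> ".join(hosts))
```

This is a time-window heuristic, so it will also flag legitimate downloads reached through a short link; treat hits as leads for review rather than verdicts.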
The Koobface trojan has been gaining more capabilities as it has evolved. It can spread via several social network sites by stealing your credentials and using the networks’ messaging capabilities to send the infectious link to your friends and family. It will download your profile information and send it to a remote server owned by the attackers. It will install a web server on your computer and spread links to that server, which keeps its malicious links from all being blacklisted. Once infected, your computer can be remotely controlled by these attackers, and they have the ability to send updates to your computer to give this trojan even more capabilities in the future.
Attacks like these involving social networks are increasingly common. Social networks are a relatively new avenue of attack for cyber criminals, at least compared to e-mail. Here are a few tips to prevent getting infected with a social-networking-based worm:
- Keep your antivirus software up to date! Most AV vendors publish updates every hour or even more frequently.
- Always be suspicious of links from friends, private and public. Facebook warns against third-party links when you click on them – heed the warning.
- Don’t save your password. Social network worms and Trojans will scour your computer for cookies that let them log on to these sites as you.
- Don’t click links in e-mails from social networks. It’s safer to manually log onto the site and check the messages there. The e-mail could be a phishing attempt or a link to malware.
For those of you in the US, have a happy and safe Thanksgiving. And remember everyone... just say "No Thanks to Koobface".

