Thursday, September 19, 2024

Koobface Returns To Facebook

Social networkers, you’ve been reclassified. You’re now sitting ducks, neatly corralled by the millions with six degrees of separation or less, and the infamous Koobface, new and improved, is using your friend as both decoy and digital bird flu carrier.

Reportedly the fourth rogue app to hit Facebook in a week, the new variant of the Koobface worm that once before terrorized the network poses as a social network friend, profile photo and all, and sends a message with a link to a video. The message claims the recipient is in the video.

Fake Friend Message

The link leads to a spoofed YouTube page, complete with video responses and comments listed beneath an unplayable video. A message on the video screen prompts the user to download the latest Adobe Flash Player. The download is actually an installation of setup.exe, which is in turn WORM_KOOBFACE.AZ, hosted at over 300 IP addresses, all of them hosting the file as HTML_KOOBFACE.BA.

Fake YouTube Site

Security researcher Rik Ferguson at Trend Micro discovered and revealed the new variant, which targets not only Facebook, but Hi5, Friendster, MyYearBook, MySpace, Bebo, Tagged, Netlog, Fubar, and LiveJournal.

“The worm connects to a respective site using login credentials stored in the gathered cookies. It then searches for an infected user’s friends, who are then sent messages containing a link where a copy of the worm is downloaded. It also sends and receives information from an infected machine by connecting to several servers. This allows hackers to execute commands on the affected machine.”

The sophistication and social engineering of the worm are pretty disturbing. Consider the line of trust barriers it breaks by impersonating trusted sources: a social networker’s personal network on a trusted social network, YouTube, and Adobe. In recent weeks we’ve also seen similar attacks on, involving, or spoofing users of URL shorteners, Twitter, Digg.com, and many Google services, including Gmail, Gtalk, Google Trends, and Google search results themselves.

Good antivirus programs should help detect and prevent installs, but also be wary of spoofed sites and fishy download prompts in the first place. If prompted to download Adobe Flash (and you don’t already have it), for example, go to Adobe’s website directly by manually keying it in and download from the official site.
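For defenders watching web proxy logs, the chain described above (a link in a social network message, a landing page, then an executable download from somewhere other than the vendor) can be flagged with a simple correlation. This is an added example, not code from Trend Micro or the article; the record format, the domain spellings for the named networks, the `adobe.com` allowlist and all sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains for the social networks named in the article (assumed spellings).
SOCIAL = {"facebook.com", "hi5.com", "friendster.com", "myyearbook.com",
          "myspace.com", "bebo.com", "tagged.com", "netlog.com",
          "fubar.com", "livejournal.com"}
# Assumed allowlist of domains permitted to serve a Flash Player installer.
VENDOR = {"adobe.com"}
EXECUTABLE_EXT = (".exe", ".scr", ".msi")

def host_of(url):
    """Lower-cased host of a URL, or '' when there is none."""
    return (urlsplit(url).hostname or "").lower()

def in_domains(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def find_lure_downloads(records):
    """records: iterable of (client, url, referrer) in time order.
    Returns (client, url) for executable downloads whose referring page
    was itself opened by that client from a social-network link."""
    landing = {}  # client -> hosts reached directly from a social network
    hits = []
    for client, url, referrer in records:
        host, ref_host = host_of(url), host_of(referrer)
        # Step 1: remember off-site hosts a client reached from a social network.
        if in_domains(ref_host, SOCIAL) and not in_domains(host, SOCIAL):
            landing.setdefault(client, set()).add(host)
        # Step 2: flag executables referred by such a landing host,
        # unless the file is served by the vendor itself.
        path = urlsplit(url).path.lower()
        if (path.endswith(EXECUTABLE_EXT)
                and ref_host in landing.get(client, set())
                and not in_domains(host, VENDOR)):
            hits.append((client, url))
    return hits

# Constructed sample proxy records (documentation-range IP, example domains).
SAMPLE = [
    ("10.0.0.5", "http://203.0.113.7/watch/", "http://www.facebook.com/inbox/"),
    ("10.0.0.5", "http://203.0.113.7/setup.exe", "http://203.0.113.7/watch/"),
    ("10.0.0.9", "http://get.adobe.com/flashplayer/install.exe",
     "http://get.adobe.com/flashplayer/"),
    ("10.0.0.9", "http://news.example.org/story", "http://www.facebook.com/home"),
]

if __name__ == "__main__":
    for client, url in find_lure_downloads(SAMPLE):
        print(f"review: {client} fetched {url}")
```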
 
 

 
