    Trend Micro Malware Blog

    Archive for March 1st, 2010

    A new KOOBFACE variant is again making the rounds in the social networking scene. According to Trend Micro advanced threats researcher Norman Ingal, the malware employs Facebook’s Private Message feature to proliferate.

    The threat arrives as a Facebook private message that does not bear a subject but contains a supposed link to a YouTube video. Taking a closer look at the link, however, indicates that it is not an authentic YouTube link as in previous attacks.

    Users who are tricked into clicking the link are redirected to other pages until they finally end up at a spoofed YouTube site called YuoTube.

    As in previously featured KOOBFACE-related attacks, users are asked to install a piece of rogue software, supposedly an Adobe Flash Player file, in order to play the video. In reality, the file is a worm detected by Trend Micro as WORM_KOOBFACE.IT.

    WORM_KOOBFACE.IT is notable for several reasons:

    • It connects to specific malicious sites to receive commands, which it then executes on affected systems.
    • It connects to malicious sites and downloads other malware, namely TROJ_AGENTT.EA and WORM_KOOBFACE.SMM.
    • It searches for social-networking-related cookies and uses the saved login sessions to connect to those sites. It then navigates through the users’ pages to find their friends. Once found, it sends an HTTP POST request to a remote server, which replies with the actual message text that the worm spreads.

    Users are advised to think twice before clicking embedded links in messages. Double-checking the legitimacy of URLs also helps. For more information on how to stay safe on social networking sites, please refer to Trend Micro’s “Security Guide to Social Networks.”

    Trend Micro™ Smart Protection Network™ protects product users by blocking access to malicious sites via the Web reputation service. It also detects and deletes malicious files such as WORM_KOOBFACE.IT, TROJ_AGENTT.EA, and WORM_KOOBFACE.SMM via the file reputation service.

    Non-Trend Micro product users can also stay safe from similar threats by using free tools such as Web Protection Add-On, which blocks access attempts to potentially malicious websites in real time.

    Phishing and its effects, namely, identity fraud, continue to grow. Unfortunately, it is now easier than ever to carry out these kinds of attacks.

    Cybercriminals now have access to a new tool known as Super Phisher (detected by Trend Micro as HKTL_SUPERPHISER), which creates a phishing page from a legitimate website.

    The tool creates all the files necessary for the phishing page such as an .HTML file that contains the actual page and a .PHP file that steals information and saves the stolen data to a .TXT file. In the screenshot below, note how the HTML page’s code refers to the local .PHP file and not the legitimate site (in this case, Yahoo!).

    [Screenshot: the generated HTML page’s code refers to the local .PHP file rather than the legitimate site]

    A would-be phisher then takes all the files and uploads these to a website under his/her control. This site could be a malicious, compromised, or even a free Web host that the phisher is abusing. It is then up to the phisher to lure users to the site he/she created.
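Phishing-kit output like the page described above can be recognized mechanically: the copied page keeps pulling the brand’s real stylesheet and logo, but its login form now submits to a local script rather than to the brand’s own domain. The following Python script is an added example, not Trend Micro’s code and not part of Super Phisher; the brand domain `example-mail.test`, the free-host URL and the two HTML pages are constructed for the demonstration.

```python
"""Added example (not Trend Micro's code): flag a cloned login page whose
form posts outside the domain it impersonates.

The kit described above copies a site's HTML and points the login form at a
local .PHP file that records credentials. A page that references the brand's
own assets yet sends the form somewhere else is a useful triage signal."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# All names and pages below are constructed for this example.
BRAND_DOMAIN = "example-mail.test"
CLONED_PAGE_URL = "http://free-host.test/~user/mail/index.html"
GENUINE_PAGE_URL = "https://login.example-mail.test/login"

CLONED_PAGE = """<html><head><title>Sign in to Example Mail</title>
<link rel="stylesheet" href="https://login.example-mail.test/css/login.css">
</head><body>
<img src="https://login.example-mail.test/img/logo.png">
<form method="post" action="login.php">
<input name="username"><input type="password" name="passwd">
<input type="submit" value="Sign In"></form>
</body></html>"""

# Same markup, but the form submits back to the brand's own host.
GENUINE_PAGE = CLONED_PAGE.replace('action="login.php"', 'action="/auth"')


class PageCollector(HTMLParser):
    """Gather every <form action> plus the hosts of linked assets (css, images, links)."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.asset_hosts = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing action means "post back to the current URL".
            self.form_actions.append(attrs.get("action") or "")
        for key in ("href", "src"):
            host = urlparse(attrs.get(key) or "").hostname
            if host:
                self.asset_hosts.add(host.lower())


def under_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def analyze_login_page(html, page_url, brand_domain):
    """Resolve each form action against page_url and report those that land
    outside brand_domain. Returns a dict so callers can act on the fields."""
    collector = PageCollector()
    collector.feed(html)
    off_brand = []
    for action in collector.form_actions:
        resolved = urljoin(page_url, action)
        host = (urlparse(resolved).hostname or "").lower()
        if not under_domain(host, brand_domain):
            off_brand.append(resolved)
    uses_brand_assets = any(under_domain(h, brand_domain) for h in collector.asset_hosts)
    return {
        "form_targets": off_brand,          # where credentials would actually go
        "uses_brand_assets": uses_brand_assets,
        "suspicious": bool(off_brand),
    }


if __name__ == "__main__":
    for name, html, url in (("cloned", CLONED_PAGE, CLONED_PAGE_URL),
                            ("genuine", GENUINE_PAGE, GENUINE_PAGE_URL)):
        print(name, analyze_login_page(html, url, BRAND_DOMAIN))
```

For the cloned page the relative `login.php` resolves to the free host, so `form_targets` names it and `suspicious` is true; the genuine page resolves `/auth` under the brand domain and reports nothing. A brand that serves its assets from a separate CDN domain would make `uses_brand_assets` false while still being legitimate, so the off-brand form target, not the asset check, is the field to act on.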

    While this tool lets cybercriminals create phishing pages with less effort and in less time, and so mount attacks more quickly as the need arises, users can still take steps to protect themselves.

    Although the pages created by this tool look identical to the legitimate site, they do not contain any code that obfuscates or manipulates the URL shown in the user’s browser. The phishing pages may appear completely legitimate, but the URLs they are hosted at do not.

    To guard against threats like these, users must always be careful about the sites they enter personal information into. They must check that a site not only looks legitimate but is also located at a legitimate URL. Cybercriminals may attempt to register domains with similar-looking names, but careful users should still be able to distinguish between authentic and possibly malicious sites.
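Both posts above come down to the same check: the KOOBFACE lure pointed at a spoofed “YuoTube” rather than YouTube, and Super Phisher pages sit at URLs that are not the brand’s. The following Python function is an added example, not Trend Micro’s code, of the URL check a mail or web gateway could apply before a user follows a link: it extracts the hostname, accepts the brand’s own domain and subdomains, and flags hostnames that contain the brand name or whose labels sit one edit or one transposition away from it. The sample URLs and the `example-host.test` and `login-check.test` domains are constructed.

```python
"""Added example (not Trend Micro's code): classify a link as legitimate,
lookalike or unrelated with respect to a brand domain.

'yuotube' is a single adjacent transposition away from 'youtube', which plain
Levenshtein distance counts as two edits; optimal string alignment distance
counts it as one, so typosquats of that shape are caught."""
from urllib.parse import urlparse


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, and
    swap of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_link(url, brand_domain):
    """Return 'legitimate', 'lookalike' or 'unrelated' for url against brand_domain.

    Only the hostname is examined: as the post notes, the kit does not hide or
    rewrite the URL, so the host is what the user (or a gateway) can verify."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    brand = brand_domain.lower()
    if not host:
        return "unrelated"
    # The brand's own domain and any subdomain of it.
    if host == brand or host.endswith("." + brand):
        return "legitimate"
    labels = host.split(".")
    brand_name = brand.split(".")[0]           # "youtube" for "youtube.com"
    # Brand name embedded anywhere else in the host, e.g. youtube.com.login-check.test
    # or youtube-videos.test, is a classic lure.
    if brand_name in host:
        return "lookalike"
    # Any label within one edit/transposition of the brand name, e.g. yuotube.
    # Caveat: very short brand names will produce false positives here.
    if min(osa_distance(label, brand_name) for label in labels) <= 1:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    for link in ("https://www.youtube.com/watch?v=abc",
                 "http://yuotube.example-host.test/video",
                 "http://youtube.com.login-check.test/",
                 "https://example.test/"):
        print(classify_link(link, "youtube.com"), link)
```

The “unrelated” verdict is not a clean bill of health; it only says the host makes no attempt to resemble the brand. A gateway would combine this with Web reputation data of the kind the post describes, and a production version would use a public-suffix list rather than treating every label alike.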

    Trend Micro™ Smart Protection Network™ detects malware such as HKTL_SUPERPHISER using the file reputation service and protects users from accessing malicious sites via the Web reputation service.

    Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which is designed to block access to possibly malicious websites in real time.

    Mar 1, 6:19 pm (UTC-7)

    Google recently announced its latest service, Google Buzz, which is considered the company’s first step into the social networking scene. Naturally, hordes of Internet users became interested in the new application. But the buzz also gained unwanted attention from cybercriminals, who have already used the service to spread malware detected by Trend Micro as WORM_PROLACO.AA.

    The worm terminates the MCAGENT.EXE process if found running on users’ systems. It also drops another malicious file detected as WORM_SPYBOT.MCS, which exhibits backdoor routines and terminates specific processes.

    WORM_PROLACO.AA poses an even greater danger to Mozilla Firefox users, as it installs a Firefox extension and Firefox Security 2.0 by creating specific files on affected systems. These extensions check the browser’s address bar for specific strings related to googlesearchserver, search, google.com, yahoo.com, bing.com, ask.com, and aol.com/aol/search?s_it. If one is found, the malware loads a page that triggers the display of ads on search results pages. The worm spreads further by sending email messages to addresses it gathers from affected systems. It also drops copies of itself into peer-to-peer (P2P) shared folders.

    Trend Micro product users need not worry, however, as Smart Protection Network™ blocks user access to malicious sites related to the pop-up ads via the Web reputation service and detects and deletes all related malware via the file reputation service.

    Non-Trend Micro product users can also stay protected via HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.

    © Copyright 2011 Trend Micro Inc. All rights reserved.