    New Variant of Koobface Worm Spreading on Facebook

    Watch a CNN segment where Rik Ferguson briefly talks about this threat.

    I just received a Facebook message from a friend; it was a pretty standard one that is beginning to look familiar to a lot of us, I am sure.

    Figure 1. Fake Facebook message

    What surprised me, though, was the page that the link led to. On the face of it, it is a very familiar-looking spoofed version of YouTube, complete with bogus comments from “viewers”.

    Figure 2. Fake YouTube website

    Take a second look, though: the link had taken me to a site supposedly hosting a video posted by the same person that I had received the Facebook message from. In fact, not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile. A very neat little piece of social engineering.

    Clicking the Install button redirects to a download site for the file setup.exe, which is the new Koobface variant detected as WORM_KOOBFACE.AZ. It is hosted on an IP address in another part of the world, and in the last hour we’ve seen 300+ unique IP addresses hosting setup.exe, and we’re expecting more. All IP addresses seen hosting this malicious file are now detected as HTML_KOOBFACE.BA.

    Analysis by our engineers reveals that WORM_KOOBFACE.AZ propagates through other social networking sites as well. It first searches for cookies created by the following sites:

    • facebook.com
    • hi5.com
    • friendster.com
    • myyearbook.com
    • myspace.com
    • bebo.com
    • tagged.com
    • netlog.com
    • fubar.com
    • livejournal.com

    The worm connects to the respective site using the login credentials stored in the gathered cookies. It then searches for the infected user’s friends and sends them messages containing a link from which a copy of the worm is downloaded. It also sends and receives information from the infected machine by connecting to several servers, which allows hackers to execute commands on the affected machine.
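
    Because the worm works from stored cookies, a responder cleaning an infected machine needs to know which of the ten sites had a live session there, so those sessions can be ended and the passwords reset. The following is an added example, not code from the original post or from Trend Micro; it assumes the browser's cookies have been exported in the Netscape cookies.txt format, and the sample export is constructed.

```python
# Added example for incident-response triage; not code from the original post.
import time

# The ten sites the post says WORM_KOOBFACE.AZ looks for cookies from.
TARGET_SITES = (
    "facebook.com", "hi5.com", "friendster.com", "myyearbook.com",
    "myspace.com", "bebo.com", "tagged.com", "netlog.com",
    "fubar.com", "livejournal.com",
)

def matching_site(cookie_domain):
    """Return the targeted site a cookie domain belongs to, or None."""
    host = cookie_domain.lower().lstrip(".")
    for site in TARGET_SITES:
        # Exact host or a true subdomain; "notfacebook.com" must not match.
        if host == site or host.endswith("." + site):
            return site
    return None

def exposed_sessions(cookies_txt, now=None):
    """Map each targeted site to the names of its unexpired cookies."""
    now = time.time() if now is None else now
    exposed = {}
    for line in cookies_txt.splitlines():
        # Some exporters prefix HttpOnly cookie records with this marker.
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        fields = line.split("\t")
        if line.startswith("#") or len(fields) != 7:
            continue  # comment, blank line or malformed record
        domain, _flag, _path, _secure, expiry, name, _value = fields
        site = matching_site(domain)
        # Expiry 0 marks a session cookie; count it as still usable.
        live = not (expiry.isdigit() and 0 < int(expiry) < now)
        if site and live:
            exposed.setdefault(site, []).append(name)
    return exposed

# Constructed sample export; names and values are placeholders.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    ".facebook.com\tTRUE\t/\tTRUE\t4102444800\tsession_a\tPLACEHOLDER",
    "#HttpOnly_www.hi5.com\tFALSE\t/\tFALSE\t0\tsession_b\tPLACEHOLDER",
    ".notfacebook.com\tTRUE\t/\tFALSE\t4102444800\tsession_c\tPLACEHOLDER",
    ".bebo.com\tTRUE\t/\tFALSE\t946684800\tsession_d\tPLACEHOLDER",
])

if __name__ == "__main__":
    print(exposed_sessions(SAMPLE))  # sites whose sessions need resetting
```

    Only cookie names are reported, never values, so the output can go into an incident ticket without copying session tokens around.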

    Users of the Trend Micro Smart Protection Network are protected from this threat, as both URL and malicious file are blocked and detected, respectively. Other users are advised to ignore such messages, and refrain from clicking links in unsolicited messages, even out of curiosity.

    108 Responses to “New Variant of Koobface Worm Spreading on Facebook”

    1. Jim Vincent Says:

      I just got this worm from Facebook – 8/22 or 8/23/09. It is spreading rapidly. I believe McAfee removed it — but not until it had sent messages to other Facebook users.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice