Nov 10, 8:36 am (UTC-7) | by Jonell Baltazar (Advanced Threats Researcher)

The Koobface botnet has pushed out a new component that automates the following routines:

  • Registering a Facebook account
  • Confirming an email address in Gmail to activate the registered Facebook account
  • Joining random Facebook groups
  • Adding Facebook friends
  • Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user who is starting to connect with friends on Facebook. Every Facebook account it registers is comparable to an account created by a human: the profile details are complete, including a photo, birth date, favorite music, and favorite books, among others. In addition, every registered account is unique; its details differ from those of every other account the component creates.

Koobface accomplishes these malicious activities by automating Internet Explorer to create and register the account. However, it does not proceed and terminates the process if the affected user is running Internet Explorer 6. Moreover, it checks whether it has already reached the maximum number of friend requests Facebook allows. Hence it stays under the radar and does not raise any alarm with Facebook administrators.

This component fetches details from one of the botnet’s available proxy domains.


The messages posted through Facebook’s wall contain a link that leads to the usual fake Facebook or YouTube page hosting the Koobface loader component.

Facebook users are advised to be careful and security conscious; any given Facebook account could well be one owned by the Koobface botnet. Fortunately, the Trend Micro Smart Protection Network continues to block the malicious URLs spammed by Koobface.

For more tips on using Facebook, users may opt to visit Facebook’s safety and security pages.



Nov 9, 4:56 am (UTC-7) | by Jonell Baltazar (Advanced Threats Researcher)

We are seeing another development from the Koobface botnet, this time abusing the Google-owned service Google Reader to spam malicious URLs in social networking sites such as Facebook, MySpace, and Twitter.

The Koobface gang used Google Reader accounts under its control to host pages containing an image that resembles a Flash movie. The URLs of these pages are spammed through the said social networks. When the user clicks the image or the title of the shared content, it leads to the all-too-familiar fake YouTube page that hosts the Koobface downloader component.


Google Reader is a free service offered by Google that allows users to monitor websites for new content and to share content from those websites. Anyone online can view shared items, since they are made public. Sharing a Google Reader item publicly is easy: a user simply clicks the share icon in his or her Reader page, and the content appears on his or her public page.

Cybercriminals abused this public-sharing feature to spam malicious links from the Google Reader domain.

We have already contacted Google about this matter so that the malicious content can be removed. As of now, we have found 1,300 Google Reader accounts used in this attack. The spam URLs hosted through these accounts are now blocked.


Nov 7, 10:04 pm (UTC-7) | by Verna Sagum (Fraud Analyst)

Trend Micro security experts received email messages that supposedly came from Facebook. The messages ask recipients to update their login credentials for security purposes and instruct them to click the URL provided in the message. When the user clicks the URL, it leads to a spoofed Facebook website where only the password has to be entered, as the email address has already been filled in automatically.

Once users hit the “Login” button, they are redirected to another fraudulent page that provides a link to download a suspicious update tool file. Trend Micro detects this file as TROJ_ZBOT.CDX.

As of this writing, the phishing URL and the malicious file have already been blocked and detected via the Trend Micro Smart Protection Network.

This is a great example of how cunning cybercriminals can be in their efforts to steal precious information. They even claimed to offer recipients security, which is really ironic. Not everyone, though, may be as hard to fool as, say, security experts. So how can you tell if your personal information is being phished? Here are some useful tips:

  • Check the email’s content. Misspellings and grammatical mistakes are very common in spammed messages.
  • Do not click embedded links. If you need to update your login credentials, go to the site’s homepage and log in from there.
  • Check the URL in the message body. A legitimate Facebook link will not continue beyond .com, as the links in the two bogus email messages do.
  • Check the time stamps. Facebook has millions of users worldwide so it really is very unlikely that the site’s administrator will send out email messages to all users within the same day.
  • Check the sender’s email address. A legitimate Facebook email sender will have a facebook.com and not a facebookmail.com address.
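
Two of these tips, the sender-domain check and the link-host check, can be applied mechanically. The script below is an added example, not code from the original post; the sample message and its .example lookalike host are constructed, and the checks follow the post's own rule that a legitimate host is facebook.com or a subdomain of it and nothing that merely continues past it.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not taken from the original post); the .example
# host is a placeholder lookalike of the kind the tips above warn about.
SAMPLE_EMAIL = """\
From: Facebook Security <security@facebookmail.com>
To: user@example.org
Subject: Update your account information

Please confirm your login details at
http://www.facebook.com.account-check.example/login
"""

LEGIT_DOMAIN = "facebook.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def host_belongs_to(host, domain):
    """True only if host is exactly `domain` or a subdomain of it, so a
    lookalike such as facebook.com.account-check.example is rejected."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_phish_indicators(raw_message):
    """Apply two of the tips above: the sender's domain and the host of every
    embedded link. Returns a list of findings (empty means nothing flagged)."""
    msg = message_from_string(raw_message)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].partition("@")[2].lower()
    if not host_belongs_to(sender_domain, LEGIT_DOMAIN):
        findings.append(f"sender domain {sender_domain!r} is not {LEGIT_DOMAIN}")
    for url in URL_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        if not host_belongs_to(host, LEGIT_DOMAIN):
            findings.append(f"link host {host!r} is not under {LEGIT_DOMAIN}")
    return findings

if __name__ == "__main__":
    for finding in check_phish_indicators(SAMPLE_EMAIL):
        print("FLAG:", finding)
```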

Don’t be just another victim. Keep in mind that cybercriminals will do just about anything to fool those who let their guards down.

Additional text by Det Caraig


Nov 5, 3:28 am (UTC-7) | by JM Hipolito (Technical Communications)

Anyone who has ever played a video game—whether in an arcade, using a gaming console, or on a PC—knows how a good kill can get one all excited and pumped up. Games that involve killing certain entities give us the thrill of being in such an exhilarating situation, without suffering any serious consequence. A certain Mac OS X game called Lose/Lose has been getting attention for its rather controversial effects.

The game, created by Zach Gage, somewhat resembles the format of the popular game Space Invaders, wherein the player is represented by a spacecraft and the goal is to kill the aliens placed all over the screen. Gage’s game, however, has a different twist, which has been causing quite a stir.

The new twist in Lose/Lose is that the aliens in the game—the ones that the player must kill to stay in the game—represent random files in the user’s system. Whenever the user kills an alien, the file the alien represents is deleted. Should the user refuse to kill the aliens, he/she will lose and the game itself will be deleted.

This consequence of playing the game is clearly stated on Gage’s website, where the game can be downloaded.


Gage describes his creation as a means to answer the question: “Why do we assume that because we are given a weapon and awarded for using it, that doing so is right?” Curious intentions or not, however, the game presents high risks and may very easily be abused. A user who acquires the file without knowing its effects may end up with a large number of critical files deleted.

The file has thus been classified as malware and is now detected as OSX_LOSEGAM.A. The game tests the user’s killer instinct: the user is placed in a situation where he/she is handed a weapon and told that his/her survival depends on killing his/her prey. Using natural human reactions to trigger certain actions may be a form of research to some, but what we see is this: a social engineering technique.

Mac users can get protection from this and other threats by using Trend Micro Smart Surfing for Mac.


Nov 4, 3:05 am (UTC-7) | by Det Caraig (Technical Communications)

Worm Exploits MS08-067 Bug

DOWNAD, also known as the Conficker worm, was first seen in the wild taking advantage of the MS08-067 vulnerability. True to form, it propagated via network shares. Like its predecessors—the Sasser and Nimda worms—it also raised security concerns over a spike in port 445 activity.

A few days after its appearance, reports suggested that the threat had spread. More than 500,000 unique hosts spread across networks in the United States, China, India, the Middle East, Europe, and Latin America fell prey to the threat. Several residential broadband service providers also reported having an even larger number of infected customers.

New Year, New Variant

In January of this year, a few security websites and media outlets reported a wave of detections of another DOWNAD variant.

This variant first sent exploit packets for a Microsoft Server Service vulnerability to every machine on the network and to several randomly selected targets over the Internet. It then dropped a copy of itself in the Recycler folder of all available removable and network drives and created an obfuscated autorun.inf file on these drives so that it would execute whenever a user browsed a network folder or removable drive, without the user actually clicking the file. It then enumerated the available servers on the network and, using this information, gathered a list of user accounts on those machines.

Afterward, it ran a dictionary attack against these accounts using a predefined password list. If it succeeded, it dropped a copy of itself on those systems and used a scheduled task to execute the worm.
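
The dictionary attack described above leaves a very recognizable trace on the targeted file servers: a burst of failed logons from one source against one or more accounts, sometimes followed by a success. The detector below is an added example, not part of the original post; the log lines and their key=value format are constructed, and the threshold and window are assumptions a defender would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a simplified key=value format (not real DOWNAD
# telemetry). A real deployment would parse the file servers' Windows Security
# events instead (529/4625 failed logon, 528/4624 successful logon).
SAMPLE_LOGS = """\
2009-01-15 03:12:01 host=FS01 result=FAILURE user=admin src=10.0.0.23
2009-01-15 03:12:01 host=FS01 result=FAILURE user=admin src=10.0.0.23
2009-01-15 03:12:02 host=FS01 result=FAILURE user=admin src=10.0.0.23
2009-01-15 03:12:02 host=FS01 result=FAILURE user=backup src=10.0.0.23
2009-01-15 03:12:03 host=FS01 result=FAILURE user=backup src=10.0.0.23
2009-01-15 03:12:03 host=FS01 result=SUCCESS user=backup src=10.0.0.23
2009-01-15 03:20:10 host=FS01 result=FAILURE user=jdoe src=10.0.0.41
2009-01-15 03:20:45 host=FS01 result=SUCCESS user=jdoe src=10.0.0.41
"""

def parse_line(line):
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict with a datetime."""
    fields = dict(kv.split("=", 1) for kv in line[20:].split())
    fields["ts"] = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return fields

def detect_password_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag (source, target) pairs with >= threshold failed logons inside `window`
    and record whether a successful logon from that source followed the burst."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_pair[(ev["src"], ev["host"])].append(ev)
    alerts = []
    for (src, host), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "FAILURE"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last_fail = burst[-1]["ts"]
            alerts.append({
                "src": src, "host": host, "failures": len(burst),
                "accounts": sorted({e["user"] for e in burst}),
                "followed_by_success": any(e["result"] == "SUCCESS" and e["ts"] >= last_fail
                                           for e in events),
            })
            break  # one alert per (source, target) pair is enough
    return alerts
```

A single slow failure followed by a success (the 10.0.0.41 lines) is an ordinary typo and is not flagged; the five-failures-then-success burst from 10.0.0.23 is the pattern worth an incident ticket.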

Improved Domain Generation Functionality

In March, the most hyped DOWNAD variant reared its ugly head. WORM_DOWNAD.KK’s additional features included an increased number of generated domains, from the 250 generated by earlier variants to 50,000.

While it only attempted to connect to around 500 randomly selected domains at a time, this modification was seen as an effort to increase the botnet’s chances of survival until it was set to unleash its enigmatic payload on April Fools’ Day.
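
To see why the jump to 50,000 domains matters even though only about 500 are contacted, here is an added calculation (not part of the original post) of the bot's chance of reaching at least one domain that defenders have not pre-registered or sinkholed. It assumes the 500 domains are drawn uniformly at random without replacement from the day's pool, which is a simplification of the real selection logic.

```python
from fractions import Fraction
from math import comb

def survival_probability(total_domains, contacted, blocked):
    """Probability that at least one of `contacted` domains, drawn uniformly
    without replacement from a pool of `total_domains`, is NOT among the
    `blocked` ones defenders control (assumed uniform selection).
    P(all contacted are blocked) = C(blocked, contacted) / C(total, contacted)."""
    if contacted > total_domains or blocked > total_domains:
        raise ValueError("contacted and blocked must not exceed total_domains")
    all_blocked = Fraction(comb(blocked, contacted), comb(total_domains, contacted))
    return float(1 - all_blocked)

def coverage_table(total_domains, contacted, coverages):
    """Survival probability at several defender coverage fractions of the pool."""
    return {c: survival_probability(total_domains, contacted, int(total_domains * c))
            for c in coverages}

if __name__ == "__main__":
    # Earlier variants generated 250 domains a day; WORM_DOWNAD.KK generates
    # 50,000 and contacts about 500. How many contacted for the 250 case is an
    # assumption here: the whole pool.
    for total in (250, 50_000):
        print(total, coverage_table(total, min(500, total), (0.5, 0.9, 0.98, 1.0)))
```

With 50,000 candidates, blocking 98% of them still leaves the bot a better than 99.99% chance of finding a live domain on any given day; only complete coverage of the pool starves it.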

DOWNAD Uses P2P

April 1 came and went. No signs of the DOWNAD worm were seen until a week later. Threat researchers keeping an eye out for new DOWNAD-related activity saw a new file—the newest worm variant—in infected systems’ Windows Temp folder, created exactly on April 7, 2009 at 07:41:21. What was odd was that no HTTP download took place around that time; instead, a large encrypted TCP response from a known DOWNAD/Conficker peer-to-peer (P2P) node, hosted somewhere in Korea, was found.

This variant:

  • was set to stop running on May 3, 2009;
  • ran using random file and service names;
  • deleted dropped components afterward;
  • propagated via an exploit to external IP addresses if the system had Internet access, or to local IP addresses if it did not;
  • opened port 5114 and served as an HTTP server, announcing itself by broadcasting an SSDP request; and
  • connected to sites such as MySpace, MSN, and eBay.

Infection Peaks

In a span of just four months (November 2008–February 2009), the DOWNAD infection count grew from around 500,000 PCs to a peak of 9 million PCs. It certainly wreaked a lot of damage, taking advantage of exploits and social engineering ploys to spread malicious code. DOWNAD was used to create a botnet that can be utilized for the usual range of threats that lurk on the Web—spamming, distributed denial of service (DDoS) attacks, and spreading FAKEAV. According to Trend Micro Advanced Threats Researcher Ryan Flores, “DOWNAD/Conficker opened the IT security industry’s eyes by exposing several truths and areas that IT professionals commonly overlook.”

Updated Patches Still Key

It has been a year since DOWNAD/Conficker first infected PCs. If we have learned anything from this experience, it should be that most worms spread by exploiting network-based vulnerabilities. That is why it is very important to secure connected devices and keep them up to date with the latest patches.

Of course, this would be hard to do if you use pirated software. So using legitimate software copies is also key to keeping data and even your identity secure, especially in today’s worsening threat landscape.


© Copyright 2009 Trend Micro Inc. All rights reserved.