A new KOOBFACE variant is again making the rounds in the social networking scene. According to Trend Micro advanced threats researcher Norman Ingal, the malware employs Facebook’s Private Message feature to proliferate.
The threat arrives as a Facebook private message with no subject line that contains a supposed link to a YouTube video. A closer look at the link, however, shows that, as in previous attacks, it is not an authentic YouTube URL.
Users who are tricked into clicking the link are redirected to other pages until they finally end up at a spoofed YouTube site called YuoTube.
Similar to previously featured KOOBFACE-related attacks, users are asked to install rogue software, supposedly an Adobe Flash Player file, in order to play the said video. The file is in reality a worm detected by Trend Micro as WORM_KOOBFACE.IT.
WORM_KOOBFACE.IT is notable for several reasons:
- It connects to specific malicious sites to receive commands and executes these on affected systems.
- It connects to malicious sites and downloads other malware, namely, TROJ_AGENTT.EA and WORM_KOOBFACE.SMM.
- It searches the affected system for social-networking-related cookies and uses the saved login sessions they hold to connect to those sites without needing the user's password. It then navigates through the user's pages to find their friends. Once found, it sends an HTTP POST request to a remote server, which replies with data containing the actual message the worm will spread to those friends.
Users are advised to think twice before clicking embedded links in messages, even ones that appear to come from friends. Double-checking the legitimacy of URLs also helps. For more information on how to stay safe on social networking sites, please refer to Trend Micro’s “Security Guide to Social Networks.”
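The “YuoTube” spoof above is a typosquat: a domain one or two characters away from the real one. The following script is an added example (not code from Trend Micro or from the original post) of the kind of URL legitimacy check the advice refers to. It classifies a link as trusted, a look-alike of a known brand domain, suspicious (a userinfo trick such as `youtube.com@evil.example`), or unknown. The trusted-domain list, the `evil.example` and `news.example` hosts, and the two-character edit-distance threshold are assumptions chosen for illustration; the registered-domain extraction is deliberately naive (last two labels) and a real tool would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed list of brand domains whose look-alikes we want to catch.
TRUSTED_DOMAINS = {"youtube.com", "facebook.com"}


def levenshtein(a, b):
    """Plain Levenshtein edit distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Naive registered domain: last two labels.

    Assumption: adequate for .com-style TLDs used in this example; it is
    wrong for suffixes like co.uk, which need the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, domain) for a link found in a message.

    verdict is one of: "trusted", "lookalike", "suspicious", "unknown", "invalid".
    For "lookalike" the second element is the brand domain being imitated.
    """
    parts = urlsplit(url)
    host = parts.hostname  # strips userinfo and port, lower-cases the host
    if parts.scheme not in ("http", "https") or host is None:
        return ("invalid", None)
    reg = registered_domain(host)
    # http://youtube.com@evil.example/ - the part before "@" is ignored by the
    # browser but is what a casual reader sees first.
    if parts.username is not None:
        return ("suspicious", reg)
    if reg in trusted:
        return ("trusted", reg)
    # Brand used as a subdomain of an unrelated registered domain,
    # e.g. www.youtube.com.evil.example
    for brand in trusted:
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return ("lookalike", brand)
    # Typosquats: registered domain within max_distance edits of a brand.
    best = None
    for brand in trusted:
        d = levenshtein(reg, brand)
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    if best is not None:
        return ("lookalike", best[0])
    return ("unknown", reg)


if __name__ == "__main__":
    # Constructed sample links, including a YuoTube-style typosquat.
    for link in ("http://www.youtube.com/watch?v=abc",
                 "http://www.yuotube.com/video",
                 "http://www.youtube.com.evil.example/v",
                 "http://youtube.com@evil.example/",
                 "https://news.example/story"):
        print(link, "->", classify_url(link))
```

A verdict of "lookalike" or "suspicious" is the cue to stop and not click; "unknown" only means the domain is not one of the brands on the list, so the user still has to judge it on its own merits.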
Trend Micro™ Smart Protection Network™ protects product users by blocking access to malicious sites via the Web reputation service. It also detects and deletes malicious files such as WORM_KOOBFACE.IT, TROJ_AGENTT.EA, and WORM_KOOBFACE.SMM via the file reputation service.
Non-Trend Micro product users can also stay safe from similar threats by using free tools such as Web Protection Add-On, which blocks access attempts to potentially malicious websites in real time.