Twitter is a very popular platform for expressing whatever is on a user’s mind, making it a favorite target of malware authors. Trend Micro has published several blog entries that discussed attacks on Twitter. Now, the creators of Koobface have included a new component in the malware to target the vast number of Twitter users. It arrives with the latest update to the Koobface loader binary and other known Koobface components that target social networking sites like Facebook, MySpace, Hi5, Bebo, Tagged, and Netlog.
The new component posts tweets from a victim’s Twitter account, using Internet-browsing cookies to log in to the target user’s account. Tweets are more likely to be posted successfully when the victim is logged on to his/her Twitter account while the ‘evil’ Koobface binary runs in the background.
Figure 1. Twitter account of an infected PC
The supposed tweets are retrieved from a Koobface C&C domain and use Tinyurl.com to shorten, and to some extent obfuscate, the URL included in the message.
Figure 2. Network stream of an affected PC
Visiting the posted URL leads to a Koobface redirector page that opens the same old ‘fake’ YouTube page, which hosts the Koobface loader posing as an Adobe Flash Player update, also known as the infamous setup.exe.
Figure 3. Fake YouTube page that installs setup.exe
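The chain described above (shortened link, redirector, executable download) leaves a recognizable sequence in web proxy logs. The following is an added detection example, not part of the original post: the log format, the .example hostnames, the shortened paths and the 120-second window are all constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, client IP, method, URL (format is an assumption).
SAMPLE_LOG = """\
2009-06-25T10:00:01 10.0.0.5 GET http://tinyurl.com/example1
2009-06-25T10:00:02 10.0.0.5 GET http://redirector.example/go/
2009-06-25T10:00:04 10.0.0.5 GET http://fake-video.example/youtube/
2009-06-25T10:00:09 10.0.0.5 GET http://fake-video.example/youtube/setup.exe
2009-06-25T10:05:00 10.0.0.7 GET http://tinyurl.com/example2
2009-06-25T10:05:03 10.0.0.7 GET http://news.example/story.html
2009-06-25T10:20:00 10.0.0.7 GET http://vendor.example/tools/setup.exe
2009-06-25T11:30:00 10.0.0.9 GET http://vendor.example/tools/setup.exe
"""

SHORTENERS = {"tinyurl.com"}     # the shortener named in the post
WINDOW = timedelta(seconds=120)  # assumed correlation window


def parse(line):
    """Split one log line into (timestamp, client, parsed URL)."""
    ts, client, _method, url = line.split()
    return datetime.fromisoformat(ts), client, urlsplit(url)


def find_shortlink_exe_chains(log_text, window=WINDOW):
    """Return (client, short_url, exe_url) for each .exe fetch that follows a
    shortened-link click by the same client within `window`."""
    last_short = {}  # client -> (timestamp, shortened URL) of the latest click
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = parse(line)
        if (url.hostname or "").lower() in SHORTENERS:
            last_short[client] = (ts, url.geturl())
        elif url.path.lower().endswith(".exe") and client in last_short:
            short_ts, short_url = last_short[client]
            # Only correlate downloads that closely follow the click.
            if timedelta(0) <= ts - short_ts <= window:
                hits.append((client, short_url, url.geturl()))
    return hits


if __name__ == "__main__":
    for client, short_url, exe_url in find_shortlink_exe_chains(SAMPLE_LOG):
        print(f"{client}: {short_url} -> {exe_url}")
```

Only 10.0.0.5 is flagged: 10.0.0.7 fetches an executable long after its shortened-link click, and 10.0.0.9 never used a shortener.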
As with earlier Koobface-related attacks, however, Trend Micro product users need not worry about being infected as Smart Protection Network already blocks malicious sites and files from running on their systems. They should, however, still keep in mind that an ounce of prevention is always better than a pound of cure.
Related posts on Koobface:
- Koobface Worm Alive and Wriggling
- Koobface Tries Captcha-Breaking
- Bogus Facebook Malware and a Dancing Girl
Twitter, likewise, was never that safe from attacks:
- Another Sex Tape, Another Malware Attack
- Wholesale Redirects to Malware Averted For Now
- Iran Street Protests Paralleled by DDoS Attacks
Update on June 28:
Setup.exe is now detected as WORM_KOOBFACE.DC. It has the ability to fetch information from the affected PC and to send said info to URLs via HTTP POST.
Moreover, Koobface writers immediately updated their mal-tweets, cleverly using current events related to Michael Jackson’s death. Luckily, the URL included in the message did not change and is still being blocked by Smart Protection Network.
Along with the updated tweets is an update of a Koobface binary (TROJ_KOOBFACE.AJ) targeting Facebook. This binary is already being processed. More details will be provided as analysis progresses.