    6:23 pm (UTC-7)   |    by

    Twitter is a very popular platform for expressing whatever is on a user’s mind, making it a favorite target of malware authors. Trend Micro has published several blog entries that discussed attacks on Twitter. Now, the creators of Koobface have included a new component in the malware to target the vast number of Twitter users. It arrives with the latest update to the Koobface loader binary and the other known Koobface components that target social networking sites like Facebook, MySpace, Hi5, Bebo, Tagged, and Netlog.

    The new component posts tweets from a victim’s Twitter account, using Internet-browsing cookies to log in to the target user’s account. Tweets are more likely to be posted successfully when the victim is logged on to his/her Twitter account while the ‘evil’ Koobface binary runs in the background.

    Figure 1. Twitter account of an infected PC

    The supposed tweets are retrieved from a Koobface C&C domain and use a URL-shortening service to shorten and somewhat obfuscate the URL included in the message.

    Figure 2. Network stream of an affected PC

    Visiting the posted URL leads to a Koobface redirector page that opens the same old ‘fake’ YouTube page, which hosts the Koobface loader posing as an Adobe Flash Player update, also known as the infamous setup.exe.

    Figure 3. Fake YouTube page that installs setup.exe

    As with earlier Koobface-related attacks, however, Trend Micro product users need not worry about being infected as Smart Protection Network already blocks malicious sites and files from running on their systems. They should, however, still keep in mind that an ounce of prevention is always better than a pound of cure.

    Related posts on Koobface:

    Twitter, likewise, was never that safe from attacks:

    Update on June 28:

    Setup.exe is now detected as WORM_KOOBFACE.DC. It has the ability to fetch information from the affected PC and to send said info to URLs via HTTP POST.

    Moreover, Koobface writers immediately updated their mal-tweets, cleverly using current events related to Michael Jackson’s death. Luckily, the URL included in the message did not change and is still being blocked by Smart Protection Network.

    Along with the updated tweets is an update of a Koobface binary (TROJ_KOOBFACE.AJ) targeting Facebook. This binary is already being processed. More details will be provided as analysis progresses.
