The holidays will be a time for refreshing connections, both in the real world and online. Sadly, a ZLOB variant is being used by cybercriminals in a recent, predictable spin on social-networking malware. Users of Friendster, a social networking site hugely popular in Asia, may have recently received an email via the site’s internal messaging utility that entices them to view a video.
Figure 1. Users receiving email via Friendster may feel safe since the email arrives within the Friendster zone. However, the email links to an external site.
In this particular case, the link is a front for a quick redirection that leads the user to a fake video site. There, the user is told the video cannot be viewed because the player is out of date (in this case, the required "update" pretends to be Adobe Flash Player). The site is named “YuoTube”, the cybercriminals’ attempt to pass as the legitimate and popular video site YouTube.
Figure 2. The “YuoTube” site features the purported video, but users cannot view it without installing a certain update for the video player.
Figure 3. A file with the ubiquitous name “setup.exe” is then downloaded onto the system. It is a ZLOB variant.
Since early November we have been observing an increasing number of social networking malware campaigns, whose main modus operandi is to trick users into clicking a link that then downloads other malicious files. The link gains much of its credibility from arriving via the social networking site’s own internal messaging functionality.
The sender will often appear to be one of the user’s contacts, which increases the likelihood that users will click on the link. The WORM_KOOBFACE family (one of the earliest members being WORM_KOOBFACE.E, and the latest WORM_KOOBFACE.AC) specializes in propagating via social networking sites. These worms propagated mostly on Facebook but have been seen expanding operations to other networking sites such as Hi5 and Bebo. They are also able to get past CAPTCHAs.
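The two tells described above, a link that leaves the site’s own domain (Figure 1) and a destination whose name imitates a well-known brand (“YuoTube”), can both be checked mechanically before a user ever clicks. The following Python is an added example written for this post, not code from the original article or from any vendor; it assumes a platform domain of friendster.com, a short list of brand domains to protect, a constructed sample message (the “yuotube.example” host is invented), and a naive “last two labels” notion of a registrable domain. It unwraps one level of redirect from a query parameter without touching the network and reports external and lookalike destinations.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample message in the style described in the post (not a real capture).
# "yuotube.example" is a made-up lookalike host; the lure text is invented.
SAMPLE_MESSAGE = (
    "hey, is this you in this video?? lol\n"
    "http://www.friendster.com/redir?u=http://www.yuotube.example/watch?v=9a1\n"
    "my profile: http://www.friendster.com/profile/12345\n"
)

# Assumptions: the platform's own domain(s) and the brands worth protecting.
PLATFORM_DOMAINS = {"friendster.com"}
BRAND_DOMAINS = {"youtube.com", "adobe.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
LOOKALIKE_MAX_DISTANCE = 2


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so a swapped pair like 'yuotube' vs 'youtube' costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification (assumption): no public-suffix
    list, so multi-label suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def unwrap_redirect(url: str) -> str:
    """If a query parameter carries another http(s) URL (the redirector pattern
    in Figure 1), return that inner URL; otherwise return the URL itself."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return url


def lookalike_brand(domain: str) -> Optional[str]:
    """Return the brand domain this registrable domain imitates, or None."""
    if domain in BRAND_DOMAINS:
        return None  # the genuine site
    label = domain.split(".")[0]
    for brand in sorted(BRAND_DOMAINS):
        if osa_distance(label, brand.split(".")[0]) <= LOOKALIKE_MAX_DISTANCE:
            return brand
    return None


def analyze_message(text: str) -> List[Dict]:
    """Extract every link, unwrap one level of redirect, and flag links that
    leave the platform or imitate a known brand."""
    findings = []
    for url in URL_RE.findall(text):
        final = unwrap_redirect(url)
        domain = registrable_domain(urlparse(final).hostname or "")
        findings.append({
            "url": url,
            "destination": domain,
            "external": domain not in PLATFORM_DOMAINS,
            "lookalike_of": lookalike_brand(domain),
        })
    return findings


def suspicious_links(text: str) -> List[Dict]:
    """Only the findings a reviewer would want to see."""
    return [f for f in analyze_message(text) if f["external"] or f["lookalike_of"]]


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_MESSAGE):
        print(finding)
```

Run on the sample, the redirector link is reported as external with destination yuotube.example imitating youtube.com, while the profile link on the platform’s own domain is left alone. A production version would replace the two-label domain heuristic with a public-suffix list and would add a check that the downloaded file is actually served by the software vendor, which is the advice the post closes with.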
As always, users are advised to be wary of unsolicited messages. Also, download software and software updates only from the software vendor’s own site or via auto-update features (these can be enabled in most programs’ settings).