The Koobface botnet has pushed out a new component that automates the following routines:
- Registering a Facebook account
- Confirming an email address in Gmail to activate the registered Facebook account
- Joining random Facebook groups
- Adding Facebook friends
- Posting messages to Facebook friends’ walls
Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered.
Koobface accomplishes these malicious activities by automating Internet Explorer to perform the task of creating and registering an account. However, it does not proceed and will terminate the process if the affected user is using Internet Explorer 6. Moreover, it employs a check if it has already reached the maximum friend requests set by Facebook or not. Hence, it keeps itself under the radar and does not cause any alarm to Facebook administrators.
This component fetches details from one of the botnet’s available proxy domains.
The messages posted through Facebook’s wall contain a link that leads to the usual fake Facebook or YouTube page hosting the Koobface loader component.
Facebook users are advised to be careful and security conscious. It is probable that the Koobface botnet owns a particular Facebook account. It is a good thing that the Trend Micro Smart Protection Network continues to block malicious URLs spammed by Koobface.
For more tips on using Facebook, users may opt to visit Facebook’s safety and security pages: