November 10th, 2008

Koobface Facebook worm still spreading

Posted by Dancho Danchev @ 8:25 am

Categories: Botnets, Browsers, Facebook, Hackers, Malware, Passwords, Social Networking Applications, Viruses and Worms, Web 2.0

Tags: Security, Koobface, MySpace, Dancho Danchev

Originally spreading since July, the Koobface worm remains active according to a recent security alert issued by Websense:

“The email reveals that infected user accounts are being used to post messages to Facebook friends lists. The content was an enticing message with a link that used a Facebook open redirector. When recipients click the link, they are automatically redirected multiple times, finally reaching a site masquerading as YouTube that serves a malicious Trojan downloader.”

Koobface continues relying primarily on already compromised Facebook accounts as the foundation for its social engineering campaigns, the passwords to which the malware campaigners obtain through a changing set of tactics. How is Facebook responding to the persistent abuse of its services, and how are the tactics of the campaigners going to evolve in the long term?
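The alert above describes an open redirector being chained into a fake video site. As an added example (not code from the post, from Websense or from Facebook), the following redirect-target check shows the defensive side: a redirect endpoint should only send users to an allowlisted host, and the check must survive the usual bypass patterns (protocol-relative `//host`, userinfo `trusted@evil`, look-alike subdomains, backslashes and non-HTTP schemes). The hosts and the sample redirect chain are constructed for the example.

```python
from urllib.parse import urlsplit, urljoin

# Constructed allowlist: the hosts our own redirect endpoint may send users to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
SITE_ROOT = "https://www.example.com/"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on an allowed host.

    Rejects what naive "starts with our domain" checks let through:
    other schemes (javascript:, data:), protocol-relative //host,
    backslash/slash confusion, userinfo tricks (https://trusted@evil)
    and look-alike subdomains (www.example.com.evil.example.net).
    """
    if not target or any(c in target for c in "\r\n\x00"):
        return False
    # Browsers treat '\' like '/' when parsing the authority part; normalise
    # first so "https:\\evil" is seen as "https://evil" rather than a path.
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, ftp: ...
    if parts.netloc == "" and not normalized.startswith("//"):
        # Relative path: resolve against our own root and re-check the host.
        resolved = urlsplit(urljoin(SITE_ROOT, normalized))
        return resolved.hostname in allowed_hosts
    # .hostname strips userinfo and port and lowercases the host, so
    # "https://www.example.com@evil.example.net/" yields evil.example.net.
    host = parts.hostname
    return host is not None and host in allowed_hosts


def first_offsite_hop(chain, allowed_hosts=ALLOWED_HOSTS):
    """Given the URLs a redirect chain visited (e.g. reconstructed from proxy
    logs), return the index of the first hop that leaves the allowed hosts,
    or None if every hop stayed on-site."""
    for i, url in enumerate(chain):
        if not is_safe_redirect(url, allowed_hosts):
            return i
    return None


if __name__ == "__main__":
    # Constructed chain: two on-site hops, then a redirect off to a third party.
    sample_chain = [
        "https://www.example.com/l.php?u=go",
        "https://www.example.com/go",
        "http://redirect.example.org/step",
        "http://video.example.net/codec",
    ]
    print("first off-site hop:", first_offsite_hop(sample_chain))
```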

The latest campaign uses a legitimate hosting provider, Geocities, as its main redirection point. What is particularly interesting is that the malware dropper attempts to download further malware that turns the infected host into a proxy relaying spam through another legitimate site, the American International Baseball Club in Vienna (aibcvienna.org), which appears to have been compromised. It is also worth pointing out that, compared with other malware campaigns abusing social networking sites, the campaigns targeting Facebook and MySpace users rarely rely on bogus accounts; they use legitimate, compromised ones so that the campaign can scale by abusing the trust between friends.

Social engineering works because the average social networking user still lives in a “do not visit links sent by unknown people” and “do not visit unknown and potentially harmful sites” world, largely ignoring that compromised legitimate sites and infected profiles of trusted friends undermine both of these security tips. This is what malware campaigners try to excel at, but why? A site-specific vulnerability can indeed cause a lot of damage in a very short time frame, but the entire campaign disappears as quickly as it appeared once the vulnerability is fixed. Consequently, applying the marginal thinking of spammers who send out a million messages and profit even if only two people buy, targeting the end user alongside the site itself in order to remain beneath the radar a bit longer, remains the pragmatic tactic of choice.

Facebook has been keeping track of the ongoing developments on the malware front, and has been adapting to the situation throughout the year. From warning users about the potential maliciousness of a link, to the recent CAPTCHA challenge for grey links aimed at slowing down the spread of any campaign, these features are only the tip of the iceberg when fighting social networking malware campaigns. The rest is awareness in a trusted environment where everyone’s identity can be compromised and abused.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.
