July 7th, 2009

Koobface worm joins the Twittersphere

Posted by Dancho Danchev @ 2:00 pm

Categories: Anti Virus, Botnets, Browsers, Facebook, Hackers, Malware, Passwords, Social Networking Applications, Web 2.0

Tags: Worm, Twitter, Koobface, Cyberthreats, Viruses And Worms, Security, Dancho Danchev

Cybercriminals are experimenting with a new feature introduced in one of the latest Koobface variants - the ability of the worm to hijack the Twitter accounts of infected users and post tweets in an attempt to infect their followers.

According to researchers from TrendMicro, once the infected user attempts to log into Twitter, Koobface hijacks the session and posts a tweet on behalf of the user.

Would this novel feature allow the worm to spread even more efficiently? It largely depends on whether or not they’d remove the beta label from it, and go mainstream with the feature.

For the time being, the pre-defined set of messages includes the following: "My home video :)", "michaeljackson’ testament on youtube" and "Watch my new private video! LOL :)". Interestingly, real-time statistics obtained from their experimental Twitter campaign show close to a hundred users who came to their bogus video-serving (W32.Koobface.A) site through Twitter.

Compared to the automatic spreading of the worm across Facebook, where the CAPTCHA challenge recognition process was outsourced, in Twitter’s case the lack of a reliable user registration process or any sort of CAPTCHA challenge makes the abuse of the micro-blogging service incredibly easy to accomplish.

Has the worm’s growth rate changed over the past month? According to recently released statistics from Kaspersky Labs, June was the most active month for the Koobface gang in terms of the number of samples generated, from 324 Koobface variants at the end of May 2009 to almost 1000 by the end of June 2009, a tactic used to increase the average time of their campaigns until they get intercepted. Earlier this year, PandaLabs confirmed the growth rate, once again indicating the group’s commitment.

For the time being, Koobface remains one of the most active social networking worms spreading across Facebook, Tagged, Friendster, MySpace, MyYearBook, Fubar.com, Hi5 and Bebo since 2008, and despite the variety of new features, the worm continues relying on social engineering tactics in order to spread.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.

  • Talkback
  • Most Recent of 4 Talkback(s)
Technical Details
Attacks! Infects! Are just scarewords. HOW does it do this. Buffer overflow or what. I'm getting tired of reading articles like this with no beef.
Win32/64 programmer....
Posted by: ZwFlushKey Posted on: 07/08/09
