Sunday, February 7, 2010
Social Networks: SOS
Don’t chat with worms as you would do with your friend
As some of the fastest-growing communities in cyberspace, social networks are also the favorite playground for malware distributors. One of the most targeted networks of its kind is Facebook, the keeper of a huge database of personal information that acts like a magnet for cyber-criminals.
The infamous Koobface worm made a comeback as Win32.Worm.Koobface.AOJ. Once installed on the local machine, the worm looks for cookies belonging to well-known social networks, such as Facebook®, Twitter®, Hi5™, Friendster® and MySpace™, among others. However, there's more to Koobface than meets the eye: each new iteration of the worm brings additional surprises that build on its previous features: CAPTCHA breakers, locally installed HTTP servers, keylogger and FTP file uploader components, as well as a rogue DNS changer and an advertisement pusher.
In order to spread from one infected account to another, Win32.Worm.Koobface.AOJ sends messages on behalf of the compromised users to all their friends. Since Facebook® is extremely restrictive with large numbers of messages originating from the same account in a short time span, the worm forces the infected user to solve the CAPTCHA dialog for it. After the CAPTCHA has been successfully "defeated", the worm posts a link to a fake YouTube™ video concealed with a URL shortening service (usually bit.ly). Unwary users clicking on the malicious link will subsequently be asked to install a codec, which ultimately turns out to be the very downloader that drops, installs and "configures" the Koobface worm.
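A defender's view of the chain described above, as an added example that is not part of the original post: it correlates web-proxy records to find a short-link click that lands on a non-video host which then serves an executable. The log layout, the 60-second window, the host and content-type lists and every sample record are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Assumptions for this sketch (not from the original post): the log field
# layout, the 60-second window, and the host and content-type lists.
SHORTENERS = {"bit.ly"}
VIDEO_HOSTS = {"youtube.com", "www.youtube.com"}
EXE_TYPES = {"application/x-msdownload"}
WINDOW = 60  # seconds allowed between the short-link click and the download

# Constructed proxy log: (epoch_seconds, client, url, referrer, content_type)
SAMPLE_LOG = [
    (100, "10.0.0.5", "http://bit.ly/aaaa", "http://www.facebook.com/inbox", "text/html"),
    (101, "10.0.0.5", "http://video.example.test/watch", "http://bit.ly/aaaa", "text/html"),
    (109, "10.0.0.5", "http://video.example.test/codec_setup.exe",
     "http://video.example.test/watch", "application/x-msdownload"),
    (200, "10.0.0.9", "http://bit.ly/bbbb", "http://www.facebook.com/inbox", "text/html"),
    (201, "10.0.0.9", "http://www.youtube.com/watch?v=x", "http://bit.ly/bbbb", "text/html"),
]

def host(url):
    return (urlparse(url).hostname or "").lower()

def is_executable(url, content_type):
    return urlparse(url).path.lower().endswith(".exe") or content_type in EXE_TYPES

def find_fake_codec_chains(log):
    """Return (client, short_url, landing_url, download_url) for each chain of
    short link -> non-video landing page -> executable served by that page."""
    hits = []
    clicks = {}    # client -> (time, short_url) of the latest short-link click
    landings = {}  # (client, landing_url) -> (time, short_url)
    for ts, client, url, ref, ctype in sorted(log):
        if host(url) in SHORTENERS:
            clicks[client] = (ts, url)
            continue
        click = clicks.get(client)
        # A "video" link that resolves anywhere other than a video host.
        if click and ref == click[1] and host(url) not in VIDEO_HOSTS:
            landings[(client, url)] = click
            continue
        # An executable fetched from that landing page soon after the click.
        landed = landings.get((client, ref))
        if landed and ts - landed[0] <= WINDOW and is_executable(url, ctype):
            hits.append((client, landed[1], ref, url))
    return hits
```

Only the first client is reported; the second followed a short link that resolved to a real video host and downloaded nothing.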
The Koobface family is one of the most advanced e-threats related to social networks. Its ability to compromise a wide range of social networks and its extremely advanced infection mechanisms make it the ultimate war machine, ready to besiege your social network accounts.