Haven't blogged in a while, but as the nostalgia wears off and I settle into 2011 figured I would write up a quick post that alot of you might find benefit from. Some of you may have heard of KOOBFACE before and it looks like the infamous worm has made a return. The new campaign is spreading primarily on Facebook at this point but a jump to twitter is sure to follow in hours and days ahead. A change from it's predecessor, the new campaign is spreading via direct messages sent from compromised accounts rather than the wall posting of links as done before. Additionally this new variant uses alot of obfuscation in the links that are being sent, and they redirect the victim to a site that has the visitor install the payload via a "missing Flash plug-in"
For readers not familiar with KoobFace, some details about it as per the team at Symantec
- Originally Discovered: August 3, 2008
- W32.Koobface is a worm that spreads through social networking sites. W32.Koobface, an anagram of Facebook, is a worm that spreads primarily through social networking sites (hence the name) and uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements.
Infection
W32.Koobface spreads primarily through social networking sites as links to videos. When a user visits the website that is hosting the video, they are prompted to download a video codec or other necessary update, which is actually a copy of the worm.
The popularity of social networking sites is the key to W32.Koobface's ability to spread. By targeting social networking sites, the worm uses social engineering techniques to spread. Users of social networking sites can often be tricked into thinking that a link that has supposedly been posted by a friend or acquaintance is safe. Users may have difficulty determining if a link was posted by a friend or the worm.
Functionality
W32.Koobface builds a peer-to-peer botnet and it is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements. Compromised computers contact other compromised computers to receive commands in a peer-to-peer fashion.
The worm is able to perform the following functions:- Spread through social networks
- Steal confidential information
- Inject advertising into web browsers
- Redirect web browsing to malicious sites
- Intercept Internet traffic
- Block access to certain Internet sites
- Start a web server to serve as a command and control server for other Koobface infections
- Download additional files, such as updates to itself and other pay-per-install software that includes fake security products
- Steal software license keys
- Break CAPTCHAs
- Determine if a link is blocked by Facebook
- Create new Blogspot accounts and pages
- Modify the Hosts file
No comments:
Post a Comment