Facebook we have a problem

Koobface, and other worms target Facebook Friends

by Michael Smith

London, March 7, 2009: As Facebook works to make itself more relevant and timely for its growing member base with a profile page makeover, attackers seem to be working overtime to steal the identities of the friends, fans and brands that connect though the social-networking site.

Indeed, Facebook has seen five different security threats in the past week alone. According to Trend Micro, four new hoax applications are attempting to trick members into divulging their usernames and passwords. Also, a new variant of the Koobface worm is running wild on the site, installing malware on the computers of victims who click on a link to a fake YouTube video.

The Koobface worm very is dangerous. It can be dropped by other malware and downloaded unknowingly by a user when visiting malicious Web sites, Trend Micro reports. When attackers execute the malware, it searches for cookies created by online social networks. The latest variant is targeting Facebook, but earlier variants have also plagued MySpace.

Once Koobface finds the social-networking cookies, it makes a DNS query to check IP addresses that correspond to remote domains. Trend Micro explains that those servers can send and receive information about the affected machine. Once connected, the malicious user can remotely perform commands on the victim's machine.

According to Trend Micro once cookies related to the monitored social-networking Web sites are located, it connects to these Web sites using the user log-in session stored in the cookies. It then navigates through pages to search for the user's friends. If a friend has been located, it sends an HTTP POST request to the server.

Ultimately, the worm's agenda is to transform the victim's computer into a zombie and form botnets for malicious purposes. Koobface attempts to do this by composing a message and sending it to the user's friends. The message contains a link to a Web site where a copy of the worm can be downloaded by unsuspecting friends. And the cycle repeats itself.

Malware authors are investing more energy in Facebook and other social-networking sites because that effort pays off, according to Michael Argast, a security analyst at Sophos. Facebook alone has more than 175 million users, which makes it an attractive target.

"Many computer users have been conditioned not to open an attachment from an e-mail or click a link found within, but won't think twice about checking out a supposedly hot new video linked to by a trusted friend on Facebook," Argast said.

Argast called the Koobface worm a mix of something old and something new. The new is using social networks as a method to spread malware. The old is using fake codec Trojans linked to a saucy video to induce the user to install the malware.

Argast said people can protect themselves by running up-to-date antivirus software, restricting which Facebook applications they install, thinking twice before clicking on links from friends and never, never installing a codec from some random Web site in the hopes of catching some celebrity in a compromised situation.

"I would expect to see more attacks on Facebook," Argast said. "As long as this is a successful propagation method, the bad guys will double down and invest more. They are entirely motivated by financial gain. If it pays, they'll continue to romp in your social playgrounds."

This advice is the same and the rules should be the same as to the emails that arrive claiming that here or there one can have a look at this or that celebrity or whatever in compromised positions or such.

I personally must say that I never understand why people have this desire to believe that there are such videos about even and that they are worth taking a look at.

However, as we all know, people being people they have this strange drive and they will do just that and that is what the malware writers exploit.

As Michael Argast from Sophos says, have proper up-to-date anti-virus – and remember that you protection is only as good as your latest update, whenever that may have been – and also, and this is my advice, run other good protection software such as PC Tools ThreatFire and such like.

None of such protection has to cost you anything as for the private personal user you can get most of the stuff free. So there is no excuse not to have a fully protected PC or Laptop.

One note, on the side: those worms and Trojans and viruses are dangerous and some more dangerous than others; Koobface worm is very dangerous but not because, as some people might believe, it destroys hard drives or such – those viruses are (mostly) gone nowadays – but because it is a piece of code that ultimately turns the infected PC into a zombie on a botnet.

© M Smith (Veshengro), 2009
<>