Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, December 3, 2009

Koobface using new tricks to infect this holiday season

The criminals behind Koobface are gearing up for some malicious holiday fun, according to reports from Websense and McAfee. The malware, which has been seen online in various forms for a while now, is using Google Reader to spread itself and offers a few other tricks this time around.

First detected in December last year (with a more powerful version emerging in March of this year), the Koobface worm targets users of social networking sites like Facebook, MySpace, Twitter and most recently Skype. In recent days the security industry has noted increased activity of the Koobface attack, which spreads by delivering messages to people who are ‘friends’ of social network users whose computers have already been infected by the worm.

McAfee is warning about a Koobface run that mirrors the report from Websense that The Tech Herald received recently. Both vendors are seeing attacks in which the malware links to a “video” of a cute little baby dressed up as Santa. The tiny tyke has no idea his image is being used to spread malware, but anyone who attempts to load the video (named SantA in some cases) is told that they need to install a codec to play the movie. However, as in previous Koobface attacks, the codec is malicious and does nothing but infect the system.

Moreover, McAfee notes that some of the attacks redirect users to another site when they try to watch the movie from the link that appears in Google Reader. This secondary site is made up to look like a Facebook page that, ironically, warns users about Koobface and offers a link to download a virus scanner. This scanner is the malware delivery method, and once it is downloaded and installed, more malicious files are sent to the infected system.

In addition to the false Facebook page, McAfee noted that infected users will be lured into solving CAPTCHA codes so that those behind Koobface can register more junk Facebook profiles. The CAPTCHA trick appears as a Windows warning that the system will be shut down unless the user enters the CAPTCHA code displayed. If the shutdown timer hits zero, the system is locked until the code is entered. Once entered, the code is sent to a server, where it is later used for account creation.

In the past, The Tech Herald has talked about malicious wall posts on Facebook thanks to Koobface, and this latest wave of attacks appears to us to be an attempt to further the reach of those posts. More information on those attacks can be accessed here.

Websense, adding to the attack information, reports that a social engineering tactic is being used in which the periods in the malicious URL are replaced by commas. Speculating, Websense said that the commas are used in the hope that the user will copy and paste the URL into their browser and replace them with the correct character, thinking that the friend who sent the link made a mistake when typing the URL.

Both vendors expressed the need for users to use caution when they see random Facebook wall posts, and said that users should not download files from untrusted sources. In addition to that advice, we’ve noticed that some of the false video pages misspell the “You” in YouTube, which is a clear sign something is wrong, aside from the fact that the video isn’t being hosted on YouTube itself.
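The two indicators described above (commas standing in for periods in a link, and a “video” page whose host merely resembles youtube.com) are easy to check for mechanically, for example in a mail or chat filter. The following is an added example written for this post, not code from Websense, McAfee or The Tech Herald. The sample messages are constructed, and the detection heuristics (an edit-distance threshold of 2 against the word “youtube”, and a trusted-host set containing only youtube.com) are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not taken from the original post). They cover
# the comma-for-period trick, a lookalike video host, a legitimate link and a
# message with no link at all.
SAMPLE_MESSAGES = [
    "check out this video of my baby lol http://www,example-video,com/santa.php",
    "funny video http://yuotube-player.example.net/watch?v=1234",
    "look what i found https://www.youtube.com/watch?v=abc123",
    "meeting moved to 3pm, see you there",
]

# Matches a URL with a scheme, or a bare www host; commas are allowed in the
# token so that obfuscated links are still captured.
URL_RE = re.compile(r"(?:https?://|www[.,])[^\s<>\"']+", re.IGNORECASE)

# Assumption for this example: the only legitimate registered domain for a
# YouTube video is youtube.com. Anything else that looks like it is suspect.
TRUSTED_VIDEO_HOSTS = {"youtube.com"}
LOOKALIKE_TARGET = "youtube"
LOOKALIKE_MAX_DISTANCE = 2


def extract_urls(text):
    """Return the raw URL-like tokens in a message, obfuscated ones included."""
    return URL_RE.findall(text)


def normalize_url(raw):
    """Undo the comma-for-period trick in the host part so the URL parses.

    Returns (normalized_url, had_commas). Only the host is rewritten; the
    path and query are left alone because commas are legal there.
    """
    url = raw if raw.lower().startswith(("http://", "https://")) else "http://" + raw
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    had_commas = "," in host
    host = host.replace(",", ".")
    return f"{scheme}://{host}{sep}{path}", had_commas


def edit_distance(a, b):
    """Levenshtein distance, used to catch misspellings such as a swapped pair."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_host(host):
    """True when a host label is close to 'youtube' but the registered domain
    is not a trusted YouTube domain (e.g. yuotube-player.example.net)."""
    if not host:
        return False
    labels = host.lower().split(".")
    registered = ".".join(labels[-2:])
    if registered in TRUSTED_VIDEO_HOSTS:
        return False
    return any(
        edit_distance(part, LOOKALIKE_TARGET) <= LOOKALIKE_MAX_DISTANCE
        for part in re.split(r"[.-]", host.lower())
        if part
    )


def analyze_message(text):
    """Return a list of findings, one per suspicious URL in the message."""
    findings = []
    for raw in extract_urls(text):
        url, had_commas = normalize_url(raw)
        host = urlparse(url).hostname or ""
        reasons = []
        if had_commas:
            reasons.append("commas in place of periods in host")
        if is_lookalike_host(host):
            reasons.append("host resembles youtube.com but is not")
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for finding in analyze_message(msg):
            print(f"SUSPICIOUS {finding['url']}: {', '.join(finding['reasons'])}")
```

Normalizing the host before parsing matters: a filter that only looks for `http://` followed by a well-formed hostname will pass the comma-obfuscated link straight through, which is exactly what the trick relies on.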

And of course, if you haven't already, you should consider deploying a proxy in your network to help protect end users from malware and spyware.
