Massive New Koobface Campaign

Our colleagues in ESET Latin-America have reported that a huge new malware distribution campaign is being carried out through the popular social network Facebook. In this instance, it is our old friend the Koobface worm that is being propagated. (For more about Koobface see Randy's post here, and for more about this particular iteration, see the update here.)

Many thanks to Cristian Borghello, Jorge Mieres and Sebastián Bortnik for all the information.
Any errors in translation or interpretation are mine!

The Latin-American team published a comprehensive report on this issue some time ago, called “Utilizando redes sociales para propagar malware” (“Using social networks to propagate malware”). Unsurprisingly, it's in Spanish: see http://www.eset-la.com/centro-amenazas/2034-utilizando-redes-sociales-propagar-malware

In this particular campaign, the worm spreads across social networks by way of messages claiming to be about hidden cameras showing erotic encounters via an Internet connection. The message is sent from the infected machine to each of the owner's contacts, and the link redirects to Web sites called “Video posted by … Hidden Camera …”. A pop-up at this site tells the user that he needs to download what is supposed to be a video codec in order to look at the video.


As you can guess, the offered file isn't any sort of Flash codec, but the Koobface executable. If the user downloads and runs it, his system will become infected. The next screenshot shows how ESET Smart Security detects the attack when the intended victim tries to download the file.


A notable feature of this particular attack is that the malicious download only works the first time the victim accesses the site. Subsequent attempts generate what looks like a 404 error (Page Not Found). Attackers do this to hamper the work of security researchers, so that it becomes more difficult to analyse subsequent differing versions of the malicious code.

All the URLs seen to date use a raw IP address rather than a domain name, in the format http://[IP address]:[port]/[random numbers and letters]/. The screenshot shows one of these addresses:

hXXp:// [DELETED].169.144.218:167/62f469a63f1a/.
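The URL shape described above (literal IPv4 host, explicit port, a single random alphanumeric path segment) is easy to hunt for in proxy or mail-gateway logs. The following detector is an added example written for this post, not ESET's own tooling; the log lines and the 203.0.113.x / 192.0.2.x / 198.51.100.x addresses are constructed (documentation ranges), and only the path string is taken from the screenshot above.

```python
"""Flag URLs matching the Koobface pattern http://[IP]:[port]/[random letters and digits]/."""
import ipaddress
import re
from urllib.parse import urlsplit

# http(s) URLs, including defanged "hXXp://" forms, as they appear in logs or pasted messages.
_URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s\"'<>]+", re.IGNORECASE)
# Exactly one path segment of 6+ letters/digits (no dots, no file extension), optional trailing slash.
_RANDOM_SEG_RE = re.compile(r"^/[A-Za-z0-9]{6,}/?$")


def refang(url: str) -> str:
    """Turn a defanged 'hXXp://' prefix back into 'http://' so urlsplit parses it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def looks_like_koobface_url(url: str) -> bool:
    """True when the host is a literal IPv4, a port is given, and the path is one random segment."""
    parts = urlsplit(refang(url))
    try:
        ipaddress.IPv4Address(parts.hostname or "")  # raises ValueError for hostnames / empty
        port = parts.port                              # raises ValueError for a malformed port
    except ValueError:
        return False
    if port is None:
        return False  # every address reported in this campaign carries an explicit port
    return _RANDOM_SEG_RE.match(parts.path) is not None


def scan_log_lines(lines):
    """Return (line_number, url) for every log line containing a matching URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        for raw in _URL_RE.findall(line):
            url = raw.rstrip(".,)")  # drop trailing punctuation picked up from prose
            if looks_like_koobface_url(url):
                hits.append((n, url))
    return hits


# Constructed sample proxy log: lines 2 and 3 should be flagged (the 404 on the
# second visit is exactly the one-shot behaviour described in the post).
SAMPLE_PROXY_LOG = [
    "2009-03-01 10:01:02 user1 GET http://www.facebook.com/home.php 200",
    "2009-03-01 10:01:20 user1 GET http://203.0.113.7:167/62f469a63f1a/ 200",
    "2009-03-01 10:02:05 user2 GET http://203.0.113.7:167/62f469a63f1a/ 404",
    "2009-03-01 10:03:11 user3 GET http://198.51.100.9/images/logo.png 200",
    "2009-03-01 10:04:00 user4 GET http://192.0.2.33:8080/static/app.js 200",
]

if __name__ == "__main__":
    for line_no, url in scan_log_lines(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {url}")
```

Because the server answers only the first request, an analyst who wants the payload has to capture it at the user's first visit (or from the proxy cache); a later fetch from the log line will just reproduce the 404.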

As of this time, the Laboratory in Latin America has found and analyzed over 100 IP addresses where users whose systems are already affected are responsible for the spread of this malware. It is very important to prevent infection, not only because of the risk to your own system but because of the risk to others. Don't trust any messages of this type that turn up in social network messaging services like Facebook. Be on the lookout for deceptive social engineering and keep your antivirus software properly updated.

Research continues!

David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://amtso.wordpress.org/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/
http://chainmailcheck.wordpress.org
http://smallbluegreenblog.wordpress.com/

Author David Harley, ESET

  • Johan

    Great Great! More posts like this David :)

  • sl33py_hack3r

    I must say that you people (any computer user) need to be aware and take steps to protect yourself. This is not the 1999 dial-up-and-look-at-porn-for-fun days. Almost any freebies are tainted in one way or another. You need to think, because this web is so, so, so unsafe. You can safely surf if you just educate yourself, and that does not mean reading an article or something lame like that. You need to know what you're doing when you hit that button and click that link; you need to be aware of anything that might take place as part of that action, and I will tell you there are many. Emails are the most unsafe because you trust them too much; ask yourself why you place all your financial security in one click. Do you want to give your house away with one click, people? Think about it like this. The internet is one big network, OK? You have a private network at home, and if someone gets on they can do whatever they want with little knowledge. When you connect to the internet you now have the risk of sharing information with 2 billion people. I'm telling you, it's that easy. Any message you send can be looked at in context. Alright, I hope you're scared and do something about it, because there is one more thing you should know. Your cell phones are all hooked into this network in one way or another, and they are not safe. Just think about it, people. I've got kids and family that I see risk so much every day because they just don't know and are not aware. It's like watching you guys juggle grenades. It's not if, it's when; you drop it, it's over, peeps. Don't take my word for it, I'm from the streets and don't know s**t, right. I would love to see a lot of you rich people get knocked over, oh man that would be juicy, but look, I've got a love for people and here's a fair warning along with all the others you don't listen to. I probably got the same worm as y'all and don't even know. It's that bad.
