
by Kevin M Nixon, MSA CISSP® CISM® CGEIT®  

For your protection, please read this ...

Social Networking sites (Facebook, MySpace, Bebo, LiveJournal, etc.) are under attack by a variation of the Koobface worm which began to spread in August ‘08.  This new variant, tracked as WORM_KOOBFACE.AZ has the potential of a fast infection rate.  Most importantly, after propagating itself from the infected device, the Worm remains active on the user’s computer transmitting the computer’s data, settings, control information, and system information to over 300 international collection sites.  

This worm is unlike most.  It spreads itself AND then stays on your computer, monitoring and transmitting information to International locations.  Read and pass on.

This new worm: "It isn't your Father's Oldsmobile"

Readers should search their computer protection software provider’s website and locate instructions for WORM_KOOBFACE.AZ.  Please note that this is a variation of HTML_KOOBFACE.BA.  The patches and DAT files for the HTML variant do not protect against the WORM variant!

CURRENT FIX:
No Automatic Patches currently available from Protection Vendors.  Manual counter-measures are available.

TYPE MALWARE:
Worm – Self-Spreading
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

INFECTION METHOD:
Hyperlink-Social Engineering.  

Computer user receives a message which may contain the subject line "Thiss vvideo witth you on the streeet."  User may receive the message via an "On-line Inbox" located on the social network site, or any online web-based email, smart phone/PDA, or regular email application loaded locally on the computer.

HOW IT WORKS:
The message is sent to you by someone you know.  The hyperlink in the message takes the user to a "fake site" supposedly hosting a video posted by that same "friend", the one named in the Facebook (or other Social Network) message.  The message not only contains the hyperlink to the "fake site", it also displays the "friend's" name and photo from the Facebook profile.  A very clever little piece of social engineering.

Although the worm originates from a Facebook account from a person known to the user, the user receiving the message does not need to be a member of Facebook.  

Other origination points include but are not limited to:

facebook.com
hi5.com
friendster.com
myyearbook.com
myspace.com
bebo.com
tagged.com
netlog.com
fubar.com
livejournal.com
YouTube.com

WHAT IT DOES:
After clicking on the link, the user is redirected to an IP Address which contains the "fake social network friend page".  Upon arriving at the site, the user is prompted to update the Adobe Flash Player.  The "fake update" installs the worm on the user’s computer.  

WORM_KOOBFACE.AZ propagates through other networking sites by using "cookies" stored on the user’s computer.

The worm connects to a respective site using login credentials stored in the gathered cookies. It then searches for an infected user’s friends, who are then sent messages containing a link where a copy of the worm is downloaded. It also sends and receives information from an infected machine by connecting to several servers.

This allows hackers to execute commands on the affected machine. Currently there are over 300 International data collection sites containing this worm!
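The two traits of the lure described above lend themselves to a simple screening rule: the subject line imitates a fixed phrase with doubled letters, and the link sends the user to a bare IP address instead of a named site. The following is an added example, not code from the article or from any protection vendor; it screens inbound messages for those two traits. The sample messages, the 192.0.2.10 address and the example.com links are constructed for the demonstration.

```python
"""Screen inbound social-network or e-mail messages for Koobface-style lures.

Added example (not from the original article). It flags the two traits the
article describes: a subject line imitating the known lure text with doubled
letters, and a hyperlink whose host is a bare IP address rather than a
domain name. All sample data below is constructed for the demo.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse

# Subject line quoted in the article, used as the reference lure text.
KNOWN_LURE_SUBJECT = "Thiss vvideo witth you on the streeet."

# Crude URL extractor; good enough for plain-text message bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _normalize(text: str) -> str:
    """Lower-case, collapse runs of a repeated character and drop punctuation,
    so 'Thiss vvideo' and 'This video' compare equal. This defeats the
    doubled-letter trick used to slip past exact-match filters."""
    text = re.sub(r"(.)\1+", r"\1", text.lower())
    return re.sub(r"[^a-z ]", "", text).strip()


def matches_known_lure(subject: str) -> bool:
    """True if the subject is the known lure text in any doubled-letter variant."""
    return _normalize(subject) == _normalize(KNOWN_LURE_SUBJECT)


def extract_links(body: str) -> List[str]:
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(body)


def is_bare_ip_host(url: str) -> bool:
    """True if the URL's host is a literal IPv4/IPv6 address, not a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def screen_message(subject: str, body: str) -> Dict[str, object]:
    """Apply both rules and return the verdict with the reasons that fired."""
    reasons: List[str] = []
    if matches_known_lure(subject):
        reasons.append("subject matches known Koobface lure text")
    ip_links = [u for u in extract_links(body) if is_bare_ip_host(u)]
    if ip_links:
        reasons.append("link points to a bare IP address: " + ", ".join(ip_links))
    return {"suspicious": bool(reasons), "reasons": reasons, "ip_links": ip_links}


# Constructed sample messages: one lure, one benign, one lure-worded with a
# named host (flagged on the subject alone).
SAMPLE_MESSAGES = [
    {"from": "A. Friend", "subject": "Thiss vvideo witth you on the streeet.",
     "body": "look at this http://192.0.2.10/video.php?id=1 lol"},
    {"from": "B. Friend", "subject": "Lunch tomorrow?",
     "body": "Details at https://example.com/calendar"},
    {"from": "C. Friend", "subject": "THISS VVIDEO WITTH YOU ON THE STREEET",
     "body": "https://example.com/v/123"},
]


def screen_all(messages=SAMPLE_MESSAGES) -> List[Dict[str, object]]:
    """Screen a batch of messages and return the verdict for each, in order."""
    return [screen_message(m["subject"], m["body"]) for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, screen_all()):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} from {msg['from']!r}: {'; '.join(verdict['reasons']) or '-'}")
```

The normalization step matters more than the signature itself: a filter keyed on the exact string "Thiss vvideo" is defeated by the next spelling variant, whereas collapsing repeated letters makes every such variant compare equal to the plain phrase. The bare-IP rule catches the redirect the article describes regardless of subject wording, and in practice a message that trips both rules is a far stronger signal than either alone.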

© Copyright 2009 – Kevin M. Nixon – All Rights Reserved  
This article may be reprinted in whole or in part only with proper attribution to the author.

See the Information Security Resources for related information.

Originally posted to Mr Sandman on Tue Mar 03, 2009 at 12:41 PM PST.
