New Version of Koobface Virus Targeting Twitter

Researchers at Kaspersky, an Internet security company, are warning of a newly detected Koobface variant targeting the micro-blogging site Twitter. While the bait continues to be the same as before, the social engineering tactic used in the messages has been made better so that they sound more credible.

Koobface is the earliest and a very effective social networking virus. At first, it was used against MySpace, but its new versions targeted Bebo, Facebook, Tagged, Hi5, Friendster, and recently Twitter.

Stefan Tanase, Senior security investigator at Kaspersky Labs, has stated that the social engineering technique has been given a new twist, with web-links in the virus-laced e-mails taking users to an extremely well crafted page that looks same as Facebook.

The virus proliferates through stolen accounts that it uses to send spam mails apparently carrying video links. Clicking on these links will lead unwitting surfers to a website that shows a phony video but in reality it is only a picture. Any attempt of watching the video will also lead to the loading of the virus that pretends to be an update for Flash Player or an important codec.

Moreover, Koobface is presently dispatching different tweets whereas the tweets in the earlier attacks were identical. The present tweets have a random element, with words such as "WOW," "W.O.W," "HA-HA-HA!!" "LOL," "L.O.L" or "OMFG!!" appearing below every message.

Spammers are further introducing an element to the Koobface linked page; as a result the URL now becomes shorter to a new bit.ly URL. This creates difficulty for Twitter to isolate infected tweets or to delete them.

in early August 2009, there was widespread discussion on how Twitter began using Google's Safebrowsing API to filter tweets carrying harmful URLs. Researchers state that the practice will certainly prevent some attacks, but the ongoing attack demonstrates that the problem will not be completely eradicated although it is surely one step ahead.

According to the researchers, they recognized the malevolent payload as Net-Worm.Win32.Koobface.d as well as the script, which redirects to the phony page, as Trojan-Clicker.HTML.IFrame.ob. Moreover, nearly 100 separate IP addresses supporting Koobface were also spotted.

Related article: New Zealand Releases Code To Reduce Spam

» SPAMfighter News - 8/26/2009