Koobface Worm Propagating via Thousands of IPs
Internet security company Symantec recently conducted a study and published it on August 25, 2009. The research suggests that the cyber crooks responsible for Koobface are not yet considering a retreat.
The research, which spanned three weeks under the guidance of Marco Cova (a Ph.D. student and recipient of the Graduate Fellowship from Symantec Research Labs), reveals that Koobface created 17,170 distinct Internet Protocol (IP) addresses that use social engineering tricks to install the DNS-changing, information-stealing malware on users' computers, as reported by SCMagazine on September 1, 2009.
Explaining the Koobface criminals' method of operation and its effectiveness, Cova stated that while takedown requests had actively targeted the main Web server, the Koobface criminals had been quick to replace blacklisted IPs and suspended domain names with freshly registered ones.
According to the research, Koobface's most common activity is to hijack computers accessing social-networking websites such as Facebook, Twitter and MySpace. Kaspersky Lab reports that at the end of June 2009, the total number of Koobface variants was almost 1,000, significantly up from 109 at the start of 2009.
Meanwhile, researchers at Symantec spotted 11,337 malicious blogs that diverted visitors to pages that hosted the virus. The blogs, which were mechanically created on Google's Blogspot platform, were promoted through malicious Search Engine Optimization (SEO) techniques.
Additionally, researchers at the University of Alabama (Birmingham) conducted an analysis of the virus and found that the most recently detected Koobface variant was related to a domain name that started with an exclamation and ended with briankrebs.com. The researchers therefore caution that any user who finds this web domain should avoid the site, since there is a possibility of being infected by the malicious software.
Further, PandaLabs detected around 60 active domains that disseminated Koobface by sending a typical e-mail that apparently offered a web link to a Facebook-delivered "CooooL Video." When a user follows the link, he is deceptively taken to a server under the control of the virus.
Cova stated that even though Koobface had been detected over a year ago, its purveyors continued to update their infrastructure, discovering fresh channels for the virus' propagation and exploiting more and more victims.
» SPAMfighter News - 19-09-2009