Koobface Worm Creates Own Malevolent Web Pages
Hackers are customizing Koobface, the PC virus that debuted in 2008, to beat the security systems of website-hosting companies so that the malware can create web pages of its own.
Andrew Brandt, a security researcher at Webroot, states that, following an improvement to the CAPTCHA service, Koobface can now determine whether an infected user owns a Blogspot or Google account, as reported by Info Security on December 14, 2009.
Brandt states that if Koobface determines that the user doesn't own an account, it sets one up automatically.
Writing on the company's blog on December 10, 2009, Brandt says that he was aware of Google Reader pages generated by Koobface being in circulation, but he had not seen the virus in action. He was therefore fascinated to watch Koobface create a fresh Google account in his test environment, the researcher continues.
According to him, while setting up a Google account, Koobface downloads and executes four previously unknown programs. The first, "v2googlecheck", scans the user's browser cookies to detect whether the user has a Google account. If the user doesn't have one, Koobface uses a second program, "v2newblogger", to set one up. The third program, "v2cpatcha", instructs the user to enter a CAPTCHA inside what appears to be a Windows login box so that account creation can be completed. The last program, "v2reader", is used to build the fresh web page and to transmit the input information to the virus.
With a Google account ready, Koobface uses it to create a malicious Google Reader web page on which it embeds a video link from YouTube. However, clicking on the link diverts the user to a bogus video page.
If the user clicks that video or any other part of that page, a window appears that downloads a different Koobface installer called Setup.exe.
Brandt therefore advises users to be wary of links that point to Google Reader web pages. He also asks users who see anyone post these links on their social network to let other network users know that the links might be infected.
» SPAMfighter News - 22-12-2009