Spike in URLs Spreading Koobface Malware
Researchers at the security firm McAfee Labs have observed a major spike in URLs propagating Koobface malware.
The Koobface worm is well known for attacking users of social networking websites such as Facebook and Twitter, and it has been one of the most prominent threats to Facebook since 2008.
The worm sends fake comments and messages to the user's friends and redirects them to a malicious website. Afterwards, it attempts to steal the user's log-in credentials and repeats the same pattern to infect new users.
Like most threats, Koobface has changed over time, with add-ons and modifications to its payloads. However, it retains its ability to spread from one system to another. Koobface is also used in diverse ways: sometimes it installs password-stealing malware in the background, and at other times it prompts users to enter CAPTCHAs.
The recent Koobface campaign propagates by tricking Facebook users into downloading and running files from links with the URL format <Domain/variable/setup.exe>.
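For defenders, the URL format above can be turned into a simple hunt over web proxy logs. The following is an added example, not code from McAfee or from this article; the log layout, the hostnames and the function names are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: "<timestamp> <client> <method> <url>" (assumed layout).
SAMPLE_LOG = """\
2010-07-16T09:01:12 10.0.0.21 GET http://example-a.test/k3f9/setup.exe
2010-07-16T09:01:40 10.0.0.21 GET http://www.facebook.com/home.php
2010-07-16T09:02:03 10.0.0.34 GET http://example-b.test/zz81/SETUP.EXE?id=7
2010-07-16T09:03:55 10.0.0.34 GET http://vendor.test/downloads/v2/win/setup.exe
2010-07-16T09:04:10 10.0.0.21 GET http://example-a.test/setup.exe
2010-07-16T09:05:31 10.0.0.58 GET http://example-a.test/q7/setup.exe
malformed line
"""

# <Domain/variable/setup.exe>: exactly one variable path segment, then setup.exe.
PATH_RE = re.compile(r"^/[^/]+/setup\.exe$", re.IGNORECASE)

def matches_format(url):
    """True if the URL has the shape <domain>/<one segment>/setup.exe."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL in the log
        return False
    return (parts.scheme in ("http", "https")
            and bool(parts.hostname)
            and bool(PATH_RE.match(parts.path)))

def hunt(log_text):
    """Map each serving domain to the sorted list of clients that fetched from it."""
    by_domain = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip lines that do not fit the assumed layout
            continue
        _ts, client, _method, url = fields
        if matches_format(url):
            by_domain[urlsplit(url).hostname.lower()].add(client)
    return {domain: sorted(clients) for domain, clients in by_domain.items()}

if __name__ == "__main__":
    for domain, clients in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{domain}: {len(clients)} client(s) {clients}")
```

Because setup.exe is a common installer name, a hit is a lead to triage rather than a verdict; several clients fetching the same pattern from unfamiliar domains in a short window is the stronger signal.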
Craig Schmugar, a researcher at McAfee, wrote in a blog post that some weeks earlier Koobface had added DNS hijacking functionality that blocked access to security sites, convincing users that something serious might have happened to their systems, as reported by eWeek SECURITY WATCH on July 16, 2010.
He further commented that since then the malware authors had taken a huge leap toward invasiveness with the installation of a bogus antivirus Trojan. About 10 minutes after the initial infection, users usually see fake scanning windows and infection alert messages such as "it's all downhill from here."
The Trojan serves as an HTTP proxy and configures Internet Explorer to forward HTTP requests through that proxy, he added. It further blocks access to everything except the site selling the fake antivirus software and adult entertainment sites.
Simultaneously, it also blocks the other elements of Koobface designed to display pop-ups and redirects search result links, leaving the user with only Koobface-created pop-ups that display false error messages.
Commenting on the issue, researchers further state that the majority of Koobface infections come from users who "choose" to run the virus. They are trapped by the social engineering used by the authors, who prey on people's interest and desire to view some appealing videos.
» SPAMfighter News - 30-07-2010