Greeting the security industry and wishing them happy holidays

Dec 28, 2009 16:09 GMT

The cyber-criminal gang behind the notorious Koobface social-networking worm has included a hidden greeting card for the security community in one of its latest campaigns. The attached message talks about the gang's "achievements" and names several security researchers.

Koobface is one of the longest-running and most successful worms on the Internet, partly because of the huge effort its creators put into maintenance and feature upgrades. First launched on MySpace, versions of the worm are now active on a wide array of social networking sites, including Facebook, hi5, Bebo, Friendster and Twitter.

The worm hijacks accounts from the systems it infects and, in order to propagate, uses them to send spam to the people in their friend lists. The Koobface campaigns rely heavily on social engineering, and the worm is used as a deployment platform for other malware, whose authors pay the Koobface gang for every installation.

"Researchers examining the directories of the URLs of some of the latest Koobface runs may stumble upon a Christmas greeting, directed at the security community," writes Alex Eckelberry, the CEO of Sunbelt Software. "The Koobface gang, which is now officially self-describing itself as Ali Baba and the 40 Thieves LLC, has not only included a Koobface-themed […] background on Koobface-infected hosts, but it has also included a 'Wish Koobface Happy Holidays' script," adds Dancho Danchev, an independent security consultant and active Koobface tracker.

More interesting, however, is the message included with the image, which, according to Mr. Danchev, is the longest ever to come from the Koobface authors. "Our team, so often called 'Koobface Gang,' expresses high gratitude for the help in bug fixing, researches and documentation for our software to," the message starts and goes on to enumerate several security researchers and companies including Kaspersky Lab, Trend Micro, Dancho Danchev and Soren Siebert.

Facebook's security team, which is constantly fighting new versions of the worm, has not been left out. "It was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us move ahead. And we've moved. And will move. Improving their security system," the Koobface gang writes.

Dancho Danchev in particular has been the target of hidden messages left by the Koobface authors before. His name was also incorporated in rogue and, most of the time, offensive domain names associated with the operation. "In the spirit of Christmas, I'd also like to wish the Koobface gang happy holidays, and promise them that the cherry on the top of the research pie will see daylight anytime soon. First of all, I'd like to wish them happy holidays with Frank Sinatra - 'I've got you under my skin.' They'll get the point," the researcher writes on his blog.
