Koobface Launches Christmas-Themed Malicious Campaign

Security researchers warn that the creators of the Koobface worm have launched a new campaign on Facebook, which uses Christmas as a lure to infect users. This new version makes full use of the component deployed in November, which imitates human behavior.

The Koobface worm is one of the most notorious and long time running cybercriminal operations on the Internet. In the "Cybercrime Showcase" section of the Cisco 2009 Annual Report, Koobface is listed as the "winner" for the "Most Notable Criminal Innovation" category.

Koobface relies a lot on social engineering and was specifically designed to target social network websites. In essence, it spreads by posting links to fake videos on YouTube-look-alike Web pages. The users who follow these links are served an executable file for download. This file is passed as a Flash player upgrade or a special codec required to view the video, but in reality is the worm's installer.

After it infects a computer, the worm steals Facebook login credentials and uses them to post more malicious links. Additionally, it joins a botnet, which is controlled to send spam or silently install other malware.

Due to the social engineering element, the Koobface authors are constantly on the lookout for attractive themes to use their campaigns. Holidays and other popular events are always abused and as expected, this year's Christmas makes no exception.

"The bait is basically the same for this run: posts supposedly published by another user are suggested to be a link to a video. Clicking the link leads to the fake YouTube page typical of KOOBFACE attacks, only this time the page is presented as a Christmas-themed video," Trend Micro warns.

The Koobface gang has been preparing for this campaign since November, when they deployed a new component for the worm enabling it to behave like real users. This helps the new Koobface versions avoid Facebook's filters or looking suspicious to legit users.