Microsoft Tackles Anti-Social Networking Worm

On March 10, 2009, Microsoft released its monthly batch of security bulletins. Accompanying the no less than eight patch releases for Windows is a new version of the Malicious Software Removal Tool. The March 2009 version of MSRT is designed to tackle a worm that the software giant has deemed nothing short of anti-social networking. Dubbed Win32/Koobface, the malicious code with worm behavior is in fact a collection of components each capable of different functionality. The Redmond company warned that the Koobface binaries detected have been targeted for various social networking hotspots including: Bebo, Facebook, Friendster, Fubar, Hi5, MySpace, Myyearbook, Netlog, Tagged.

“The Win32/Koobface authors appear to have that covered via a component which acts as a web server. This allows the initial component to be hosted on numerous affected machines,” revealed Scott Molenkamp, from the Microsoft Malware Protection Center. “Variants of Win32/Koobface which attempt to send messages via social networking websites leverage the login credentials stored as browser cookies. However this is not the only way Win32/Koobface components try to manipulate and leverage their foothold on a given machine.”

Microsoft informed that the Koobface malicious elements were capable of performing complex tasks including downloading additional malware, but also web hosting spoofed, malicious pages; and even harvesting passwords, but also displaying popups and of course contacting members of the social networking websites mentioned above with various messages. The worm was initially discovered almost a year ago, in May 2008. Since then the malicious code has evolved consistently, being able to take advantage of additional attack avenues as well as new social engineering techniques.

“Many Koobface variants have the ability to download and execute arbitrary files. In some cases, variants of Win32/Nonaco may be installed. There is more than this circumstantial link which suggests that Nonaco is written by Win32/Koobface authors. The MMPC has also observed variants of the password stealer Win32/LdPinch installed on a machine affected by Koobface,” Molenkamp added. “For a malware family which is best known for sending messages via social networking websites such as Facebook, we can see that the Win32/Koobface family encompasses a diverse set of components, each yielding distinct benefits to the operators.”


Malicious Software Removal Tool is available for download here.