Propagates through spam in direct messages

Jul 5, 2010 06:47 GMT  ·  By

Security researchers from Trend Micro warn that a new version of the infamous Koobface worm is spreading on Facebook via direct messages. The spam lures users onto a malicious website by claiming that someone posted a video of them on YouTube.

Koobface is the father of all social networking worms and one of the longest-running computer worms in general. Originally developed for MySpace, the worm now has separate versions for most social networks, including Facebook, Twitter, hi5, Bebo and Friendster.

Koobface steals login credentials from its victims in order to propagate itself by spamming all of their social networking friends. The worm's spam campaigns are characterized by complex social engineering, usually involving a Flash Player upgrade or special video codec lure.

The latest version reported by Trend Micro is no different in this respect. The spam messages read "Someobdy upload a vdieo wtih you on utbue. you shuold see" followed by a link of the form http://www.facebook.com/l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;www.{BLOCKED}rotherz.ca./19mai/.

The misspelling of the words is intentional and is meant to evade Facebook's automatic spam filters. The technique relies on the fact that humans read words as a whole: as long as the first and last letters are in the correct position, the brain can still deduce the intended word.

The link is also a well-thought-out trick that leverages the fact that people tend to read only the beginning of the links they click on. To exploit this, the malicious URL is routed through Facebook's own link redirection page, which makes the link start with www.facebook.com even though its real destination is an external site.
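
A defender-side check for the redirect trick described above, added here as an example and not code from Trend Micro, Facebook or the article's author: it extracts the true destination from a link in the facebook.com/l/<token>;<destination> form quoted in the story and flags it when it leaves Facebook. The sample link and its .invalid lure domain are constructed stand-ins for the blocked address in the article, and the path format is assumed from that single quoted link.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample modelled on the link format quoted in the article.
# The destination host is a placeholder, not the real lure domain.
SAMPLE = "http://www.facebook.com/l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;www.lure-example.invalid./19mai/"

FACEBOOK_HOSTS = {"facebook.com", "www.facebook.com"}


def resolve_facebook_link(url):
    """Return the real destination hidden behind a facebook.com/l/ link.

    Assumes the format seen in the article: the path is '/l/<token>;<destination>',
    where <destination> may lack a scheme. Any other URL is returned unchanged.
    urlsplit (not urlparse) is used so the ';' is kept as part of the path.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in FACEBOOK_HOSTS or not parts.path.startswith("/l/"):
        return url
    path = unquote(parts.path)
    if ";" not in path:
        return url
    dest = path.split(";", 1)[1]
    if "://" not in dest:
        dest = "http://" + dest  # destination was given without a scheme
    return dest


def destination_host(url):
    """Normalized host of a URL: lower-case, trailing dot of an absolute
    domain name (e.g. 'example.ca.') removed so it compares like 'example.ca'."""
    host = (urlsplit(url).hostname or "").lower()
    return host.rstrip(".")


def is_external_redirect(url):
    """True when a facebook.com/l/ link ultimately leads off Facebook."""
    final = resolve_facebook_link(url)
    if final == url:
        return False  # not a redirect link at all
    host = destination_host(final)
    return host not in FACEBOOK_HOSTS and not host.endswith(".facebook.com")


if __name__ == "__main__":
    print(resolve_facebook_link(SAMPLE), is_external_redirect(SAMPLE))
```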

Clicking on the link takes users to a page displaying an image that mimics the YouTube player, with a pop-up box asking for a Flash Player update. Clicking anywhere on the image prompts the download of a malicious executable file, detected by Trend Micro as WORM_KOOBFACE.IC.

"This malicious site is actually hosted on multiple IP addresses (from Facebook, users go to a redirection script that points them to different IP addresses). They all have a common payload though […] Like many previous KOOBFACE variants, this is used to download malware onto the user’s system. At least one of these—TROJ_JORIK.D—installs what appears to be a webserver, possibly restarting the KOOBFACE infection chain," Jonathan Leopando, technical communications specialist at Trend, notes.

You can follow the editor on Twitter @lconstantin