Jan 14, 2011 18:37 GMT

Security researchers from Web and email security provider Websense have spotted a new private message spam campaign on Facebook distributing the notorious Koobface worm.

The messages have a subject of "Check out the movies wsith yor ass in it" and advertise a link that leads to a bit.ly-shortened URL through Facebook's open redirector.

Facebook's redirect script, through which all external links are normally passed, has been increasingly abused lately to bypass spam filters.
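One way a site can keep its outbound-link redirect script from serving as a general-purpose open redirector is to forward only to targets that carry an authentication tag the site itself minted. The following is an added example, not code from the article, from Websense or from Facebook; the endpoint URL, the secret and the sample links are constructed, and the signed-parameter design is an illustration rather than a description of how Facebook's script works.

```python
"""Added example: an HMAC-tagged redirect endpoint, so that anyone can see the
redirect links the site emits but nobody can mint one for a target the site
never vouched for. REDIRECT_BASE and SECRET are constructed placeholders."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

REDIRECT_BASE = "https://social.example/l.php"  # constructed: the site's own redirect endpoint
SECRET = b"constructed-demo-secret-replace-in-deployment"


def sign_target(target: str, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 over the exact target string, hex encoded."""
    return hmac.new(secret, target.encode("utf-8"), hashlib.sha256).hexdigest()


def build_redirect_link(target: str, secret: bytes = SECRET) -> str:
    """What the site emits when it rewrites an outbound link in a post or message."""
    query = urlencode({"u": target, "h": sign_target(target, secret)})
    return f"{REDIRECT_BASE}?{query}"


def resolve_redirect(link: str, secret: bytes = SECRET) -> Optional[str]:
    """Server-side check for an incoming redirect request.

    Returns the target to redirect to, or None to refuse. A spammer can put any
    value in 'u', but cannot produce a matching 'h' without the site's secret,
    so a link with a substituted or missing tag is refused before any redirect.
    """
    params = parse_qs(urlsplit(link).query)
    target = params.get("u", [None])[0]
    tag = params.get("h", [None])[0]
    if not target or not tag:
        return None
    expected = sign_target(target, secret)
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return None
    # Even a correctly tagged target is only followed for web schemes.
    if urlsplit(target).scheme not in ("http", "https"):
        return None
    return target


if __name__ == "__main__":
    good = build_redirect_link("http://short.example/abc")
    print("site-issued link resolves to:", resolve_redirect(good))
    untagged = f"{REDIRECT_BASE}?u=http%3A%2F%2Fother.example%2F"
    print("untagged link resolves to:", resolve_redirect(untagged))
```

The check alone does not stop a spammer from posting a genuine site-issued link to a bad destination (the site signed that target when the post was created), but it does stop arbitrary third-party links from being laundered through the endpoint, and the tag gives the site a single point at which a reputation or blocklist check on the target can be applied.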

The spammed link takes users through a series of redirects that check whether the visitor arrived from facebook.com. If so, they land on the attack page; if not, on Google News Canada.
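The referer check is what lets the chain show a harmless destination to spam filters and researchers while real Facebook users reach the attack page. A defender can surface this by resolving the same link under different Referer headers and flagging a divergence. The following is an added example, not code from the article or from Websense; the URLs and the simulated HTTP responses are constructed, and the fetcher is injected so the logic runs offline.

```python
"""Added example: resolve a link once with no Referer and once with a
facebook.com Referer, and report it as cloaked when the two runs end at
different destinations. All URLs and responses below are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

REDIRECT_STATUSES = (301, 302, 303, 307, 308)
MAX_HOPS = 10

# A fetcher answers one request with (status, Location header or None),
# given the URL and the Referer the crawler presents.
Fetcher = Callable[[str, Optional[str]], Tuple[int, Optional[str]]]


def follow_redirects(url: str, referer: Optional[str], fetch: Fetcher) -> List[str]:
    """Return every URL visited, ending at the first non-redirect response.

    Stops early on a redirect loop or after MAX_HOPS hops, so a hostile chain
    cannot keep the crawler busy forever.
    """
    chain = [url]
    seen = {url}
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1], referer)
        if status not in REDIRECT_STATUSES or not location:
            break
        chain.append(location)
        if location in seen:  # loop: the chain never settles
            break
        seen.add(location)
    return chain


def detect_cloaking(
    url: str,
    fetch: Fetcher,
    referers: Tuple[Optional[str], ...] = (None, "https://www.facebook.com/"),
) -> Tuple[bool, Dict[Optional[str], str]]:
    """Resolve the link under each Referer; cloaked if the final destinations differ."""
    finals = {ref: follow_redirects(url, ref, fetch)[-1] for ref in referers}
    return len(set(finals.values())) > 1, finals


# Constructed responses mimicking the chain described above: a shortener hop,
# then a host that sends Facebook visitors to the fake player page and sends
# everyone else (filters, crawlers, researchers) to an innocuous news site.
def cloaked_fetch(url: str, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    from_facebook = referer is not None and "facebook.com" in referer.lower()
    responses = {
        "http://short.example/abc": (301, "http://hop.example/check"),
        "http://hop.example/check": (
            302,
            "http://landing.example/player" if from_facebook else "http://news.example/canada",
        ),
        "http://landing.example/player": (200, None),
        "http://news.example/canada": (200, None),
    }
    return responses.get(url, (404, None))


# Constructed responses for a benign shortened link: same destination for everyone.
def honest_fetch(url: str, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    responses = {
        "http://short.example/xyz": (301, "http://blog.example/post"),
        "http://blog.example/post": (200, None),
    }
    return responses.get(url, (404, None))


if __name__ == "__main__":
    for link, fetch in (("http://short.example/abc", cloaked_fetch),
                        ("http://short.example/xyz", honest_fetch)):
        cloaked, finals = detect_cloaking(link, fetch)
        print(link, "CLOAKED" if cloaked else "consistent", finals)
```

In a real crawler the `fetch` argument would issue the HTTP request without following redirects and return the status and Location header; the comparison logic stays the same. Since the gate in this campaign keys on the Referer, a filter that fetches links with no Referer at all is exactly the visitor the chain is designed to mislead.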

In traditional Koobface style, the landing page displays a fake video player with a message reading "This content requires Adobe Flash Player 10.37. Would you like to install it now?"

This "required Flash update" social engineering trick is one the Koobface authors essentially pioneered and used at scale; it has since been picked up by many other cybercriminals.

Pressing the Install button to get the alleged update serves a Koobface variant currently detected by only 16 of the 43 antivirus engines on VirusTotal.

Koobface is the father of all social networking worms and dates back to 2007, which makes it one of the longest running computer worms in history.

The threat has separate versions for multiple social networks, including MySpace, Twitter, hi5, Bebo and Friendster, but the worm is most active on Facebook.

Nick Bilogorskiy, malware researcher at Facebook, estimated last year that the Koobface authors earned on average $35,000 per week in 2009, which adds up to $1.8 million for the entire year.

This explains why the gang tries to keep the botnet alive with constant improvements to the malware and new social engineering techniques.