Taunts security researchers and journalists through offensive domain names

Sep 1, 2009 14:08 GMT  ·  By

A new Koobface variant has been detected spreading in the wild and has been analyzed by security researchers from the University of Alabama at Birmingham (UAB). The analysis revealed that the illegal money-making schemes used by its creators include scareware distribution and click fraud via rogue affiliate advertising programs.

Koobface is a social networking worm that spreads on websites such as Facebook, MySpace, Bebo, hi5, Tagged, Netlog or Twitter by posting malicious messages from hijacked accounts. Computers infected with this malware join together to form a botnet, which is currently estimated to be one of the largest in the world, comprising over 2.9 million compromised computers in the U.S. alone.

This new Koobface variant doesn't differ much from its past versions, at least as far as the social engineering component is concerned, suggesting that it is still a successful technique and that users are not educated enough. Spam messages posted on social networking sites from compromised accounts have links to pages allegedly containing videos.

These fake pages ask unwary visitors to install a Flash Player update in order to view the video, which is actually the worm's installer. Once installed on the computer, the worm proceeds to monitor browsing sessions and steal login credentials for social networking accounts, which it will later use to post more spam.

In order to make money using Koobface, its creators employ it as an installation platform for other malware, such as rogue security applications. These programs, also known as scareware or rogueware, display bogus security alerts informing computer owners that their machine is infected and that, in order to clean it, they have to acquire a license for the fake antivirus.

Another money-generating scheme involves installing a click-fraud trojan, which hijacks Google Search results and randomly forces the links to point to advertising websites. "Several of the pages we were redirected through are legitimate advertisement affiliate programs, which pay webmasters for referring traffic to their sites," Gary Warner, director of research in Computer Forensics at UAB, explains.

One interesting aspect is that all these redirects occur through a list of predefined IP addresses and host names, including fire[expletive]eye.com and [expletive]briankrebs.com. These two domain names are direct references to The Washington Post journalist Brian Krebs, who maintains the Security Fix blog, and the security research company FireEye.

"It's a personal feather in the cap, knowing that on some level we made cyber crime more difficult," commented Alex Lanstein, senior security researcher at FireEye, regarding the domain names. However, taunting security researchers seems to have become something that the Koobface authors enjoy doing on a regular basis.

A message hidden inside a July variant of the worm ironically read "We express our high gratitude to Dancho Danchev for the help in bug fixing, researches and documentation for our software." Mr. Danchev is an independent security consultant who plays an active role in tracking and shutting down botnets and other illegal operations.