New variant employs advanced social engineering techniques

Mar 2, 2009 10:40 GMT  ·  By

Researchers from antivirus vendor Trend Micro are warning against a new variant of the infamous Koobface worm that is targeting social networking users. While developing the new version, the worm writers have paid a lot of attention to details in an attempt to make their scheme as believable as possible.

Koobface is a worm initially launched on Facebook, which later extended to other social networking services including MySpace, hi5, Friendster, Bebo, MyYearBook, Tagged, Netlog, Fubar and LiveJournal. Due to its intended audience, the worm relies heavily on social engineering techniques in order to propagate.

Its most common behavior involves posting messages from compromised accounts to the users in their friends list, enticing them to visit a malicious link. The spammed URL directs to a website masquerading as a popular video-sharing service such as YouTube.

In some variants, the attackers have even used pages hosted on legit services, such as Google Picasa Web Albums. However, while this increases the credibility of the campaigns, it shortens their life span, as such abusive accounts are disabled by the service admins rather quickly. The malicious pages claim to have an embedded video file, which is actually a linked image that prompts the download of a fake video codec.

In the example presented by the Trend Micro researchers, the message spammed by the compromised accounts reads "Thiss is a vvideo with you on the street," and is obviously accompanied by a link. The terms are intentionally misspelled in order to trick the filters enforced by the social networking service.
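As an added example (not from the article or from Trend Micro), the following Python shows the defensive counterpart to the misspelling trick described above: a message filter that collapses runs of repeated letters before comparing a message against known lure phrases, so that "Thiss is a vvideo" and "This is a video" normalize to the same string. The lure phrases and sample messages are constructed for illustration; a real deployment would load the phrase list from a maintained source. Collapsing repeated letters also alters legitimate double letters ("street" becomes "stret"), but since both the message and the reference phrase are normalized the same way, the comparison stays consistent.

```python
import re
from difflib import SequenceMatcher

# Constructed lure phrases for this illustration (the article quotes the first);
# a production filter would maintain this list from observed campaigns.
LURE_PHRASES = [
    "this is a video with you on the street",
    "is this you in this video",
]

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


def normalize(text: str) -> str:
    """Lower-case the text, drop everything but letters and spaces, and
    collapse any run of a repeated character to a single occurrence.
    Doubled letters are the evasion described in the article; applying
    the same collapse to the reference phrases cancels it out."""
    letters = re.sub(r"[^a-z ]", "", text.lower())
    collapsed = re.sub(r"(.)\1+", r"\1", letters)
    return re.sub(r"\s+", " ", collapsed).strip()


def lure_similarity(message: str) -> float:
    """Return the best similarity (0.0 to 1.0) between the normalized
    message body (with URLs stripped out) and any known lure phrase."""
    body = normalize(URL_RE.sub(" ", message))
    return max(
        SequenceMatcher(None, body, normalize(phrase)).ratio()
        for phrase in LURE_PHRASES
    )


def is_suspicious(message: str, threshold: float = 0.85) -> bool:
    """Flag a message only when it both carries a link and closely
    resembles a known lure; lure text without a link is not actionable."""
    has_link = URL_RE.search(message) is not None
    return has_link and lure_similarity(message) >= threshold


if __name__ == "__main__":
    # Constructed sample messages; the link host is a reserved placeholder.
    samples = [
        "Thiss is a vvideo with you on the street http://example.invalid/watch",
        "Thiis iis a viideo of you on the street! http://example.invalid/v",
        "Thiss is a vvideo with you on the street",
        "Hey, are we still meeting on the street tomorrow? http://example.invalid",
    ]
    for msg in samples:
        print(f"{lure_similarity(msg):.2f} suspicious={is_suspicious(msg)} :: {msg}")
```

Because the similarity is computed on normalized text, the filter catches the doubled-letter spelling the campaign used as well as small wording changes ("of you" instead of "with you"), while a benign message that merely mentions a street scores far below the threshold.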

The link opens a good replica of YouTube displaying a video allegedly posted by the person who has sent the message. "In fact not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile. A very neat little piece of social engineering," Rik Ferguson, solutions architect at Trend Micro, writes.

The fake embedded video displays a legit-looking alert that reads "The content requires Adobe Flash Player 10.37. Would you like to install it now?" Clicking on the Install button prompts the download of the worm installer.

The new variant is detected by Trend Micro as WORM_KOOBFACE.AZ and its payload involves stealing the login credentials for several social networking accounts, as well as sending spam messages to other users. It also installs a botnet client, which connects to a command-and-control server and listens for commands.