Visitor statistics service abused in latest campaign

Aug 2, 2010 08:26 GMT  ·  By

A new Koobface campaign gathers statistics about people who land on the fake video pages pushing the malware. The worm's authors have embedded code from a free visitor tracking service.

Koobface is a computer worm that spreads on social networking websites. Originally launched in mid-2008 on MySpace, different variants of the malware have since been launched on a variety of social networks, including, but not limited to, Facebook, Twitter, hi5, Bebo and Friendster.

Koobface is one of the most successful computer worms in history, mainly because of the impressive effort put into its maintenance. The gang behind the worm always strives to come up with new tricks to infect users or methods to evade detection and make takedown attempts harder. These improvements have ranged from imitating human behavior to implementing peer-to-peer botnet control capabilities.

Now, malware analysts from Trend Micro warn that visitor tracking features have been added to the fake YouTube-like landing pages the worm uses to social engineer users into infecting themselves. "A few days ago, these pages started to include a short JavaScript code, which enables the KOOBFACE gang to directly monitor page hits. The tracking code is located at the very bottom of the page, which was pushed way below by a lot of <br> tags," Joey Costoya, an advanced threats researcher at Trend, writes.
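For analysts triaging suspicious landing pages, the layout described above (a script pushed far down the page by a long run of <br> tags) can be checked mechanically. The following is an added example, not code from Trend Micro or from the article; the threshold of 30 tags, the function names and the `.example` host names are assumptions, and both sample pages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_HOST = re.compile(r"""https?://([^/\s"'<>]+)""", re.I)

class BuriedScriptFinder(HTMLParser):
    """Flag <script> elements that follow an unbroken run of <br> tags."""

    def __init__(self, min_br_run):
        super().__init__()
        self.min_br_run = min_br_run
        self.br_run = 0          # consecutive <br> tags seen so far
        self.in_flagged = False  # True while inside a flagged script
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "br":
            self.br_run += 1
            return
        if tag == "script" and self.br_run >= self.min_br_run:
            host = urlparse(dict(attrs).get("src") or "").hostname
            self.findings.append({"line": self.getpos()[0],
                                  "br_run": self.br_run,
                                  "hosts": {host} if host else set()})
            self.in_flagged = True
        self.br_run = 0          # any other tag ends the padding run

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_flagged = False

    def handle_data(self, data):
        if self.in_flagged:      # hosts referenced by inline script code
            hosts = (h.lower() for h in URL_HOST.findall(data))
            self.findings[-1]["hosts"].update(hosts)
        elif data.strip():       # visible text also ends the padding run
            self.br_run = 0

def find_buried_scripts(html, page_host, min_br_run=30):
    """Return padded-down scripts that reference a host other than page_host."""
    finder = BuriedScriptFinder(min_br_run)
    finder.feed(html)
    finder.close()
    return [f for f in finder.findings if f["hosts"] - {page_host}]

# Constructed sample pages (not captured from the campaign).
PADDED = ("<html><body><h1>Video</h1>\n" + "<br>\n" * 40 +
          "<script>new Image().src='http://tracker.example/hit?p=1';</script>"
          "</body></html>")
NORMAL = ('<html><body><p>Hi</p><br><br>'
          '<script src="http://cdn.example/a.js"></script></body></html>')
```

A hit is only a triage signal: it says a third-party script sits below an unusual amount of vertical padding, not that the page is malicious.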

The new code comes from a service called eXTReMe Tracker, which is most likely being abused by the worm's authors. According to the Trend experts, who obtained access to the rogue tracker account, the Koobface gang started tracking visitors on July 28 and so far 126,717 unique visitors have been recorded.

The peak was registered on Saturday, when 40,526 users landed on the infected pages. However, this doesn't mean that all of them ran the malicious setup####.exe (where # is a digit) being served. Hopefully, some of the visitors had antivirus protection on their computers that alerted them to the threat, while others caught on to the scam in time.

You can follow the editor on Twitter @lconstantin