Comes with a scareware twist

May 18, 2009 08:24 GMT

Virus analysts from Panda Security warn of a new variant of the infamous Koobface worm, which was released on the popular Facebook social network. Its authors have changed the template of the spam messages, but, most importantly, have adopted the scareware model.

Koobface is a computer worm that first appeared during July 2008 and initially targeted Facebook and MySpace users. It extensively employs social engineering techniques and steals social networking accounts. Different versions of this worm have also been seen spreading on Hi5, Bebo, Friendster, Tagged, MyYearBook, and Fubar.com.

The new variant, dubbed Boface.BJ by Panda, specifically targets Facebook users through spam messages enticing them to watch video files on a YouTube-clone website. The page is actually called "YuoTube," an intentional misspelling of the popular video-sharing service's name, which might go unnoticed by users not paying enough attention.

The page displays an image resembling an embedded video file, with a Flash Player update alert reading, "This content requires Adobe Flash Player 10.37. Would you like to install it now?" Clicking on the "Install" button is obviously not a good idea, as it prompts the download of a file called setup.exe, which is actually a component of the worm.

Once installed onto the computer, Boface.BJ monitors web browser activity for Facebook sessions in order to steal the login credentials. Once a new account is compromised, the worm uses it to send the spam messages to people in the friends list associated with it.

The motivation behind this attack is, as usual, illegal monetary gain. This is achieved by downloading and installing fake security applications on the compromised computers. These programs, more commonly known as scareware or rogueware, constantly display alerts about infections allegedly detected on the system. In order to deal with these fictitious threats, the user is encouraged to acquire a license for the useless program.

Panda security researchers report that the prevalence of the Koobface worm has been decreasing abruptly since mid-April. This new variant might represent the authors' effort to rebuild the number of compromised accounts/computers and respond to Facebook's filters and cleaning campaigns.

The number of infections with Boface.BJ is expected to take off during the upcoming months. Facebook users are therefore urged to exercise caution when choosing to visit links that are sent to them on the social network, even if the messages come from their friends.
