Koobface worm variant circulating on Facebook

Facebook last month was awarded $873 million in damages against a spammer, but the problem of junk mail continues to plague users of the social networking site as a new variant of the Koobface worm makes the rounds, according to McAfee Avert Labs.

The Koobface worm spreads over social networking sites such as Facebook and MySpace and has been circulating on Facebook since the summer. There are currently over two dozen variants of the worm, Craig Schmugar, threat research manager for McAfee Avert Labs, told SCMagazineUS.com on Friday.

In this newest variant, users are being spammed with Facebook messages containing a link to a video in which they are supposedly featured. After following the link, users are redirected to a compromised host, where they see an error message requesting that they download an update for Flash Player to view the video. The download is not a Flash Player update but the Koobface variant itself, according to a recent McAfee Avert Labs blog post.

Adding to the apparent legitimacy of the emails, the spammed links leading to the Koobface download are likely to come from infected friends. McAfee warned users not to open any unexpected email attachments, even if they come from someone they know.

Similar tactics were used in October, when users received messages with a link to a supposed YouTube video. Upon following the link, users would be notified that they had to install a codec to view the video; the codec was actually a trojan that installed rogue anti-virus software.

Once a user is infected, the first goal of the virus is to spread to the user's friends. The virus then installs a component that watches the infected user's HTTP traffic with the intention of hijacking the user's internet search results.

“When you follow a search result link you are not taken where you want to go or expected to go, you are directed where the attacker wants you to go,” Schmugar said.

This is mostly just an annoyance for the user, but typically this type of behavior creates revenue for the attackers, who could be paid depending on the amount of traffic they direct to certain sites, Schmugar said.

A very small percentage of Facebook users have been affected, and the Koobface virus should not be problematic for users with up-to-date anti-virus software, Facebook spokesman Barry Schnitt told SCMagazineUS.com Friday in an email. 

“We're working quickly to update our security systems to minimize any further impact, including resetting passwords on infected accounts, removing the spam messages and coordinating with third parties to remove redirects to malicious content elsewhere on the web,” Schnitt said.

In a Facebook discussion board thread, users have expressed frustration about viruses circulating on the social networking site. One user wrote: “I think Facebook should take a serious look into this. The virus spreads itself through the friends' list. Some of my friends have now been banned, and it is not amusing. Come on administrator(s), do your homework!”

Another user described the infection: “I had a message from a FB (Facebook) contact saying I saw this video of you etc. It diverted me to a site that looked like YouTube. It then stated my video player was out of date and to upgrade it. The moment I did and installed the file, FB began automatically sending messages to my contacts before my eyes.”
