Posts Tagged ‘ Koobface ’

By JR Raphael
November 12, 2009

SAN FRANCISCO – Hot on the heels of a reported hijacking of hundreds of Facebook groups, a new variation on an old worm is crawling its way into the social network’s walls. Attackers have released an updated, more intelligent version of the notorious Koobface virus, security analysts say–and anyone could become its next victim.

The Facebook Hijack

First, the hijacking: An organization called “Control Your Info” apparently took control of as many as 300 Facebook groups over the past several days. Members added their own logo onto the pages, announcing they’d “hijacked” the groups and providing a link back to their own site.

(Facebook maintains no confidential information was ever exposed–the affected groups, representatives say, were abandoned and open for any member to take over.)

The “Control Your Info” Web site states that the organization’s mission was to expose security holes in social media–a fitting segue to today’s new threat.

Facebook’s New Concern

The new threat has a familiar name. Koobface–which, by the way, is an anagram of the word Facebook–first popped up in mid-2008 and has been pestering users ever since.

The worm typically works by taking over your PC, then sending messages or wall postings to your friends. The messages include links to what appear to be funny videos or risqué photos of people you and your friends know. Anyone who follows the links, however, will ultimately end up infected with the malware themselves–usually by way of a bogus software update that pops up on-screen.

The updated Koobface variation, according to the virus-fighting team at Trend Micro, takes things a step further by automating the entire process. Instead of depending solely upon real accounts to spread the malicious links, the attackers have found a way to have bots do their bidding.

Here’s how Trend Micro says it’s happening: Botnets are registering new Facebook accounts and confirming them via accompanying Gmail addresses, all without any human interaction. The zombie accounts are then joining Facebook groups, adding friends, and posting dangerous links onto those people’s walls.

“This new component behaves like a regular Internet user that starts to connect with friends in Facebook,” explains Jonell Baltazar, an advanced threats researcher with Trend Micro. “The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books.”

The system is even advanced enough to monitor maximum friend levels allowed by Facebook, Baltazar says, to avoid drawing any attention to the ill-intended account.

Facebook Protection

So, what can you do to keep yourself safe from this Koob-faced villain? The steps are nothing you haven’t heard before: Keep your antivirus software up to date, and use some common sense.

Antivirus software will alert you if you click onto a site that’s known to host malware — and that’s exactly where these Koobface links want to take you. The easiest way to stay safe, then, is just to be cautious in choosing what you click.

If you see a link that looks questionable, even if it’s from someone whose name you know, don’t follow it. And if you find yourself on a Web page that’s asking you to download a software update, don’t do it. Instead, close the window and go directly to the software vendor’s own Web page to see if the update is the real deal.

Otherwise, you might end up with Koob smeared all over your face–and, suffice it to say, that’s one fate you’d be better off avoiding.


Kaspersky Lab recently saw an explosion of Koobface modifications throughout the month of June, due to summer and vacations across the northern hemisphere. In just one month, the number of variants detected jumped from 324 at the end of May 2009 to almost 1000 by the end of June 2009.

Koobface, the infamous worm, was first detected by Kaspersky Lab as Net-Worm.Win32.Koobface, and it instantly became popular when it appeared almost one year ago targeting Facebook and MySpace accounts. The Koobface worm is spreading through a legitimate user’s account to their friends’ profiles. Comments and messages sent by the worm contain a link to a fake YouTube-style Web site which invites users to download a “new version of Flash Player”. The worm, rather than a media player, is then downloaded to victim machines. Once a user is infected, he or she will start spreading such messages to his or her friends. In the meantime, the functionality of the worm has been extended. Koobface is now targeting more social networking Web sites like Facebook, MySpace, Hi5, Bebo, Tagged, Netlog and, most recently, Twitter.

As social networks such as Facebook or Twitter are becoming increasingly popular, attacks targeting them are also gaining momentum.

“This sign of increased cybercriminal activity involving social networks in the past month proves that the strategies being used by the bad guys to infect users are much more efficient when adding the social context to their attacks,” says Stefan Tanase, malware researcher at Kaspersky Lab. “June 2009 marks an important milestone in the evolution of social networking malware — the activity we’ve seen this month exceeds by far any other month in the past.”

Kaspersky Lab offers a few tips for users:

  • Be cautious when opening links coming through suspicious messages, even if the sender is one of your trusted Facebook friends.
  • Use either Internet Explorer 7 running in protected mode or Firefox with NoScript installed.
  • Divulge as little personal information as possible. Do not give out your home address, phone number or other private details.
  • Keep your antivirus software updated to prevent new versions of malware from attacking your computer.

Kaspersky Lab users running any of the Company’s current anti-malware products are fully protected from all known variants of Net-Worm.Win32.Koobface. Kaspersky Lab’s global team of analysts are keeping a close eye on all threats coming from the social networking space, monitoring the malicious activity and constantly updating the protection customers receive.


Secure content management solutions developer Kaspersky Lab has announced that it has detected its 25 millionth malicious program.

Every year, the number of IT threats increases exponentially. Kaspersky Lab recently forecast a ten-fold increase in malicious programs, from 2.2 million in 2007 to 20 million in 2008. However, the rate of growth demonstrated by the cybercrime industry has surpassed even the most exaggerated predictions.

A new modification of Koobface was detected by the specialists at Kaspersky Lab on 9 June and became the 25 millionth malicious program added to the company’s antivirus databases. Net-Worm.Win32.Koobface targets users of the popular social networking sites Facebook and MySpace. This latest version of Koobface confirms earlier predictions by Kaspersky Lab that social networking sites would be the target of more and more IT threats.

The worm uses a simple propagation method: users of social networking sites receive what appears to be a message from a friend containing a link to a video clip on an unknown site. When users attempt to play the video, they are prompted to update Flash Player. Instead of an update, however, a Koobface worm is installed that contains backdoor functionality allowing instructions from a remote management server to be run on the computer.

The proliferation of the Koobface family confirms what Kaspersky Lab has been saying for some time – malicious programs are becoming more and more numerous and they are using increasingly sophisticated technology. The company’s experts correctly predicted back in early 2008 that web fraudsters would be concentrating more of their efforts on social networking sites. It is also evident that the technical concepts behind these new threats are increasingly complex. In order to effectively combat modern malware such as Koobface, an integrated antivirus solution is needed that provides effective multilayered protection.

All consumers using Kaspersky Lab’s personal or corporate products are fully protected against all known versions of Net-Worm.Win32.Koobface.
