By JR Raphael
November 12, 2009

SAN FRANCISCO – Hot on the heels of a reported hijacking of hundreds of Facebook groups, a new variation on an old worm is crawling its way into the social network’s walls. Attackers have released an updated, more intelligent version of the notorious Koobface virus, security analysts say–and anyone could become its next victim.

The Facebook Hijack

First, the hijacking: An organization called “Control Your Info” apparently took control of as many as 300 Facebook groups over the past several days. Members added their own logo onto the pages, announcing they’d “hijacked” the groups and providing a link back to their own site.

(Facebook maintains no confidential information was ever exposed–the affected groups, representatives say, were abandoned and open for any member to take over.)

The “Control Your Info” Web site states that the organization’s mission was to expose security holes in social media–a fitting segue to today’s new threat.

Facebook’s New Concern

The new threat has a familiar name. Koobface–which, by the way, is an anagram of the word Facebook–first popped up in mid-2008 and has been pestering users ever since.
The worm typically works by taking over your PC, then sending messages or wall postings to your friends. The messages include links to what appear to be funny videos or risqué photos of people you and your friends know. Anyone who follows the links, however, will ultimately end up infected with the malware themselves–usually by way of a bogus software update that pops up on-screen.

The updated Koobface variation, according to the virus-fighting team at Trend Micro, takes things a step further by automating the entire process. Instead of depending solely upon real accounts to spread the malicious links, the attackers have found a way to have bots do their bidding.
Here’s how Trend Micro says it’s happening: Botnets are registering new Facebook accounts and confirming them via accompanying Gmail addresses, all without any human interaction. The zombie accounts are then joining Facebook groups, adding friends, and posting dangerous links onto those people’s walls.

“This new component behaves like a regular Internet user that starts to connect with friends in Facebook,” explains Jonell Baltazar, an advanced threats researcher with Trend Micro. “The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books.”

The system is even advanced enough to monitor maximum friend levels allowed by Facebook, Baltazar says, to avoid drawing any attention to the ill-intended account.

Facebook Protection

So, what can you do to keep yourself safe from this Koob-faced villain? The steps are nothing you haven’t heard before: Keep your antivirus software up to date, and use some common sense.

Antivirus software will alert you if you click onto a site that’s known to host malware — and that’s exactly where these Koobface links want to take you. The easiest way to stay safe, then, is just to be cautious in choosing what you click.

If you see a link that looks questionable, even if it’s from someone whose name you know, don’t follow it. And if you find yourself on a Web page that’s asking you to download a software update, don’t do it. Instead, close the window and go directly to the software vendor’s own Web page to see if the update is the real deal.

Otherwise, you might end up with Koob smeared all over your face–and, suffice it to say, that’s one fate you’d be better off avoiding.

The email, which has the subject line ‘Remembering Michael Jackson’ and claims to come from ‘sarah@michaeljackson.com‘, says that an attached ZIP file – titled ‘Michael songs and pictures.zip’ contains secret songs and photos of Michael Jackson.

A sample of the Michael Jackson-themed e-mail  borne out of the latest malware ( click image for a larger view )

However, by opening the attachment, computer users are exposed to infection.  Once infected, a computer will begin automatically spreading the worm onto other internet users.  Besides spreading via email, Sophos experts note that the malware is also capable of spreading as an Autorun component on USB memory sticks – an increasingly common trend for malware, as use of these devices becomes more and more popular.

“In light of the huge interest in Jackson since his sudden death, there are likely to be many computer users who are tempted into opening the attachment,” said Graham Cluley, senior technology consultant at Sophos. “But sensible computer users should by now be well aware that cybercriminals will be quick to exploit news events to spread malware and spam.  Anyone who receives this email should delete it immediately to save themselves the embarrassment of infecting their email contacts.”

Sophos detects the malware proactively as Mal/ZipMal-B and Mal/VB-AD, and recommends that users of other anti-virus products ensure that their defences are properly updated.