Tuesday, March 3, 2009

NEW WORM Lets Hackers Take Complete Control of User’s Computer

by Kevin M Nixon, MSA CISSP® CISM® CGEIT® 

Social Networking sites (Facebook, MySpace, Bebo, LiveJournal, etc.) are under attack by a variation of the Koobface worm which began to spread in August ‘08.  This new variant, tracked as WORM_KOOBFACE.AZ, has the potential for a fast infection rate.  Most importantly, after propagating itself from the infected device, the Worm remains active on the user’s computer, transmitting the computer’s data, settings, control information, and system information to over 300 international collection sites.

Readers should search their computer protection software provider’s website and locate instructions for WORM_KOOBFACE.AZ.  Please note that this is a variation of HTML_KOOBFACE.BA.  The patches and DAT files for the HTML variant do not protect against the WORM variant!

CURRENT FIX:

No Automatic Patches are currently available from Protection Vendors.  Manual counter-measures are available.

TYPE MALWARE:

Worm – Self-Spreading
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

INFECTION METHOD:

Hyperlink-Social Engineering. 

Computer user receives a message which may contain the subject line “Thiss vvideo witth you on the streeet.”  User may receive the message via an “Online Inbox” located on the social network site, or via any online web-based email, smart phone/PDA, or regular email application loaded locally on the computer.

HOW IT WORKS:

The message is sent to you by someone you know.  The hyperlink in the message takes the user to a “fake site” supposedly hosting a video posted by the same “friend known to the user” who sent the Facebook (or other Social Network) message.  The message not only contains the hyperlink to the “fake site”, it also displays the “friend’s” name and photo from the Facebook profile.  A very clever little piece of social engineering.

Although the worm originates from a Facebook account from a person known to the user, the user receiving the message does not need to be a member of Facebook. 

Other origination points include but are not limited to:

  • facebook.com
  • hi5.com
  • friendster.com
  • myyearbook.com
  • myspace.com
  • bebo.com
  • tagged.com
  • netlog.com
  • fubar.com
  • livejournal.com
  • YouTube.com

WHAT IT DOES:

After clicking on the link, the user is redirected to an IP Address which contains the “fake social network friend page”.  Upon arriving at the site, the user is prompted to update the Adobe Flash Player.  The “fake update” installs the worm on the user’s computer. 

WORM_KOOBFACE.AZ propagates through other networking sites by using “cookies” stored on the user’s computer.

The worm connects to each site using the login credentials stored in the gathered cookies. It then searches for the infected user’s friends, who are sent messages containing a link from which a copy of the worm is downloaded. It also sends and receives information from the infected machine by connecting to several servers.

This allows hackers to execute commands on the affected machine. Currently there are over 300 International data collection sites containing this worm!
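A detection sketch for the lure path described above (the subject line quoted under INFECTION METHOD, a link whose host is a bare IP address rather than a hostname, and a path that claims to be a Flash Player update), added here as an example; it is not from the original article or any vendor signature, and every sample message, host and path in it is a constructed placeholder.

```python
import ipaddress
import re
from urllib.parse import urlparse

# The subject line is the one quoted in the article; the regexes are assumptions.
KNOWN_LURE_SUBJECT = "thiss vvideo witth you on the streeet"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
FAKE_UPDATE_RE = re.compile(r"(flash|adobe).*(update|install|setup)|setup\.exe", re.IGNORECASE)

def link_host_is_ip(url):
    """True when the link points at a literal IP address instead of a hostname."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def koobface_indicators(message):
    """Return the sorted list of indicator names matched by one message dict."""
    hits = []
    if message["subject"].strip().lower() == KNOWN_LURE_SUBJECT:
        hits.append("known-lure-subject")
    for url in URL_RE.findall(message["body"]):
        if link_host_is_ip(url):
            hits.append("link-to-raw-ip")
        if FAKE_UPDATE_RE.search(urlparse(url).path):
            hits.append("fake-flash-update-path")
    return sorted(set(hits))

def triage(messages):
    """Return {message id: indicators} for every message with at least one hit."""
    flagged = {}
    for m in messages:
        hits = koobface_indicators(m)
        if hits:
            flagged[m["id"]] = hits
    return flagged

# Constructed sample messages: the IPs are documentation ranges, not real IoCs.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Thiss vvideo witth you on the streeet",
     "body": "look at this http://192.0.2.10/video/flash_update.exe"},
    {"id": "m2", "subject": "Lunch tomorrow?",
     "body": "see http://example.com/menu"},
    {"id": "m3", "subject": "funny clip",
     "body": "http://198.51.100.7/watch"},
]
```

Calling `triage(SAMPLE_MESSAGES)` flags m1 on all three indicators and m3 on the raw-IP link only; a single indicator such as a raw-IP link is worth a look but is not proof of infection on its own.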

© Copyright 2009 – Kevin M. Nixon – All Rights Reserved – See: Information Security Resources
(This article may be reprinted in whole or in part only with proper attribution to the author.)
