Monday, March 2, 2009

New Variant of Koobface Worm Spreading on Facebook

Via TrendLabs' Malware Blog -

I just received a Facebook message from a friend; it was a pretty standard one that is beginning to look familiar to a lot of us, I am sure.

What surprised me, though, was the page that the link led to. On the face of it, it is a very familiar-looking spoofed version of YouTube, complete with bogus comments from “viewers”.

Take a second look, though: the link had taken me to a site supposedly hosting a video posted by the same person that I had received the Facebook message from. In fact, not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile. A very neat little piece of social engineering.

Clicking the Install button redirects to a download site for the file setup.exe, which is the new Koobface variant detected as WORM_KOOBFACE.AZ. It is hosted on an IP address in another part of the world, and in the last hour, we’ve seen 300+ different unique IP addresses hosting setup.exe and we’re expecting more. All seen IP addresses hosting the said malicious file are now detected as HTML_KOOBFACE.BA.

--------------------------

Graham Cluley of Sophos has a few great suggestions for Facebook...

My proposal would be that Facebook application developers would need to jump through several hoops before they were approved to unleash their applications on the network's 150 million plus users.

The first thing would be that anyone wanting to write a Facebook application would have to prove their identity and contact details. Yes, you heard me - not just an email address!

And then they sign an agreement with Facebook, accepting their terms and conditions, before they can become an authorised Facebook third-party developer.

After all, I remember writing an application for Facebook as an experiment and was amazed that within minutes it was available for the whole world to run, without Facebook having to know anything about me other than a webmail address.
