Getting Friended By Koobface
You know you've attracted the attention of online troublemakers when they start using their malicious software to taunt you by name.
Such is apparently the case with the latest version of Koobface, a worm that spreads on Facebook, Twitter and other Web 2.0 sites and turns infected systems into bots that can be used for a variety of improper and possibly criminal purposes. According to an analysis performed on the malware by researchers from the University of Alabama at Birmingham, the latest version references a domain that begins with an expletive and ends with ...briankrebs.com (if you figure it out please DO NOT visit this Web site, as you could pick up a malicious program).
I suppose I should be flattered, as I'm in good company: According to the researchers, this Koobface variant also forces infected systems to call out to another domain that drops an expletive in the middle of fire...eye.com (again, please stay away from that domain). No doubt, this is a dig at FireEye, a Milpitas, Calif. company that has published a great deal of key research on some of the top spam botnets this past year.
"It's a personal feather in the cap, knowing that on some level we made cyber crime more difficult," said Alex Lanstein, senior security researcher at FireEye. "Playing whack-a-mole with [botnet control] servers is a losing battle, but shining a light in the dark corners of the net and raising awareness of just how dumb these guys can currently afford to be is obviously having an impact."
UAB researchers said they found a link being posted on Facebook.com that redirects anyone who clicks it to a constantly refreshed list of 100 infected Web pages, each of which looks like a Facebook page, but drops malware when you try to play the video on the page.
The malware installs a rogue anti-virus product, along with a malicious program designed to hijack a portion of the victim's Google search results, ostensibly as a way to earn click fraud money for the attackers.
As a result of the search hijacking, the university researchers found that victims of this version of Koobface may find it difficult to visit the Security Fix blog, among other sites.
"If you do a Google search, you get your normal results, but then if you actually try to click on any of the links, there is a 'random chance' that you will be redirected to another site," wrote Gary Warner, director of research in computer forensics at the school, in an e-mail to Security Fix. "So, for example, we Googled 'Brian Krebs,' got Security Fix as our top result, clicked on your link, which showed up right with a 'floatover'. Instead of going to the post though, we contacted a site called 'findy31.com' and then ended up at 'strikingoffers.com'," (again, please refrain from visiting these domains).
August 31, 2009; 7:57 PM ET
Categories: Fraud, From the Bunker | Tags: alex lanstein, fireeye, gary warner, koobface