Experts Warn Koobface Eying More Social Sites

Malicious hackers are continuing their attacks on social networking sites, with a new variant of the Koobface worm now spreading its assault on a new crop of the popular sites.

Facebook has been in Koobface’s crosshairs since last year. But now the worm has widened its attack to include MySpace, Bebo, Friendster and MyYearbook, according to Jamz Yaneza, threat research manager at antivirus vendor Trend Micro.

The new variant of the worm, which Trend Micro calls Worm_Koobface.AZ, spreads over e-mail to potential victims on social networking sites. The virus steals cookies from victims’ Web browsers, giving the attackers access to users’ preferences, and, in some cases, passwords, Yaneza said.

While social networking sites rely on encrypted browser cookies, Koobface sends these cookies to a hacker-controlled Web site, where the attackers try to decrypt them, Yaneza said.

“Once the cookies have been decrypted, the worm can masquerade as the user, then send links to the user’s friends that will take them to sites containing malware,” he added.

The approach takes hackers beyond the need to design Facebook applications that target victims, as they did recently in the “Error Check System” attack, Yaneza said. While such apps can spread quickly by disguising themselves as communications from friends, social networking sites can disable and block them with relative ease.

So far, social networking sites say the worm has yet to pose a significant threat. A MySpace spokesperson said that the site is already secured against Koobface and has not yet received any complaints from users about the worm.

“We identified the original variant in August and scrubbed the system, and have technology in place to identify and remove the virus very quickly and our users aren’t harmed,” she said.

A Friendster spokesperson said their site has not seen an impact from the worm, while Facebook and Bebo had not responded to requests for comment by press time.

Security experts say social networking sites are a tempting target because the attackers can easily reach thousands, if not millions, of victims.

“They get more bang for their buck,” Trend Micro’s Yaneza said.

Last month, spammers hijacked a Facebook group with 1.5 million users.

That trend also poses concerns for enterprises, many of which have users of social networking sites.

“If you connect to your social networking site from work, you’re not safe,” said Roger Thompson, chief research officer at antivirus vendor AVG. “You’ve opened a link through your firewall.”

Burrowing in to attack

The latest variant of Koobface is particularly difficult to remove. The worm, which Trend Micro said runs on Microsoft (NASDAQ: MSFT) Windows 98, ME, NT, 2000, XP and Windows Server 2003, digs in by launching a rootkit attack, moving deep into the operating system of the victim’s computer and resisting attempts to remove it, AVG’s Thompson said.

“If it’s hiding in a particular directory and an antivirus application browses that directory, it removes itself from the list of files returned to the antivirus software,” he said.

The hackers behind Koobface.AZ spread the virus using e-mails with a variety of enticing subject lines. One that AVG has seen is a message urging potential victims to get the new Adobe (NASDAQ: ADBE) update, Thompson said.

“That’s a good trick and, given that Adobe has recently begun issuing patches for vulnerabilities, they’re likely to download it.” Adobe has recently been hit by well-publicized vulnerabilities in its Acrobat, Reader and Flash Player applications, leading to a number of patches.

A Trend Micro researcher found another come-on — the familiar invitation to click on a link to view a video. But this message appears to have been sent by a friend, he wrote in a blog post, with the video supposedly having been posted by the sender and hosted on a page that displayed their name and the photograph from their Facebook profile.

As a result, users should beware of any link sent to them either by e-mail or through their social networking site, Trend Micro’s Yaneza said.

“If the URL points to a site outside your social networking site, don’t click on it,” he said.
