While summer might be a slower time for much of the economy, malware doesn’t seem to be interested in taking a vacation. The Koobface worm, for example, which first made headlines last year as an attack against Facebook, grew by more than 300 percent last month.
According to security vendor Kaspersky, the company detected 324 Koobface variants in May, while in June the number skyrocketed to nearly 1,000 by the end of the month. Part of the reason for the growth in Koobface variants is that the worm no longer limits itself to attacking Facebook users.
“The bad guys behind Koobface are constantly upgrading their malicious code, adding new functionality to Koobface,” Stefan Tanase, Security Researcher at Kaspersky, told InternetNews.com. “If one year ago, when Koobface first appeared, it only targeted the users of Facebook and MySpace, right now it is spreading through more social networking websites like Hi5, Bebo, Tagged, Netlog and, most recently, Twitter. But a different modification does not necessarily mean new modules to the malware; it can only be a slight change in code, used specifically for evading detection by anti-virus companies.”
Earlier this year, security vendor Trend Micro reported that Koobface expanded from its Facebook base to target MySpace, Bebo and Friendster.
For some malware, variants are created with script kiddie toolkits that enable easy worm creation. That’s not the case with Koobface.
“I have not personally seen or heard about ‘script kiddie’ kits for developing Koobface variants,” Tanase said. “Most probably it is an organized team behind it, but the authors remain unknown.”
Though Koobface now has a wider attack surface than just Facebook, according to Tanase, the strategy is the same. He explained that once a user is infected by way of an infected link, Koobface immediately starts sending messages to the user’s friends or followers advertising more malicious pages that are spreading Koobface. He added that the exact method used in each social network is different, as social networks themselves are different in the way users interact with each other.
Tracking Koobface
One way that Kaspersky is tracking the growth of Koobface is by way of social media honeypot accounts. Those are accounts set up for the express purpose of tracking and attracting malware.
“Social media honeypot accounts are a good way of getting new variants, but it’s not the only one, nor the best one,” Tanase said. “For example, we are constantly monitoring malicious URLs that are spreading Koobface, sometimes getting new variants that are uploaded there even before the bad guys start using them in the wild.”
To date, tracking Koobface attacks has been all about one operating system, Microsoft Windows. Users of other operating systems are not at risk, but that could change.
“We have not seen Koobface binaries targeting other operating systems than Windows so far, but as functionality is increasing we are not ruling out this possibility in the future,” Tanase said. “One of the latest additions to Koobface was a DNS-changer module, and while DNS-changers are the major threat to Mac users right now, Koobface does not target them yet.”
Protecting Windows PC users against Koobface requires a multi-layered approach. In May, Roel Schouwenberg, senior antivirus researcher at Kaspersky, told an Interop session that in his view, Twitter was actually making people less secure by encouraging them to click on links.
The human factor in Koobface prevention is also one that Tanase sees as being a key aspect.
“Yes, an up-to-date anti-malware or internet security product like Kaspersky Lab is offering is more than helpful, being one of the main defense mechanisms, but users should also increase their level of security awareness,” Tanase said. “Most of the time, the problem actually lies between the computer screen and the chair, and the human mind is one of the hardest things to patch.”