Tuesday, September 08, 2009

Koobface Fraud Malware...

September 2009

New Koobface variant drops scareware and click fraud malware.
A new Koobface variant has been detected spreading in the wild and has been analyzed by security researchers from the University of Alabama at Birmingham (UAB). The analysis revealed that the illegal money-making schemes used by its creators include scareware distribution and click fraud via rogue affiliate advertising programs. Koobface is a social networking worm that spreads on websites such as Facebook, MySpace, Bebo, hi5, Tagged, Netlog and Twitter by posting malicious messages from hijacked accounts. Computers infected with this malware join together to form a botnet, which is currently estimated to be one of the largest in the world, comprising over 2.9 million compromised computers in the U.S. alone. This new Koobface variant does not differ much from its past versions, at least as far as the social engineering component is concerned, suggesting that the technique is still successful and that users are not sufficiently educated. Spam messages posted on social networking sites from compromised accounts link to pages that allegedly contain videos. These fake pages ask unwary visitors to install a Flash Player update in order to view the video; the "update" is actually the worm's installer.

In order to make money with Koobface, its creators use it as an installation platform for other malware, such as rogue security applications. These programs, also known as scareware or rogueware, display bogus security alerts informing the computer's owner that the machine is infected and that, in order to clean it, they must buy a license for the fake antivirus. One interesting aspect is that all of these redirects occur through a list of predefined IP addresses and host names, including fire[expletive]eye.com and [expletive]briankrebs.com. These two domain names are direct references to the security research company FireEye and to a Washington Post journalist who maintains the Security Fix blog. A message hidden inside a July variant of the worm ironically read: "We express our high gratitude to a security consultant for the help in bug fixing, researches and documentation for our software." This individual is an independent security consultant who plays an active role in tracking and shutting down botnets and other illegal operations.
