The Tech Herald

Koobface kicks off another run – new tricks for an old dog

by Steve Ragan - Aug 6 2009, 19:30

A Kaspersky Lab blog post has highlighted a new wave of attacks recently launched by the Koobface family of malware. Kaspersky researcher Stefan Tanase points out that this new Koobface campaign is using some old tricks with a new twist.

To start, Tanase explains that the new Koobface run is using a fresh and improved destination page. Previous Koobface runs used a poorly designed YouTube knockoff; this one uses a Facebook lookalike, and one that's “very well designed,” he noted.

The image below is the one Tanase posted; as you can see, the Facebook spoof is rather detailed. This is likely to help the criminals in the long run, as users unfamiliar with such tricks could easily be snared by the lookalike page.

(IMG: Kaspersky Labs)


While the new destination page is an obvious improvement, the criminals behind the latest Koobface attacks are still using the old method of infection. The spoofed Facebook page prompts visitors to download and install an “update” for Flash Player, and that download is how the infection happens. As seen in previous Koobface attacks, there is always something to update or download and install, such as a codec, and fake Flash Player update warnings have been used in earlier runs as well.

While it’s hard to imagine anyone downloading and installing software from an untrusted source, the fact remains that most online users are familiar with Flash Player and are used to being asked to update it, so many will follow an update link without a second thought... which, in short, means this method of attack still works.

Another new trick in this latest Koobface attack involves Twitter. Since the tweets are sent from infected machines, their sheer volume is also evidence that the install method Koobface is using is effective. The image below is a screenshot of a Twitter search; the posts are all Koobface-related (a live example of this search can be found here).


“Koobface is now sending unique tweets. Messages sent in previous attacks were all the same,” wrote Tanase. “Now there's a random component being added, with strings like "HA-HA-HA!!", "W.O.W.", "WOW", "L.O.L.", "LOL", ";)" or "OMFG!!!" at the end of each tweet.”

Aside from the random suffix on the message text, the links vary as well: each tweet carries a different shortened URL.

“They are also adding a random component to the Koobface landing page so now, the URL gets shortened to a different bit.ly URL each time,” Tanase added.
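The two changes Tanase describes, a random suffix drawn from a small fixed set and a fresh bit.ly link per tweet, defeat exact-duplicate matching but leave the underlying template intact. The script below is an added example (not code from Kaspersky or The Tech Herald) of the detection logic a defender could run over a batch of tweets: it strips the short URL and any of the suffixes quoted in the article, groups tweets by what remains, and flags a template when it is posted by several distinct accounts, each with its own short URL. The sample tweets, account names and bit.ly hashes are constructed for the example, and the `min_accounts` threshold is an assumed tuning value, not anything from the article.

```python
import re
from collections import defaultdict

# Suffix strings Kaspersky observed being appended to the randomized tweets
# (quoted in the article). Longest first so "HA-HA-HA!!" is tested before "LOL".
RANDOM_SUFFIXES = sorted(
    ["HA-HA-HA!!", "W.O.W.", "WOW", "L.O.L.", "LOL", ";)", "OMFG!!!"],
    key=len, reverse=True,
)

# Any bit.ly link. The hash differs per tweet, so it is replaced by a placeholder
# before comparison but collected separately for the distinct-URL check.
SHORT_URL_RE = re.compile(r"https?://bit\.ly/\S+")


def normalize(text):
    """Strip the per-tweet randomization so one campaign template maps to one key.

    Returns (template_key, list_of_short_urls_found).
    """
    urls = SHORT_URL_RE.findall(text)
    key = SHORT_URL_RE.sub("<URL>", text).strip()
    for suffix in RANDOM_SUFFIXES:
        if key.endswith(suffix):
            key = key[: -len(suffix)].rstrip()
            break
    # Collapse whitespace and case so trivial variations do not split a cluster.
    return " ".join(key.split()).lower(), urls


def find_campaigns(tweets, min_accounts=3):
    """Group (account, text) pairs by template and return the suspicious groups.

    A template is flagged when at least `min_accounts` different accounts posted it
    and the group carries at least that many distinct short URLs, which is the
    pattern of a worm tweeting from infected accounts with a unique link each time.
    `min_accounts` is an assumed threshold for this example.
    """
    groups = defaultdict(lambda: {"accounts": set(), "urls": set(), "count": 0})
    for account, text in tweets:
        key, urls = normalize(text)
        group = groups[key]
        group["accounts"].add(account)
        group["urls"].update(urls)
        group["count"] += 1
    return {
        key: group
        for key, group in groups.items()
        if len(group["accounts"]) >= min_accounts
        and len(group["urls"]) >= min_accounts
    }


# Constructed sample tweets for this example; these are not real Koobface
# messages, and the account names and bit.ly hashes are made up.
SAMPLE_TWEETS = [
    ("alice", "look at this video http://bit.ly/aaa111 LOL"),
    ("bob", "look at this video http://bit.ly/bbb222 W.O.W."),
    ("carol", "look at this video http://bit.ly/ccc333 OMFG!!!"),
    ("dave", "look at this video http://bit.ly/ddd444 ;)"),
    # A benign link shared by two friends: same URL, too few accounts to flag.
    ("erin", "lunch was great today http://bit.ly/eee555"),
    ("frank", "lunch was great today http://bit.ly/eee555"),
]

if __name__ == "__main__":
    for key, group in find_campaigns(SAMPLE_TWEETS).items():
        print(
            f"{key!r}: {group['count']} tweets from {len(group['accounts'])} accounts, "
            f"{len(group['urls'])} distinct short URLs"
        )
```

Run as-is, the script reports the single "look at this video" template as a campaign and ignores the shared lunch link. In practice the suffix list should be treated as a starting point rather than a fixed signature, since the attackers can change it at will; the stronger signal is the shape of the activity, one template spread across many accounts with a different short link in each post.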

While there is no proof the two are related, it's interesting to note that this new Koobface attack started on the same day Twitter suffered a Denial-of-Service (DoS) outage.

The Tech Herald has been following the Twitter DoS issue, and will keep that story updated.

“Distributed denial of service attacks happen for a variety of reasons,” wrote McAfee’s Joris Evers in an e-mail to The Tech Herald.

“In this case it could simply be for the notoriety of taking down a high profile Web site like Twitter.com, but it may also be for more nefarious reasons such as political motivations or to extort money,” he said. “Hacktivism and extortion schemes are common online, the equivalent of disruptive protests in the streets and ‘protection money’ in the brick and mortar world.”

“While still common, most DDoS attacks today aren’t as high profile as they were nearly 10 years ago. Back in 2000 e-commerce giants eBay, Amazon.com and Buy.com, along with Yahoo, news site CNN.com, online trading sites E*Trade and Datek, and technology information provider ZDNet reported similar attacks,” added Evers. “The sites were down, sometimes for days, and the FBI held press conferences about the spate of attacks.”

According to Kaspersky researchers, more than 100 unique IP addresses are linked to the new Koobface run, and they are working to get them taken down.

The Tech Herald: Twitter suffers DoS attack - floodgates of hype open
