Koobface tries to worm its way back onto Facebook

Beware the way the cookie crumbles

Published: 3 March 2009 12:45 GMT by Elinor Mills

Tags: facebook, koobface

Facebook has been hit by what's believed to be the fourth rogue app in a week or so and is said to be investigating the spread of a new variant of the Koobface worm.

According to security firm Trend Micro, the Koobface worm spreads via a message from a Facebook 'friend' that includes a link to what looks like a video, as Rik Ferguson wrote on the Trend Micro blog.


The landing page displays the name and photo of the friend. Clicking the 'install' button redirects to a download site for the file "setup.exe", which is the new variant of Koobface dubbed Worm_Koobface.az.

Jamz Yaneza, a senior threat analyst and researcher at Trend Micro, said in an interview: "Previous versions didn't have all these complexities and automation built in. This new variant has a back end doing all the modifications."

Once the worm infects a computer it sends cookie information to a remote server, of which there are as many as 300 in the operation, Yaneza said. "Now you can use a third-party connection via the Facebook API," he said. The cookie information can include unencrypted log-in information, enabling attackers to masquerade as a legitimate Facebook user, he added.

The worm connects to a site using log-in credentials stored in the gathered cookies and sends messages to the friends of an infected user. It also sends and receives information from an infected machine by connecting to remote servers and allows attackers to execute commands on infected machines.
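The behaviour described above leaves two server-side traces: a session cookie that appears from a second client, and a burst of messages to many friends. The following is an added example, not code from the article or from Trend Micro; the event format, thresholds and function name are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real logs):
# (time_s, session_id, client_ip, user_agent, action, recipient)
SAMPLE_EVENTS = [
    (0,   "sess-A", "198.51.100.7", "Browser/1.0", "view", ""),
    (40,  "sess-A", "198.51.100.7", "Browser/1.0", "send_message", "friend1"),
    (60,  "sess-B", "203.0.113.20", "Browser/1.0", "view", ""),
    (90,  "sess-B", "192.0.2.99",   "Script/0.1",  "send_message", "friend1"),
    (92,  "sess-B", "192.0.2.99",   "Script/0.1",  "send_message", "friend2"),
    (95,  "sess-B", "192.0.2.99",   "Script/0.1",  "send_message", "friend3"),
    (300, "sess-C", "198.51.100.8", "Browser/2.0", "send_message", "friend9"),
]


def flag_sessions(events, fanout_limit=3, window_s=60):
    """Return {session_id: [reasons]} for sessions that look replayed.

    Hypothetical heuristic with two signals:
      client_changed  - the cookie is presented by a different (IP, User-Agent)
                        than the one that first used it
      message_fanout  - fanout_limit or more distinct recipients are messaged
                        within window_s seconds
    """
    first_client = {}                  # session -> first (ip, ua) seen
    sends = defaultdict(list)          # session -> [(time, recipient)]
    reasons = defaultdict(set)

    for t, sid, ip, ua, action, recipient in sorted(events):
        client = (ip, ua)
        first_client.setdefault(sid, client)
        if client != first_client[sid]:
            reasons[sid].add("client_changed")

        if action == "send_message":
            sends[sid].append((t, recipient))
            recent = {r for ts, r in sends[sid] if t - ts <= window_s}
            if len(recent) >= fanout_limit:
                reasons[sid].add("message_fanout")

    return {sid: sorted(r) for sid, r in reasons.items()}


if __name__ == "__main__":
    for sid, why in flag_sessions(SAMPLE_EVENTS).items():
        print(sid, why)
```

A flagged session is a candidate for the response Facebook describes later in the article: invalidating the session and resetting the account password.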

The worm is also targeting users of other social networking sites, including MySpace and Bebo, Trend Micro said. An earlier version of Koobface hit Facebook in December.

A Facebook spokesman said the company is investigating the new variant of Koobface.

This comes after news of Facebook swatting down a similar rogue app late last week and another one a few days before that.

Trend Micro's Ferguson wrote in an email: "It seems that Facebook as an attack platform may be coming of age."

Facebook implemented an app verification policy late last year after getting criticised for not vetting its apps enough. But the security and privacy "seal of approval" policy is voluntary.

Trend Micro's Yaneza said it should be compulsory for all Facebook apps, just as Apple vets all iPhone apps.

Facebook's spokesman said the company is looking into the app and would disable it if it turns out to be deceptive or malicious.

"It is important to note that we've built security into the Facebook Platform by preventing any app, including the rare malicious app, from accessing sensitive information like contact info," he said in an email.

"Only a small percentage of Facebook users have been affected by security issues, including Koobface," he said. "We're updating our security systems to minimise further impact, including resetting passwords on infected accounts and identifying and deleting malicious content sent by the virus. We've posted a note about this on our security page to educate users."


