Last week we reported that Twitter was warning users that the Koobface worm was now targeting their social networking site.
One thing that was noticeable about the attacks was that they were quite diverse for such a short space of time – some used shortened URLs, others didn’t, and we saw a fair range of messages to lure in users.
In other respects, it was interesting how little the attack had changed to the ones in past months.
Between the link you click and the malware you get, there tend to be a few stepping-stone pages. Just by looking at these we can see some of the scope of this worm – back in November 2008 we saw Koobface attacking Facebook, MySpace, Bebo, hi5, and GeoCities, and by February it was targeting Friendster and Tagged as well.
Here’s the code from one of the stepping-stone html pages we saw last week:
As well as Twitter, it looks like they’re expecting visitors from myYearbook and fubar as well. There have been a few cosmetic changes to the code, but the script is pretty much the same, and we still detect it as Mal/JSRedir-A.
Next you get taken to this page:
Yes, it’s a fake video page, which simply insists that you download a new codec or video player to access that video you’re simply desperate to see. We still detect this page as Mal/VidHtml-G – it’s an age-old con, but presumably people are still falling for it.
Finally you get taken to the malware itself, in this case called setup.exe. In fact we saw the exact executable file change several times, but we detect them as Mal/KoobHeur-A.
There are some key lessons here:
- Always be careful which links you follow, even when they appear to come from friends.
- Be cautious with short URLs – see Graham’s blog about a neat add-on for Firefox called LongURL which will help you look before you leap.
- If you browse with FireFox, consider installing NoScript – it will help try to keep you safe, in particular from scripts trying to do things without your say-so.
- Don’t install codecs or video player updates from random sites. Only install from sites you trust.
- Don’t assume your social networking site is safe – Koobface is constantly looking to cover more ground.
The battleground has changed, but the tactics definitely haven’t. Be sensible, and be safe.