Koobface, new promises?

Koobface started life compromising Facebook accounts and gained much wider notoriety when it began attacking Twitter accounts as well. It then diversified to a range of social networking sites, MySpace, Bebo, hi5, GeoCities and Friendster among the more prominent.

Recently I came across what could possibly be the next iteration of Koobface, W32/Koobfa-O, which came with Skype hacking functionality and some additional promises for the future. The new variant queries the Skype client running on the compromised machine through the Skype API to collect various pieces of information about the victim. The following screenshot shows a few of the API commands it issues:

W32/Koobfa-O collects profile fields such as HOMEPAGE, ABOUT, PHONE_MOBILE, PHONE_OFFICE, PHONE_HOME, CITY, COUNTRY, BIRTHDAY, FULLNAME and PSTN_BALANCE. The collected information is dumped to a file, packed into a RAR archive and either emailed or uploaded to a remote server. The worm then uses Skype chat as the logged-in user and starts conversations with contacts who are online. The body of the worm carries conversation snippets in 18 languages, including several Asian ones. The following screenshot shows some of the English snippets:

I initially expected that there might be some lexical analysis being done to talk somewhat intelligently with the person at the other end of the chat, but it seems the worm pastes conversation pieces fairly randomly. This is presumably because the worm supports conversation in 18 languages, and doing lexical analysis across that many languages would be too complicated; it is easier just to chat at random. The worm also pastes into the conversation a link to a compromised domain; visiting it downloads W32/Koobfa-O.
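The two behaviours described above, bulk reading of profile fields through the Skype API and pushing canned phrases plus a link to many contacts, are both visible in the sequence of API commands the worm sends to the Skype client. The script below is an added example written for this page, not code from the original post, from Sophos or from the malware itself. It assumes a hypothetical trace format (relative seconds, a direction arrow, the command text) such as a hook on the Skype desktop API could record, and it assumes the shape of that API's text protocol as I remember it: the client sends `GET PROFILE <FIELD>` and is answered with `PROFILE <FIELD> <value>`, and `CHATMESSAGE <chat_id> <text>` posts a message to a chat. The sample trace, the chat identifiers and the thresholds are constructed for illustration.

```python
"""Added example: spotting W32/Koobfa-O-style Skype API abuse in a command trace.

Not code from the original post or from the worm. Assumptions (not in the post):
the trace format below is hypothetical, and the command shapes follow the Skype
desktop API text protocol as recalled here (GET PROFILE / PROFILE / CHATMESSAGE).
"""
import re
from collections import defaultdict

# Profile fields the post says the worm harvests.
HARVESTED_FIELDS = {
    "HOMEPAGE", "ABOUT", "PHONE_MOBILE", "PHONE_OFFICE", "PHONE_HOME",
    "CITY", "COUNTRY", "BIRTHDAY", "FULLNAME", "PSTN_BALANCE",
}

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)

# Constructed trace: "<seconds> <direction> <command>"; "->" is sent to the
# Skype client, "<-" is the client's reply. Chat ids and values are made up.
SAMPLE_TRACE = """\
0.0 -> GET PROFILE FULLNAME
0.1 <- PROFILE FULLNAME Alice Example
0.2 -> GET PROFILE CITY
0.3 <- PROFILE CITY Oxford
0.4 -> GET PROFILE COUNTRY
0.5 <- PROFILE COUNTRY gb
0.6 -> GET PROFILE PHONE_MOBILE
0.7 <- PROFILE PHONE_MOBILE +447700900123
0.8 -> GET PROFILE PSTN_BALANCE
0.9 <- PROFILE PSTN_BALANCE 1250
5.0 -> CHATMESSAGE #alice/$bob;1 hey, is this you? http://compromised.example/video
5.5 -> CHATMESSAGE #alice/$carol;2 hey, is this you? http://compromised.example/video
6.0 -> CHATMESSAGE #alice/$dave;3 lol look at this http://compromised.example/video
9.0 -> CHATMESSAGE #alice/$erin;4 see you tomorrow then
"""


def parse_trace(text):
    """Return a list of (seconds, direction, command) tuples from the trace text."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, direction, body = line.split(None, 2)
        events.append((float(ts), direction, body))
    return events


def harvested_profile(events):
    """Rebuild the record the worm would dump from the PROFILE replies it received."""
    profile = {}
    for _, direction, body in events:
        if direction != "<-":
            continue
        parts = body.split(None, 2)
        if len(parts) == 3 and parts[0] == "PROFILE" and parts[1] in HARVESTED_FIELDS:
            profile[parts[1]] = parts[2]
    return profile


def flag_profile_harvest(events, threshold=5, window_s=10.0):
    """True if at least `threshold` distinct harvested fields are requested
    within any `window_s`-second window. A normal client reads a field or two
    at a time; a burst across phone, balance and birthday fields is the
    harvesting behaviour described in the post."""
    requests = []
    for ts, direction, body in events:
        parts = body.split()
        if (direction == "->" and len(parts) == 3
                and parts[:2] == ["GET", "PROFILE"] and parts[2] in HARVESTED_FIELDS):
            requests.append((ts, parts[2]))
    requests.sort()
    for i, (t0, _) in enumerate(requests):
        fields = {field for t, field in requests[i:] if t - t0 <= window_s}
        if len(fields) >= threshold:
            return True
    return False


def flag_canned_chat_spam(events, min_chats=3):
    """Group outbound CHATMESSAGEs that carry a URL by link and flag any link
    pushed to at least `min_chats` distinct chats. The phrases reused around
    the link are returned too, since the worm draws them from a fixed list."""
    by_link = defaultdict(lambda: {"chats": set(), "phrases": set()})
    for _, direction, body in events:
        parts = body.split(None, 2)
        if direction != "->" or len(parts) != 3 or parts[0] != "CHATMESSAGE":
            continue
        chat_id, text = parts[1], parts[2]
        phrase = " ".join(URL_RE.sub("", text).split()).lower()
        for link in URL_RE.findall(text):
            by_link[link]["chats"].add(chat_id)
            if phrase:
                by_link[link]["phrases"].add(phrase)
    return {
        link: {"chats": sorted(v["chats"]), "phrases": sorted(v["phrases"])}
        for link, v in by_link.items() if len(v["chats"]) >= min_chats
    }


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    print("profile the worm would exfiltrate:", harvested_profile(ev))
    print("profile harvest burst:", flag_profile_harvest(ev))
    print("link spam:", flag_canned_chat_spam(ev))
```

The thresholds are deliberately loose starting points, not tuned values: a legitimate Skype add-on can read a couple of profile fields, and a user can genuinely send one link to several friends, so in practice the two signals are most useful together, and both are only as good as the hook that produces the trace.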

W32/Koobfa-O also carries a list of domains that hints at functionality still to come.

Koobface already attacks Facebook and MySpace, so those two entries on the list are no surprise. The new additions are blogger.com, wikipedia.org, youtube.com, yahoo.com and google.com. For now the worm does little more than check whether some information (possibly credentials) exists for these domains. Is this a promise for the future? Clearly, as social networking and collaborative sites and tools multiply and grow, more malware will attempt to take advantage of them.