By Andrew Brandt
The latest generation of Koobface targets its particularly effective brand of social engineering at more social networks than ever. As the worm has evolved, we’ve seen it grow to encompass a pantheon of services, targeting not only the widely publicized Facebook, MySpace, and Twitter, but also a host of other Web sites where people meet and (apparently) post links to funny videos for one another to watch.
To illustrate how pervasive the worm has become at propagation, we put together the video below. (And no, you don’t need to download some random codec to watch it, just Flash.) If you’ve got two minutes, check it out, but to get the best view, maximize the video window first (click the little “X” next to “vimeo” in the lower-right corner):
For our test, several members of Webroot’s Threat Research team created profiles on the social networks Koobface attempts to infiltrate, logged into those accounts on test computers, then executed the worm’s main installer application.
The worm checks which of the sites it targets you are logged in to, and downloads a specific payload for each of those social networking sites. That makes sense: Each of those social networks has its own distinct user interface, which the payload targeting that site interacts with. But the sites all have one thing in common: They all permit members to send one another messages containing hotlinked URLs. And that’s what Koobface is best at: Propagating itself by sending links. Nothing surprised us more than finding that we could actually watch the worm interacting with the interface, filling in forms and clicking buttons, as we stared at the screen.
The content of the messages was typically brief: Message text sometimes consisted of a single acronym, like “LOL,” and at other times a short phrase, such as “Sweet! Your booty looks great on this video!” or “You were sighted on our secret camera!” Smileys accompanied most of the messages, and because everyone knows that malware doesn’t smile or wink, it was a perfect disguise.
On Twitter, the worm merely posts a new tweet, once during the initial infection, and periodically thereafter (with the tweeted links using link-shortener services like bit.ly to obfuscate the destination).
On MySpace, the worm changes the account user’s “Status” by modifying the text and adding a link (which MySpace helpfully obfuscates by changing the link to one that uses its own automatic URL shortening service). Facebook users get a triple-threat: The worm posts links on the infected user’s wall, posts different links on the walls of the infected user’s friends, and also sends yet a third link to all of the infected user’s friends through the service’s Compose Messages page.
In Bebo, Netlog, Hi5, and other services, the worm sends short, private text messages and URLs to all of the user’s friends, but it doesn’t appear to interact with other aspects of the user’s account profile. After it sends these messages, the worm then goes into the sent-messages folder and deletes the record of the message from the account. Curiously, on the Bebo service, Koobface also attempted to send one of its links to the site’s support team through the user-to-user messaging interface, but the site rejected the message with an error indicating that the support staff can no longer receive messages in this way. I guess they got tired of getting infected.
The sites also behaved differently, depending on whether they detected funny business: Facebook periodically locked out the account of the infected users, until those users logged in again from another computer. MySpace not only locked out an account, but forced the account holder to change the password. Of course, when we did that on the infected machine, we also provided someone with our account credentials. Overnight the following night, someone tried to log in to that account and change settings that would have permitted them to take control of the account, but MySpace once again locked the account and we had to change the password a third time. When we logged back in, the service displayed a message warning us that our account had been phished.
Several of the sites appear to use algorithms that flag private messages containing URLs, and challenge the worm to fill in a captcha field. According to reports published online, one of the payloads the worm has downloaded in the past has the ability to break captchas, but we didn’t observe this behavior. So on those sites, including Bebo, Tagged, and MyYearbook, the messages were created but never sent because the captcha blocked the process and the “captcha breaker” didn’t appear to be present, or didn’t work.
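The URL-flagging that stops the worm on these sites can be approximated with a small outbound-message heuristic. The following is an added example written for this post, not code from Webroot or from any social network; the shortener hosts, lure phrases and the sample messages are constructed, and the scoring thresholds are assumptions a real service would tune.

```python
import re
from urllib.parse import urlparse

# Constructed sample of one account's outbound private messages; the lure text
# and bit.ly-style links mirror what the post describes (all values are made up).
SAMPLE_MESSAGES = [
    {"to": "friend01", "text": "LOL :) http://bit.ly/2konst"},
    {"to": "friend02", "text": "You were sighted on our secret camera! ;) http://bit.ly/2konst"},
    {"to": "friend03", "text": "You were sighted on our secret camera! ;) http://bit.ly/2konst"},
    {"to": "friend04", "text": "Are we still on for dinner on Friday?"},
    {"to": "friend05", "text": "Here's the gardening article I mentioned on Sunday: http://www.example.com/articles/compost"},
]

# Assumed lists: a few well-known shortener hosts and the lure phrases quoted in the post.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd"}
LURE_PHRASES = ("secret camera", "looks great on this video", "lol")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def score_message(text):
    """Return (score, reasons) for a single message based on its own content."""
    reasons = []
    urls = URL_RE.findall(text)
    if urls:
        reasons.append("contains_url")
        if any(urlparse(u).netloc.lower() in SHORTENER_HOSTS for u in urls):
            reasons.append("shortened_url")
    body = URL_RE.sub("", text).strip().lower()
    if urls and len(body) <= 30:  # worm messages carry almost no text besides the link
        reasons.append("short_text_with_link")
    if any(phrase in body for phrase in LURE_PHRASES):
        reasons.append("lure_phrase")
    return len(reasons), reasons

def challenge_decisions(messages, burst_threshold=3, challenge_at=2):
    """Decide per message whether to interrupt sending with a captcha.
    Adds one cross-message signal: the same link sent to many distinct recipients."""
    recipients_per_url = {}
    for m in messages:
        for u in URL_RE.findall(m["text"]):
            recipients_per_url.setdefault(u, set()).add(m["to"])
    decisions = []
    for m in messages:
        score, reasons = score_message(m["text"])
        if any(len(recipients_per_url[u]) >= burst_threshold for u in URL_RE.findall(m["text"])):
            reasons.append("same_link_to_many_recipients")
            score += 1
        decisions.append({"to": m["to"], "challenge": score >= challenge_at, "reasons": reasons})
    return decisions

if __name__ == "__main__":
    for d in challenge_decisions(SAMPLE_MESSAGES):
        print(d)
```

Run as-is, the three worm-style messages are challenged while the two ordinary ones (no link, or one descriptive link to a single friend) pass through.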
In fact, Koobface appears to have become a “brand name” in malware; its unfortunate prominence means we’re likely to see more evolutionary changes in its propagation methods and payloads in the months to come, so please treat every social networking link with caution — especially the ones promising a link to a video.
Special thanks to Christoph Keller for giving us permission to use his masterful piano performance in our video.