Security researchers warn that the infamous Koobface social networking worm has received an upgrade that allows it to create and use Facebook accounts much as a real person would. The new component also performs various checks in order not to arouse suspicion.
Koobface is a computer worm targeting the users of social networking websites. It spreads by hijacking or automatically creating bogus accounts and posting links to malicious web pages. The most common Koobface lure is the “intriguing video” trick, in which the user is enticed into visiting a malicious URL in order to see an online video.
However, on the landing page, the user is actually presented with an image mimicking an embedded video, which allegedly requires a special codec or Flash Player upgrade to view. The executable served is actually the installer for the worm.
According to security researchers from antivirus vendor Trend Micro, a recent upgrade lets the worm automatically register Facebook accounts, activate them by visiting confirmation URLs sent to Gmail addresses, authenticate with the new accounts, join Facebook groups, add new friends and post messages on their walls.
“Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others,” Jonell Baltazar, advanced threats researcher at Trend, explains.
Furthermore, the new version of the worm checks the maximum number of friend requests so as not to exceed it and arouse suspicion. All the tasks are performed by automating Internet Explorer, but this only works with versions higher than 6.
The Koobface authors are known for their ingenuity when it comes to devising new social engineering tricks or finding other ways of bypassing security protocols. In recent months, they have been very active in making their creation more resilient and effective. Back in August, Kaspersky analysts reported that the worm was updated with a URL-randomization algorithm and a better-designed landing page.