The Last Watchdog

on Internet security by Byron Acohido

How Koobface has evolved to stay a step ahead

Posted on March 4, 2010

By Byron Acohido

March 4, 2010 p2A, USA TODAY

The Koobface worm is a case study of how swiftly cybercriminals react to emerging trends. Koobface first appeared in the fall of 2008 just as social networks were getting hot. Its creators initially sent Facebook users friendly messages asking them to click on a link to see a video.

Doing so called up another message asking the recipient to click on an executable file — a small computer program — needed to upgrade a video player required to view the video. In a classic bait-and-switch, clicking on the file instead turned over control of the PC to the attackers. The worm then automatically sent similar viral messages from the victim’s account to his or her Facebook friends.


Persuading someone to run the malicious file was the key step: the victim was knowingly choosing to execute the bad code, so the attackers needed no software vulnerability to break into the computer. “They’ve tricked you into doing their dirty work,” says Chet Wisniewski, senior analyst at anti-virus firm Sophos.

Koobface’s controllers continually refine their pitch, often tying come-ons to celebrity news; they’ve also pioneered ways to quickly alter the malicious code just enough to slip past antivirus filters designed to detect known malicious programs and block them.
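The evasion trick described above, as an added illustration that is not part of the original article and not Koobface’s actual code: a scanner that blocks a file by its hash is defeated by changing a single byte that does not affect behaviour, while a check on the file’s structure and a characteristic content marker still fires. The sample bytes, the marker string and the function names are constructed for this example.

```python
"""Why a hash blocklist misses a trivially altered executable.

Constructed example: the "sample" below is a stand-in for a dropped
"video player upgrade" executable. Its bytes are invented for this
demonstration and do not come from any real malware.
"""
import hashlib

# Marker string assumed, for the example, to be characteristic of the family.
MARKER = b"post-to-all-friends"

# Constructed PE-like blob: DOS magic, padding, PE signature, marker, padding.
PADDING_LEN = 32
SAMPLE = (
    b"MZ" + b"\x90" * 62          # DOS header stub (MZ magic plus padding)
    + b"PE\x00\x00"               # PE signature
    + MARKER                      # constructed behavioural marker
    + b"\x00" * PADDING_LEN       # trailing padding that nothing depends on
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The kind of blocklist a purely hash-based filter keeps: one entry per sample.
HASH_BLOCKLIST = {sha256_hex(SAMPLE)}


def hash_blocked(data: bytes) -> bool:
    """Signature check that matches only the exact bytes seen before."""
    return sha256_hex(data) in HASH_BLOCKLIST


def mutate_padding(data: bytes, seed: int) -> bytes:
    """Change one byte of trailing padding: same behaviour, new hash.

    This is the cheapest form of the 'alter the code just enough' trick.
    """
    body, pad = data[:-PADDING_LEN], data[-PADDING_LEN:]
    return body + bytes([seed & 0xFF]) + pad[1:]


def is_pe(data: bytes) -> bool:
    """Structural check: DOS magic and a PE signature somewhere after it."""
    return data[:2] == b"MZ" and b"PE\x00\x00" in data


def content_match(data: bytes) -> bool:
    """Content-based check: a PE file carrying the family's marker."""
    return is_pe(data) and MARKER in data


def scan(data: bytes) -> dict:
    """Run both checks and report which one catches the file."""
    return {"hash_blocked": hash_blocked(data), "content_match": content_match(data)}


if __name__ == "__main__":
    original = scan(SAMPLE)
    variant = scan(mutate_padding(SAMPLE, 1))
    print("original :", original)   # both checks fire
    print("variant  :", variant)    # only the content check fires
```

The point generalises: any detection keyed to an exact hash is defeated by a one-byte change, which is why repacking a sample per victim is enough to outrun a blocklist. A content or structural rule survives this cheap mutation, but a determined operator who also rewrites or encrypts the payload body will defeat a fixed byte marker as well, so such rules have to target what the code must do to work rather than how it happens to be laid out.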

And they’ve aggressively extended their attacks to large and small social networks, including MySpace, Twitter, Hi5, Bebo, MyYearbook and Friendster. “Their inventiveness is astonishing,” says Sergei Shevchenko, senior researcher at anti-virus firm PC Tools.

Thus far, the gang has been content to generate revenue mainly by pushing promotions for fake anti-virus software or counterfeit drugs to each computer they infect. “The business model is simple, ‘low-effort, quick money,’ ” says Shevchenko.

But there is little stopping Koobface’s controllers from renting out infected PCs to other criminals, a common practice. “Horse-trading between botnet operators may result in changes in the way the victim’s computer is used over time,” says Gunter Ollmann, vice president of research at security firm Damballa.


Comments


  1. Here’s a good whitepaper on the subject of blocking social networking apps. It has lots of insightful and useful information about identifying and controlling Enterprise 2.0 apps (Facebook, Twitter, Skype, etc.)

    http://bit.ly/9f8WOT

    IT departments are stuck between a rock and a hard place. They know that end-users and the business units will revolt if these apps are outright blocked. At the same time, they know these apps carry risks and can’t leave them unchecked. It requires a good balance between enablement and security.
