Cross-platform worm targets Facebook users
October 29, 2010 by admin
Filed under Security News
A new member of the Koobface family of malware has been making the headlines in the last 24 hours. The reason why the threat, which is sometimes being referred to as “Boonana”, has been getting so much attention is that it doesn’t just infect Windows, but targets Mac OS X and Linux computers too.
This incarnation of the Koobface worm appears to have been spread via Facebook in messages asking “is this you in this video”.
IMPORTANT! PLEASE READ. Hi <username>. Is this you in this video here : <link>
Clicking on the link takes you to an external website that displays an image of a woman (grabbed from the Hot Or Not website).

Visitors to the webpage who want to see more are prompted to give permission for an applet called JPhotoAlbum.class to be run from inside a Java Archive (JAR) called JNANA.TSA.


Whether you are running Windows, Mac OS X or Linux on your computer, if you give permission for the highly obfuscated Java app to run then the malware will sneakily download a variety of programs from the internet which it will then execute on your computer.
Files which can be downloaded include:
applet_hosts.txt
cplibs.zip
jnana_12.0.tsa
jnana.pix
OSXDriverUpdates.tar
pax_wintl.crc
pax_wintl.zip
rawpct.crc
rawpct.zip
rvwop.crc
rvwop.zip
VfxdSys.zip
WinStart.zip
Sophos detects various components of the attack as Troj/KoobStrt-A, Troj/KoobInst-A, Troj/KoobCls-A, Troj/Agent-PDY, Troj/DwnLdr-IOX, and Troj/DwnLdr-IOY. In addition, Sophos’s web protection blocks access to the malicious webpages.
Don’t forget to always be careful about what links you click on, even if they appear to have been shared by someone you know on Facebook.
And if you’re a user of Linux or Mac OS X, don’t think that the malware problem only exists on Windows. Malicious hackers are becoming increasingly interested in targeting other platforms, and if users of your operating system have a reputation for being dismissive of malware warnings on your preferred OS, the bad guys may consider you a soft target.
By Graham Cluley @ nakedsecurity.sophos.com
Malicious contracts spammed out by hackers
May 5, 2010 by admin
Filed under Security News
All of us know how easy it is to accidentally send an email to the wrong address. If two people in your address book have similar names then your email client might make it all too simple to send a message to the wrong one.
For instance, I work with Carole, but a simple slip of the fingers or not reading carefully enough might mean I drop a note to Carla Bruni instead. (In my dreams..)
And it’s this kind of common incident that cybercriminals are exploiting when they launch an attack like the one we are currently seeing in our worldwide network of traps.
This is a significant attack – the malicious emails are being spammed out en masse to computers around the globe, claiming to contain contracts for the unsuspecting recipient to approve.

A typical message reads:
Dear ladies and gentlemen,
We have prepared a contract and added the paragraphs that you wanted to see in it.
Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.
If necessary, we can send it by fax.
Looking forward to your decision.
<name>
Subject lines used in the attack include:
- Rent contract
- Loan contract
- Contract of order fulfillment
- Permit for retirement
- Open an account
- Record in debit of account
- Contract of settlements
- Your new labour contract
- Open an account
The danger is that recipients of the emails might be curious and tempted to examine the attached file (called Contract_01_05_2010.zip) and end up infecting their Windows computer. And it’s possible that they might open the file out of the goodness of their heart, hoping that it will contain information that will help them identify who should have received the unsolicited message.
Sophos detects the attached malware as Troj/Invo-Zip and Mal/Koobface-E. Make sure that you keep your anti-virus software automatically updated, and always be suspicious of unsolicited emails.
Opening an unknown file on your computer could mean that you’re opening a backdoor for hackers to compromise and infect your PC.
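Both Sophos write-ups above (the Boonana Java applet with its JAR and downloaded file names, and the contract spam run with its subject lines and attachment name) give concrete indicators a defender can match on. The following is an added example, not Sophos code: a small Python checker that runs those indicators over constructed proxy-log lines and message metadata. The log line format, the host names and the helper names are assumptions.

```python
import re

# Indicators copied from the two write-ups above; the helper functions and
# the sample data below are constructed for this example.
BOONANA_FILES = {name.lower() for name in (
    "JNANA.TSA", "JPhotoAlbum.class", "applet_hosts.txt", "cplibs.zip",
    "jnana_12.0.tsa", "jnana.pix", "OSXDriverUpdates.tar", "pax_wintl.crc",
    "pax_wintl.zip", "rawpct.crc", "rawpct.zip", "rvwop.crc", "rvwop.zip",
    "VfxdSys.zip", "WinStart.zip",
)}
CONTRACT_SUBJECTS = {
    "rent contract", "loan contract", "contract of order fulfillment",
    "permit for retirement", "open an account", "record in debit of account",
    "contract of settlements", "your new labour contract",
}
CONTRACT_ATTACHMENT = "Contract_01_05_2010.zip"
LURE_RE = re.compile(r"is this you in this video", re.IGNORECASE)

def check_proxy_line(line):
    """Return the Boonana file name requested in one proxy log line, or None.
    Assumed line shape: '<timestamp> <client-ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    name = parts[3].rsplit("/", 1)[-1]          # last path component
    return name if name.lower() in BOONANA_FILES else None

def scan_proxy(lines):
    """Return (client-ip, file) pairs for every line that hit an indicator."""
    hits = []
    for line in lines:
        name = check_proxy_line(line)
        if name:
            hits.append((line.split()[1], name))
    return hits

def check_message(subject, attachments, body=""):
    """Return the reasons a mail or social-network message matches the lures."""
    reasons = []
    if subject.strip().lower() in CONTRACT_SUBJECTS:
        reasons.append("subject:" + subject)
    reasons += ["attachment:" + a for a in attachments if a == CONTRACT_ATTACHMENT]
    if LURE_RE.search(body):
        reasons.append("lure:video")
    return reasons

# Constructed sample proxy lines (example.invalid is a placeholder host).
SAMPLE_PROXY = [
    "2010-10-28T10:01:02 10.0.0.5 GET http://example.invalid/JNANA.TSA 200",
    "2010-10-28T10:01:09 10.0.0.5 GET http://example.invalid/dl/OSXDriverUpdates.tar 200",
    "2010-10-28T10:02:00 10.0.0.7 GET http://example.invalid/index.html 200",
]
```

In practice the same matching would sit in a SIEM or mail-gateway rule; the point is that both campaigns leave stable, human-readable names that are cheap to alert on.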
By Graham Cluley, Sophos
8 Things You Probably Didn’t Know About KOOBFACE
October 10, 2009 by admin
Filed under Security News

You’ve probably read or heard about KOOBFACE malware propagating through social networking sites such as Facebook, MySpace, and Twitter. A lot of analysis is available online through blogs or malware descriptions. But I bet most of you probably still do not know some or all of these things about KOOBFACE.
- KOOBFACE knows: KOOBFACE has the capability to steal whatever information is available in your Facebook, MySpace, or Twitter profile. Profile pages of these social networking sites may contain information about one’s contact details (address, email, phone), interests (hobbies, favorite things), affiliations (organizations, universities), and employment (employer, position, salary). So beware, KOOBFACE knows a lot!
- KOOBFACE doesn’t just know you through your profile information, they also know what you look like!: Not only does the botnet steal profile information, it also makes sure to put a face to the name by getting one’s profile picture as well.
- URLs leading to KOOBFACE malware are either in compromised or free Web hosting sites: Yep, call them cheap but the guys behind KOOBFACE are making good use of compromised and free Web hosting sites in spamming KOOBFACE-related URLs. These URLs are spammed in social networking sites with catch phrases like “funny video,” which lead to a fake YouTube or Facebook site, which then leads to KOOBFACE malware.
- KOOBFACE zombies are made into Web servers on top of being social networking site spammers: KOOBFACE installs a Web server component into infected machines, which effectively makes the infected machine part of the malware’s distribution network. Infected machines serve fake YouTube or Facebook pages, which then lead to the KOOBFACE malware.
- KOOBFACE zombies are able to distribute repackaged versions of the malware: KOOBFACE Web servers are able to use UPX, a popular executable packer program, to pack (compress) the KOOBFACE binaries they serve.
- Half of KOOBFACE infections occur in the United States: This is not surprising, since the majority of social networking site users reside in the United States.
- KOOBFACE is able to block IP addresses: Probably in an effort to protect itself against takedown or snooping by curious researchers, KOOBFACE implemented a blockIP routine where traffic coming from a particular IP range is blocked.
- KOOBFACE is able to defeat Facebook’s spam filtering: Facebook, MySpace, and Twitter have recently implemented a spam-filtering mechanism where known spam URLs are blocked. KOOBFACE tries to circumvent this by first testing if a KOOBFACE spam URL is blocked by Facebook or not.
So there, some things you may not know about KOOBFACE. If this whets your appetite for more information, you may read our research paper The Heart of KOOBFACE: C&C and Social Network Propagation, fresh off the grill from the White Papers section of TrendWatch.
by Ryan Flores from trendmicro
Pick Your Poison: KOOBFACE or FAKEAV?
September 18, 2009 by admin
Filed under Security News
The Koobface botnet is widely known to install FAKEAV or rogue antivirus malware onto a victim’s PC. It has a dedicated component which actually installs the FAKEAV onto the user’s system. However, the Koobface gang has added a new twist to its fake Facebook page.
When the user closes the window/tab with the fake Facebook page, a popup window appears. Whatever button the user clicks, this new Koobface variant is downloaded onto the affected system. Here’s a video that illustrates this behavior:
This is the script used by cybercriminals to perform this new routine; it only works for users who used Internet Explorer to visit the fake page:

Figure 1. Koobface Script
The script above leaves the user with very little choice – closing the browser window downloads a FAKEAV variant (detected as TROJ_FAKEAV.FGR), while clicking anywhere on the web page downloads a Koobface loader (detected as WORM_KOOBFACE.AZ).
by Jonell Baltazar (Advanced Threats Researcher) from trendmicro.com
Removal of W32/Koobface.GJ Worm (Manual)
August 9, 2009 by Rahulmg [Admin]
Filed under Removal Tips,Tools and Videos
This worm copies its files to the Windows folder, either as hidden files or as active, non-hidden files.
This worm information updated on July 14, 2009.
Other names of W32/Koobface.GJ Worm:
This worm is also known as Net-Worm.Win32.Koobface.gj, WORM_KOOBFACE.DJ.
The Real Face of KOOBFACE
August 6, 2009 by admin
Filed under Security News
A year after its first discovery, Koobface is still generating a lot of noise, no thanks to its high activity level over the past several weeks. But one year is a long time for a malware to stay alive. Storm didn’t make it out of its first year. Waledac has been around for a while, but it sleeps and wakes up only when it wants to. But Koobface? It has continued to maintain its success and just seems to keep on improving.
Although not as large and widespread compared to Storm or Waledac during their heydays, Koobface is a revolutionary malware in the sense that it is the first Web 2.0 threat to enjoy continuous success, which is significant in a time when social network sites reign supreme.
This is why we see it as important to understand this threat: the computing landscape is evolving, user behavior is changing, and with malware like Koobface threatening that landscape, it is Trend Micro’s duty to stay on top of these threats.
If you want to know more about Koobface, feel free to read our research here: The Real Face of KOOBFACE.
Koobface Tweets
June 27, 2009 by admin
Filed under Security News

Twitter is a very popular platform for expressing whatever is on a user’s mind, making it a favorite target of malware authors. Trend Micro has published several blog entries that discussed attacks on Twitter. Now, the creators of Koobface included a new component in the malware to target the vast number of Twitter users. They’ve come up with the latest update to the Koobface loader binary and other known Koobface components that target social networking sites like Facebook, MySpace, Hi5, Bebo, Tagged, and Netlog.