Koobface Worm Infections Rising
Koobface, an anagram of Facebook, is a PC worm that targets the users of popular social networking sites such as Facebook, MySpace, Twitter, etc. First detected in December 2008, it gathers personal information from its victims.
Zscaler has seen a lot of Koobface activity in the past, in which batches of new domains are set up to serve the malicious binaries. On Sunday the company reported that it observed Koobface network traffic reaching 122 unique command and control (C&C) servers, an increase over earlier counts.
According to Zscaler, the worm spreads via a social engineering attack. “A user visits an infected friend’s profile and then clicks on the link. The link shows the video being displayed but shows an error message like ‘your flash player is out of date’ and you have to download a new update. The innocent user clicks on the download link thinking that it is a real flash player update and ends up getting the worm on their system.”
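The lure Zscaler describes, a fake Flash Player update offered after a click from a social-networking page, leaves a recognisable pattern in web proxy logs: an executable download whose referrer is a social-networking site and whose host is not the vendor's. The following Python is an added example, not code from Zscaler, Kaspersky Lab or this article. It assumes a simple space-separated proxy log format, a constructed set of log lines, hypothetical lure hostnames and filenames, and an assumed allowlist of legitimate Adobe download hosts; all of these are illustrations, not observed Koobface indicators.

```python
"""Flag fake "Flash Player update" executable downloads that follow a click
from a social-networking site (the Koobface lure described above).

Added example. The log format, hostnames, filenames and vendor allowlist
are assumptions for illustration, not indicators taken from the article.
"""
import re
from urllib.parse import urlparse

# Social-networking sites the article names as Koobface targets.
SOCIAL_DOMAINS = {"facebook.com", "myspace.com", "twitter.com"}

# Assumed: hosts from which a genuine Flash Player installer may be fetched.
# A real deployment should take this from the vendor's published download hosts.
LEGIT_FLASH_HOSTS = {"get.adobe.com", "fpdownload.adobe.com"}

# Hypothetical lure filename words; tune against real samples.
LURE_NAME = re.compile(r"(flash|player|update|setup|codec)", re.IGNORECASE)

# Assumed log format: "<timestamp> <client_ip> <method> <url> <status> <referer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referer>\S+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for a line that does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def host_of(url):
    """Hostname of a URL, or "" when the value is not a URL (e.g. a "-" referer)."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def registrable(host):
    """Crude registrable domain: last two labels. Enough for the sample data,
    but not for ccSLDs such as .co.uk; use a public-suffix library in practice."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_lure(entry):
    """True when an .exe is fetched from a non-vendor host, with a lure-like
    filename, after a click from a social-networking page."""
    url = entry["url"]
    path = urlparse(url).path
    if not path.lower().endswith(".exe"):
        return False
    if host_of(url) in LEGIT_FLASH_HOSTS:
        return False  # genuine installer from the vendor: not a lure
    filename = path.rsplit("/", 1)[-1]
    if not LURE_NAME.search(filename):
        return False
    return registrable(host_of(entry["referer"])) in SOCIAL_DOMAINS


def find_lures(lines):
    """All parsed entries that match the lure pattern, in log order."""
    return [e for e in map(parse_line, lines) if e and is_lure(e)]


# Constructed sample log: two lure downloads, one genuine vendor download,
# one non-executable, one executable with a non-social referer, one bad line.
SAMPLE_LOG = [
    "2010-03-10T09:12:01Z 10.0.0.5 GET http://www.facebook.com/profile.php?id=123 200 -",
    "2010-03-10T09:12:09Z 10.0.0.5 GET http://video-updates.example/flash_player_update.exe 200 http://www.facebook.com/profile.php?id=123",
    "2010-03-10T09:15:44Z 10.0.0.7 GET http://get.adobe.com/flashplayer/install_flash_player.exe 200 http://www.facebook.com/",
    "2010-03-10T09:20:02Z 10.0.0.9 GET http://cdn.example.net/report.pdf 200 http://twitter.com/someone",
    "2010-03-10T09:21:15Z 10.0.0.9 GET http://media-codec.example/setup.exe 200 http://twitter.com/someone",
    "2010-03-10T09:30:00Z 10.0.0.11 GET http://tools.example.org/setup.exe 200 http://www.example.org/downloads",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in find_lures(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} fetched {hit['url']} via {hit['referer']}")
```

The vendor allowlist is the check that keeps the rule from firing on every real Flash installer a user fetches after reading a social-network post; without it the rule is noise. The `registrable` helper is deliberately crude, so replace it with a public-suffix lookup before using this against real traffic.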
In recent weeks, the Kaspersky Lab research team has observed live Koobface C&C servers being shut down or cleaned at a rate of, on average, three per day. According to the lab, “the number dropped steadily from 107 on February 25, to as low as 71 on March 8. Then, in just 48 hours, the number grew from 71 to 142, precisely doubling its total number, which all Koobface-infected computers use to get remote commands and updates.”
Stefan Tanase, senior regional researcher for Kaspersky Lab EEMEA, believes this activity offers insight into how the Koobface gang takes care of its infrastructure. “Based on this, we can conclude that the cybercriminals are constantly monitoring their infrastructure status. They don’t want the number of C&C servers to drop too much, as that would mean losing their control over the botnet. When the number of active C&C servers drops to a critical level, they seem to be ready to implement dozens of new ones. The total number of Koobface C&C servers is constantly fluctuating, going from over a hundred to under a hundred and back again in a matter of weeks. It seems that when 100 C&C servers are online, the Koobface gang is relaxed. They also prefer to have their C&C servers distributed across the globe and with different ISPs, in order to make the take-down process harder. However, most of the Koobface C&C servers remain in the United States.”
Kaspersky Lab offers these reminders:
- Be cautious when opening links in suspicious messages, even if the sender is one of your trusted Facebook friends.
- Use an up-to-date, modern browser: Firefox 3.x, Internet Explorer 8, Google Chrome, Opera 10 etc.
- Divulge as little personal information as possible. Do not give out your home address, telephone number or other private details.
- Keep your antivirus software updated to prevent new versions of malware from attacking your computer.