A new variant of Koobface (a worm that spreads over Social Networking sites) was recently making the rounds on Facebook.Â Users reported receiving spam messages, such as:
When a user follows the link, they’re redirected to one of many different compromised hosts, which displays a fake error message that the version of Flash is out of date.Â Next the user is prompted to download/open flash_player.exe, a new Koobface variant.
If the user choose to install the executable, a fake error message is displayed.
Facebook is already aware of this threat and is purging the spammed links from their system.Â But with dozens of Koobface variants known to exist, the situation is likely to get worse before it gets better.Â It’s important to note that spammed links leading to Koobface are likely to come from infected friends, reminiscent of early mass-mailing worms.Â The safe-computing practice created more than 10 years ago still applies today, which is not to open any unexpected email attachments, even if they are from someone you know.Â Only in this context, it must be expanded to the following:
|Do not follow any unexpected hyperlinks you receive over the Web, Email, or IM, even if they are received from someone you know.Â It’sÂ best to ask for confirmation from the sender; that theyÂ intentionally sent such a link.|
|On the other end of hyperlinks, it’s best to install software and updates from the source (such as adobe.com in this case) rather than trusting the content from a third-party website.|
As for the motivations behind this Koobface variant, analysis shows that during infection a proxy server is installed to %ProgramFiles%\tinyproxy\tinyproxy.exe and a service named Security Accounts Manager (SamSs) is created to load the server at startup.Â Â ThisÂ component listens on TCP port 9090 and proxies all HTTP traffic, in particular looking for traffic to Google, Yahoo, MSN, and Live.com for the purpose of hijacking search results.Â Search terms are directed to find-www.net.Â This enables ad hijacking and click fraud.