
Koobface Worm Asks for Captcha

Sunday, November 29, 2009 at 5:57pm by Neha Joshi

In a recent blog we discussed how Google Reader has become an unwitting spam host. We now see the same behavior in a recent variant of Koobface, which uses a Google Reader page to host the link to the malware. Once the user clicks the Google link, a fake YouTube window appears, as shown below.

[Image: fake YouTube window]

When the user tries to play the YouTube video, the page redirects to:

hxxp://www.hs-limmattal.ch/{blocked}/

which poses as a Facebook help center page that, in an ironic twist, displays advice on how to protect against the Koobface worm!

[Image: fake Facebook help center page]

The user is then asked to download a setup file that purports to be a free anti-virus scanner. The page claims a file size of 32.39 MB, but the file actually downloaded is only 40.5 KB: a small downloader, not a scanner. The downloading does not stop there. The malware goes on to fetch the many components it needs, and it also checks for the latest copy of itself and downloads it as needed.

This variant of Koobface also harvests the cookies on the user's machine and tries to send them to a remote server.

One more trick the malware uses: rather than breaking the Captcha itself, it makes the infected user solve it, and then uses the answer to register another Facebook account. The infected machine displays a Captcha window together with a fake shutdown countdown. Koobface does not actually shut the machine down when the timer expires; instead the machine stays locked until a Captcha is entered successfully.

[Image: Captcha window with shutdown countdown]

After the user enters the Captcha correctly, a JPEG image of the Captcha is sent to the remote server, as shown in the image below:

[Image: Captcha JPEG sent to the remote server]

The malware keeps polling the remote server for a response; once it receives one, a new account is created. The attacker can use the account for spamming or for any other activity. The same tactic is used against Twitter, MySpace, and hi5 (all popular websites):

[Image: second Captcha JPEG]

This new method of account creation is cheap; there are also dedicated Captcha-solving workers who will do this work for just a few cents.

The worm also steals email, FTP, and instant-messaging credentials. The stolen data is encrypted and sent to the worm's command-and-control server. The worm has also been seen redirecting user searches.

To unlock a locked machine, users can follow this process:

  • Press Ctrl+Alt+Del
  • Open Task Manager
  • Select the Processes tab
  • In the Processes list, find RUNDLL32.exe
  • End that process
  • Look for processes named rdr_xxxxxxxx and end these as well

These steps kill the malware processes running on the user's machine and unlock it. Note that rundll32.exe is a legitimate Windows binary; the malicious part is the worm's DLL that it has been made to load, so ending the process only stops the running copy. The worm's files are still on disk afterwards, so follow up with a full scan using up-to-date anti-virus.
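The same triage can be scripted so the two indicators above are applied to a complete process listing rather than eyeballed in Task Manager. The following Python is an added example written for this post, not a McAfee tool. It assumes a CSV process snapshot with Name, ProcessId and CommandLine columns (such as `wmic process get Name,ProcessId,CommandLine /format:csv` produces), treats the x's in rdr_xxxxxxxx as eight alphanumerics, and flags a rundll32.exe instance only when it loads a DLL by absolute path from outside C:\WINDOWS, a heuristic chosen because rundll32.exe itself is a legitimate Windows binary. The process names, PIDs and DLL path in the sample snapshot are constructed for the example.

```python
"""Scripted version of the Task Manager triage above (added example, not a
McAfee tool).  Input is a CSV process snapshot with Name, ProcessId and
CommandLine columns; `wmic process get Name,ProcessId,CommandLine /format:csv`
produces one (with an extra Node column, which is simply ignored)."""
import csv
import io
import re
from typing import List, Optional, Tuple

# "rdr_xxxxxxxx": the x's are assumed to be eight alphanumerics; Task Manager
# may show the image name with or without the .exe extension.
RDR_NAME = re.compile(r"^rdr_[0-9a-z]{8}(\.exe)?$", re.IGNORECASE)

# rundll32.exe is a legitimate Windows binary, so an instance is only flagged
# when it loads a DLL by absolute path from outside the Windows directory
# (assumed heuristic; the Windows directory is assumed to be C:\WINDOWS).
SYSTEM_ROOT = "c:\\windows\\"

# rundll32.exe, optionally quoted and with a leading path, then its arguments.
RUNDLL32_CMD = re.compile(r'\s*"?(?:[^"\s]*\\)?rundll32\.exe"?\s+(.*)', re.IGNORECASE)


def rundll32_target(cmdline: str) -> Optional[str]:
    """Return the DLL a rundll32 command line loads, or None if it is not rundll32."""
    m = RUNDLL32_CMD.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):                      # "C:\path with spaces\x.dll",Entry
        end = rest.find('"', 1)
        dll = rest[1:end] if end > 0 else rest[1:]
    else:                                         # shell32.dll,Control_RunDLL
        dll = re.split(r"[,\s]", rest, maxsplit=1)[0]
    return dll.split(",")[0]                      # drop a ",EntryPoint" suffix


def is_suspicious_rundll32(cmdline: str) -> bool:
    """Heuristic: absolute DLL path outside the Windows directory."""
    dll = rundll32_target(cmdline)
    if dll is None or "\\" not in dll:
        return False   # bare names resolve via the system search path; not flagged here
    return not dll.lower().startswith(SYSTEM_ROOT)


def find_koobface_processes(snapshot_csv: str) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for every process matching the two indicators."""
    hits = []
    for row in csv.DictReader(io.StringIO(snapshot_csv)):
        name = row["Name"].strip()
        pid = int(row["ProcessId"])
        cmd = row.get("CommandLine") or ""
        if RDR_NAME.match(name):
            hits.append((pid, name, "rdr_xxxxxxxx naming pattern"))
        elif name.lower() == "rundll32.exe" and is_suspicious_rundll32(cmd):
            hits.append((pid, name, "rundll32 loading " + rundll32_target(cmd)))
    return hits


def taskkill_commands(hits: List[Tuple[int, str, str]]) -> List[str]:
    """Command-line equivalent of Task Manager's 'End Process' for each hit."""
    return ["taskkill /F /PID %d" % pid for pid, _, _ in hits]


# Constructed sample snapshot: the PIDs, the rdr_ suffix and the DLL name are
# made up for this example; only the naming pattern comes from the write-up.
SAMPLE_SNAPSHOT = r'''Name,ProcessId,CommandLine
explorer.exe,1240,C:\WINDOWS\Explorer.EXE
rundll32.exe,1308,"""C:\WINDOWS\system32\rundll32.exe"" shell32.dll,Control_RunDLL"
rundll32.exe,1764,"""C:\WINDOWS\system32\rundll32.exe"" ""C:\Documents and Settings\user\Local Settings\Temp\ld09.dll"",Run"
rdr_2f8a1c3e.exe,1932,C:\WINDOWS\Temp\rdr_2f8a1c3e.exe
svchost.exe,900,C:\WINDOWS\system32\svchost.exe -k netsvcs
'''

if __name__ == "__main__":
    hits = find_koobface_processes(SAMPLE_SNAPSHOT)
    for pid, name, reason in hits:
        print(pid, name, reason)
    print("\n".join(taskkill_commands(hits)))
```

On the sample, only the rundll32 instance loading a DLL from the user's Temp directory and the rdr_ process are reported; the rundll32 instance running shell32.dll's Control Panel entry point is left alone. Real `wmic` CSV output is UTF-16 with a blank first line, so decode it and strip the leading blank line before handing it to `find_koobface_processes`.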

McAfee Labs reminds users not to click on YouTube links from unknown sources and to not accept any requests from unknown users!
