Now Koobface creates its own malicious web pages

14 December 2009

Koobface - the long-running worm which first appeared 12 months ago - is being customised by its authors to get past the account-creation safeguards (such as captchas) of web hosting services, allowing it to create its own web pages automatically.

According to Andrew Brandt, a security researcher with Webroot, the worm's auto-captcha component has been greatly enhanced, allowing Koobface to check whether an infected user already has a Google or Blogspot account.

And, if the Koobface worm detects that an infected user does not have an account, the malware will create one automatically, he said.

Koobface is now also capable of creating Google Reader pages on the fly, allowing the worm to generate its own malicious web pages and then link to them in messages and wall postings to infect more people, Brandt added.

In a security blog posting, Brandt said that worm-generated Google Reader pages had been floating around for a little while, but that he had never seen the worm create one - until now.

"What I found fascinating was that I could observe the process of the worm creating a new Google account on my testbed", he said.

"In order to create the Google account, it downloaded and ran four new applications: `v2googlecheck' simply looks at your browser cookies to determine whether you already have a Google account; `v2newblogger' creates a new account if one doesn't already exist; `v2captcha' prompts the user of the infected machine to enter a captcha into a dialog box that looks like a Windows login dialog (in order to complete the account creation); and `v2reader,' which creates the new page, and passes that information to the worm", he added.

Brandt went on to say that, once the Google account is created, the Koobface worm uses the account to generate a new, malicious Google Reader page.

"These worm-generated pages look identical, with the exception of the Google Reader user's name at the top of the page. Each of them appears to be a link to a Google Reader `shared items' page - files that Google Reader users can post for others to download. In this case, the shared item appears to link to a YouTube video, but the `video' link is just an animated GIF image", he explained.

According to Brandt, links to these Google Reader pages are what the Koobface worm posts. Because every page is new and is created on the fly, there is almost no way, he noted, for Facebook to keep up with them, and because this all happens at breakneck speed, the links often remain active for some time.

"As soon as it has created the malicious account, it logs out the user from the spontaneously-created Google account", he said.

Interestingly, Brandt noted that Facebook's user account mechanism used to be able to detect when an infected machine attempted to post these kinds of links, and locked out the account immediately.

With the use of these Google Reader pages, however, the links - and infected accounts - remain active for a much longer time.

"When the user clicks the `video' link in Google Reader, they're redirected to a different fake-video page. This page looks more familiar, because this trick (and a page with almost the same appearance) has been used for some time by Koobface", he said.

"The `video' on this second page is just a black box with a small message that says `This content requires Adobe Flash Player 10.37. Would you like to install it now?' In fact, the entire page is just a single GIF image. Clicking the video on this page - or anywhere on the page, for that matter - brings up a download dialog for a programme called Setup.exe. This programme is yet another Koobface installer", he added.

The final result, Brandt went on to say, is that the Koobface worm posts links to the spontaneously created Google Reader page on Facebook, Bebo, Twitter, Hi5, and a number of other networks and services on which Webroot's Threat Research team maintains a linked network of bogus test accounts.
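The infection chain described above (a Google Reader "shared items" page posted to a social network, a redirect to a fake video page on another host, then a Setup.exe download) is visible in web-proxy logs even though every Reader page is new. The following is an added example, not code from the article or from Webroot, of a small correlator that flags a client whose executable download follows a visit to a Google Reader shared page within a few minutes. The log format, the `/reader/shared/` URL path, the hostnames and the time window are assumptions; the sample log lines are constructed.

```python
"""
Added example (not part of the Infosecurity Magazine article or Webroot's research):
correlate web-proxy log lines to detect the Koobface lure chain described above -
a Google Reader "shared items" page, then requests to a non-Google host (the fake
video page), then a Setup.exe download - all from the same client within a window.
Assumptions: log format, the /reader/shared/ path, hostnames and the 5-minute window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log. Assumed format:
# "<ISO time> <client IP> <method> <URL> <status> <content-type>"
SAMPLE_LOG = """\
2009-12-14T10:01:05 10.0.0.5 GET http://www.google.com/reader/shared/12345678901234567890 200 text/html
2009-12-14T10:01:09 10.0.0.5 GET http://example-lure.invalid/video/watch.php 200 text/html
2009-12-14T10:01:10 10.0.0.5 GET http://example-lure.invalid/video/page.gif 200 image/gif
2009-12-14T10:01:20 10.0.0.5 GET http://example-lure.invalid/Setup.exe 200 application/x-msdownload
2009-12-14T10:05:00 10.0.0.7 GET http://www.google.com/reader/shared/09876543210987654321 200 text/html
2009-12-14T10:05:30 10.0.0.7 GET http://www.example.com/news 200 text/html
2009-12-14T11:00:00 10.0.0.9 GET http://www.example.com/Setup.exe 200 application/x-msdownload
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
READER_SHARED = re.compile(r"^/reader/shared/")  # assumed path of a Reader shared-items page
EXE_TYPES = {"application/x-msdownload", "application/x-msdos-program", "application/octet-stream"}
WINDOW = timedelta(minutes=5)  # assumed: how long after the Reader page a download still counts


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "status": int(status), "ctype": ctype.lower()}


def is_google_host(host):
    host = (host or "").lower()
    return host == "google.com" or host.endswith(".google.com")


def is_reader_shared(url):
    """Stage 1: a Google Reader shared-items page on a real Google host."""
    p = urlparse(url)
    return is_google_host(p.hostname) and READER_SHARED.match(p.path) is not None


def is_exe_download(rec):
    """Stage 3: an executable fetched from a non-Google host (by name or MIME type)."""
    p = urlparse(rec["url"])
    name = p.path.rsplit("/", 1)[-1].lower()
    return not is_google_host(p.hostname) and (name.endswith(".exe") or rec["ctype"] in EXE_TYPES)


def find_lure_chains(log_text, window=WINDOW):
    """Return one alert per client whose EXE download followed a Reader shared page
    within `window`; non-Google hosts seen in between are recorded as the redirect hops."""
    pending = defaultdict(list)  # client -> open stage-1 chains
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        client = rec["client"]
        # Expire chains older than the window before considering this request.
        pending[client] = [c for c in pending[client] if rec["ts"] - c["ts"] <= window]
        if is_reader_shared(rec["url"]):
            pending[client].append({"ts": rec["ts"], "reader_url": rec["url"], "hosts": []})
            continue
        if not pending[client]:
            continue  # an EXE download with no preceding Reader page is not this chain
        host = (urlparse(rec["url"]).hostname or "").lower()
        if is_exe_download(rec):
            chain = pending[client].pop()  # most recent Reader page for this client
            alerts.append({"client": client, "reader_url": chain["reader_url"],
                           "redirect_hosts": chain["hosts"], "payload_url": rec["url"],
                           "seconds": int((rec["ts"] - chain["ts"]).total_seconds())})
        elif not is_google_host(host):
            for chain in pending[client]:
                if host not in chain["hosts"]:
                    chain["hosts"].append(host)
    return alerts


if __name__ == "__main__":
    for alert in find_lure_chains(SAMPLE_LOG):
        print(alert)
```

The Reader page itself lives on a legitimate Google host, so blocking by domain is not an option; keying the alert on the sequence (Google page, third-party host, executable) from one client is what separates the lure from ordinary Google Reader use, as the second client in the sample shows.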

"For now, if you see links to Google Reader pages posted in your social network, keep your guard up. And if you see someone in your network posting these links, drop them a line to let them know they might be infected."

This article is featured in:
Malware and Hardware Security
