RSS feed of TRACElabs Blog from M86 Security

Malware Spread Through Social Networking Sites

 

August 7, 2008

Over the past several weeks we have been seeing a big increase in the number of malicious spam emails. A large portion of these aim to install rogue anti-virus software on victims’ machines and to install bots that send more spam. However, spam isn't the only effective way for criminals to spread malware. About a week ago a new worm, named Koobface, was identified that uses the social networking sites MySpace and Facebook to propagate by sending links to infected users’ friends.

After clicking on the link, the user is taken to a website that looks similar to the YouTube website. The profile picture of the Facebook friend whose account the link was sent from is included in this page to make it look as if they posted the video.

 

 

If JavaScript is enabled, the user will be prompted to download the file codecsetup.exe. This is the Koobface worm, which will attempt to send links to everyone on its new victim’s friend list.

This website also uses the web tracking service extremetracking.com, which provides statistics about visitors to the website. This particular account at Extreme Tracking is a free account, which allows public access provided you know the login name, and the login name is included in the tracking code on each website being tracked.

The tracking statistics for the Facebook campaign can tell us how fast this worm is spreading and which countries are most affected. As you can see, this worm has been spreading rapidly over the last two days.

 

 

 

These numbers represent only unique visits to this website, not actual infections by the worm. However, the number of visits increases as more people infect themselves and spread links to their friends.

As well as attempting to spread, the worm adds installers for three different rogue anti-virus programs to the desktop and opens a fake Windows Security Center window that asks the user to install a suitable anti-spyware program and lists three alternatives.

 

 

The authors of this worm are likely generating revenue from installations or purchases of these products.

Users should be just as vigilant when clicking on links sent to them over social networking sites as they are with email. It is also important to keep browsers and plugins up to date, as many websites pointed to by malicious links attempt to exploit vulnerabilities in these.

 


Last Reviewed: August 7, 2008 by Gavin Neale