Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

A new variant of the Koobface social networking worm is sending social networkers links that lead to fake videos supposedly posted by the beloved cartoon antihero Spongebob Squarepants. The fake videos only display a popup message labeled “Adobe Flash Player Update” that says “This content requires Adobe Flash Player 10.37. Would you like to install it now?” Clicking anywhere on the page downloads the Koobface installer to the victim’s PC.

The technique isn’t new, but this is the first sign that the crew behind Koobface is switching from ‘holiday mode’ (when they sent around links to videos that were supposedly posted by Santa Claus) to ‘post-holiday mode.’

In other ways, the worm features a few small tweaks: Its Captcha tool, which attempts to convince infected users to enter the text of a captcha into a dialog box, has been modified to read and properly display the new ReCaptcha format used by some social network sites. The new format randomly places black circles ‘behind’ the text, and inverts the text of the captcha phrase where the text and black circles intersect.

The dialog box warns users that their PC will shut down if they don’t enter the correct information before a three-minute timer runs down, but users don’t have to worry: If you enter bogus information or simply let the timer run down, nothing happens. If you do enter the correct captcha, however, the component will send the captcha text to its distributed network of servers, which can use that information to bypass captcha controls and post links to the bogus videos.

Another recent innovation is that each infected PC will run a service called Webserver, which appears in the Task Manager as webserver.exe; In the process of installing this service component, the worm opens TCP ports 53 (used for DNS) and 80 (for www pages) so they’re no longer blocked by the Windows Firewall. Presumably this permits the Koobface operators to more easily control (and send commands to) infected machines.

The new variant is also using a new command-and-control server, at the domain u07012010u.com, so if you have the ability to block that domain at your gateway, you should.
wordpress blog stats

Tip of the hat to Threat Research Analyst Scott Manley for spotting this one.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This