Twitter Worm/Virus Koobface

There are numerous reports of a new Twitter worm that steals your log-in information and spreads its evil cause. The worm comes in the form of a direct message from someone you may know, and maybe even trust.

The poster child for these attacks has been the Koobface worm, which has been circulating on Facebook and various other sites for several months. However, the term worm is something of a misnomer in this case, experts say, as Koobface in fact comprises a number of different components. In addition to the social networking propagation components, Koobface also now includes a network of malicious Web servers, URL checkers, a CAPTCHA breaker, a rogue antivirus program, data stealers and search-result hijackers, said Ivan Macalintal, a senior threat analyst at Trend Micro, in a presentation at Virus Bulletin 2009 here Thursday.

And that litany of capabilities doesn’t even include the botnet and associated command and control structure that Koobface has built. The botnet control is done over HTTP, and the updates that the Koobface authors make to the program, which sometimes happen as frequently as once a day, usually change the C&C structure, as well.

“It’s an unfinished product at this point and it’s in perpetual beta,” Macalintal said.

In June, Koobface still had just two main C&C servers controlling the botnet. A month later, after continued efforts from researchers to disrupt the botnet, the Koobface authors updated the infrastructure, adding a layer of proxies and making it more difficult to identify the specific servers controlling the bots.

Twitter Worm Spreading

Koobface also is now using blogs that are set up automatically, usually centered on a major news event and filled with entries with malicious links. The links lead to phishing sites or sites that host the Koobface malware itself.

And it’s not just Facebook that’s taking the hit. Twitter also has emerged as a major target for attackers looking for phishing victims, personal information on potential victims and anything else that could be of use. There have been some incidents of botmasters using Twitter as a command mechanism, although experts say this is not of much use.

“It’s not the best means of command and control, because it’s easily blocked after detection,” said Costin Raiu, a security researcher at Kaspersky Lab, who gave a joint presentation with Morton Swimmer of Trend Micro on Twitter attacks.

Raiu and Swimmer are working on separate projects analyzing the volume and nature of threats and attacks on Twitter by pulling tweets from the site’s public timeline and putting them through a variety of automated analyses. Much of the activity right now consists of spam from automated Twitter accounts, malicious URLs leading to phishing sites and porn.
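The kind of automated pass over public tweets that Raiu and Swimmer describe can be sketched in a few lines. The example below is added here and is not code from either researcher or from Trend Micro or Kaspersky Lab; the tweets, the blocklist hosts and the spam threshold are all constructed for illustration. It pulls URLs out of each tweet, classifies each link (known-bad host, raw IP address host, URL shortener, or unknown) and flags accounts that post links in bulk, which is the spam-from-automated-accounts pattern the presentation mentions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample tweets (user, text) standing in for items pulled from the public timeline.
SAMPLE_TWEETS = [
    ("alice", "check out my vacation photos http://bit.ly/abc123"),
    ("bob", "is this you in this video?? http://malicious-example.test/video.php"),
    ("spambot7", "free stuff http://198.51.100.23/win"),
    ("spambot7", "free stuff http://198.51.100.23/win2"),
    ("spambot7", "free stuff http://198.51.100.23/win3"),
    ("carol", "new post on my blog https://carol.example/post/1"),
]

# Constructed blocklist; a real deployment would feed this from a threat-intel source.
BLOCKED_HOSTS = {"malicious-example.test"}

# Common shorteners: not malicious by themselves, but they hide the final destination
# and were the usual wrapper for Koobface-style lures, so they deserve a second look.
SHORTENERS = {"bit.ly", "tinyurl.com", "is.gd", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def extract_urls(text):
    """Return every http(s) URL in a tweet, with trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def classify_url(url):
    """Cheap static verdict for a single link; order matters (blocklist wins)."""
    host = host_of(url)
    if host in BLOCKED_HOSTS:
        return "blocked"
    if IP_HOST_RE.match(host):
        return "ip-literal"      # bare IP hosts are rare in legitimate shared links
    if host in SHORTENERS:
        return "shortened"       # would need expansion before a real verdict
    return "unknown"


def analyze_tweets(tweets):
    """Return one (user, url, verdict) tuple per link found across all tweets."""
    findings = []
    for user, text in tweets:
        for url in extract_urls(text):
            findings.append((user, url, classify_url(url)))
    return findings


def verdict_counts(tweets):
    """Aggregate verdicts, the per-run summary an analyst would eyeball first."""
    return Counter(verdict for _, _, verdict in analyze_tweets(tweets))


def bulk_link_senders(tweets, threshold=3):
    """Accounts that posted at least `threshold` link-bearing tweets in the sample.

    The threshold is a constructed value; tune it against real timeline volume.
    """
    per_user = Counter(user for user, text in tweets if extract_urls(text))
    return {user for user, n in per_user.items() if n >= threshold}


if __name__ == "__main__":
    for user, url, verdict in analyze_tweets(SAMPLE_TWEETS):
        print(f"{verdict:10} {user:10} {url}")
    print(dict(verdict_counts(SAMPLE_TWEETS)))
    print("bulk link senders:", bulk_link_senders(SAMPLE_TWEETS))
```

The static checks here are deliberately shallow: they rank which links deserve sandboxing or shortener expansion, they do not decide on their own that a link is malicious, and a host-based blocklist is exactly the control that a daily-updated infrastructure like Koobface’s is built to outrun.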

Unsurprisingly, this issue has not been addressed by Twitter on their blogs, just as that huge exploit that was discovered last month wasn’t. Twitter should probably do a better job of communicating such problems to users before more people fall victim. Mashable notes that they did contact the company about the issue, and they are aware of it, and “on the case.”
