The family added to the March MSRT release is Win32/Koobface. This family is not just a worm, but a collection of different components that can each perform a different task. These include downloading, web hosting, password stealing, displaying popups and sending messages to contacts on various social network websites. Currently, the MMPC has observed targeted binaries for:

• bebo.com
• facebook.com
• friendster.com
• fubar.com
• hi5.com
• myspace.com
• myyearbook.com
• netlog.com
• tagged.com

Original variants, discovered circa May 2008, attempted to send messages to Facebook or MySpace contacts with message bodies such as ‘You should watch my latest video’ or ‘Watch my newest video’. The message and the domain of the hyperlink were hard coded within the body of the worm. Since then, Win32/Koobface has steadily evolved, and it is now able to generate messages from content supplied by a remote control server. The Koobface authors often use a ‘fake codec’ or ‘fake update’ as a lure. If one were to click on a hyperlink in a delivered message, they might see something that looks like the following:

[Screenshot: fake ‘Flash Player Update’ page]

In the modern age of fast-flux and bulletproof hosting for malware, you may wonder how a site such as the one depicted is hosted. The Win32/Koobface authors appear to have that covered via a component which acts as a web server. This allows the initial component to be hosted on numerous affected machines.

Variants of Win32/Koobface which attempt to send messages via social networking websites leverage the login credentials stored as browser cookies. However, this is not the only way Win32/Koobface components try to manipulate and leverage their foothold on a given machine.

For example, the popup component can display dynamic content within a chrome-less Internet Explorer window. The MMPC has observed such popups used to ‘push’ trojans such as Win32/FakeXPA.

The often seen ‘fake scanner’

One particular component tries to ‘frighten’ users into solving a CAPTCHA. The screen darkens as if the operating system were commencing a shutdown, and a dialog box is displayed with the message ‘Time before shutdown’. The dialog includes a timer, which counts backwards from three minutes.

The screenshot below is missing the CAPTCHA image as it was staged

Another component of Win32/Koobface attempts to install itself as a local proxy by modifying settings of either Internet Explorer or Firefox. After this is accomplished, it monitors and reports back search queries requested from Ask, AOL, MSN, Yahoo or Google search engines. The possession of such information could potentially provide input for a blackhat SEO operation.
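As an added example (not code from the original post), the following Python checker looks at the two places those proxy settings live: the user_pref lines in a Firefox prefs.js file, and the ProxyEnable/ProxyServer values that Internet Explorer stores under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. The sample prefs.js content is constructed; reading the live registry values is left to the caller.

```python
"""Flag browser proxy settings that route traffic through a proxy on this host.

Koobface's proxy component points Internet Explorer or Firefox at a local
proxy so it can watch search queries. These helpers evaluate the settings
each browser stores; the Firefox sample below is constructed for the demo.
"""
import re
from typing import Optional

# Firefox persists settings as lines of the form user_pref("name", value);
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_prefs(prefs_js: str) -> dict:
    """Return {pref_name: value} for every user_pref line in prefs.js text."""
    prefs = {}
    for name, raw in _PREF_RE.findall(prefs_js):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]          # string pref
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"      # boolean pref
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def firefox_local_proxy(prefs_js: str) -> Optional[str]:
    """Return 'host:port' if Firefox uses a manual proxy on this host, else None."""
    prefs = parse_prefs(prefs_js)
    if prefs.get("network.proxy.type") != 1:  # 1 = manual proxy configuration
        return None
    for scheme in ("http", "ssl", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if host in LOCAL_HOSTS:
            port = prefs.get(f"network.proxy.{scheme}_port", 0)
            return f"{host}:{port}"
    return None


def ie_local_proxy(proxy_enable: int, proxy_server: str) -> Optional[str]:
    """Evaluate IE's ProxyEnable (DWORD) and ProxyServer values.

    ProxyServer is 'host:port' or 'http=host:port;https=host:port;...'.
    """
    if not proxy_enable or not proxy_server:
        return None
    for entry in proxy_server.split(";"):
        hostport = entry.split("=", 1)[-1].strip()
        if hostport.rsplit(":", 1)[0] in LOCAL_HOSTS:
            return hostport
    return None


# Constructed prefs.js excerpt resembling a hijacked Firefox profile.
SAMPLE_PREFS = '''user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
'''
```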

Many Koobface variants have the ability to download and execute arbitrary files. In some cases, variants of Win32/Nonaco may be installed. There is more than just this circumstantial link to suggest that Nonaco is written by the Win32/Koobface authors. The MMPC has also observed variants of the password stealer Win32/LdPinch installed on a machine affected by Koobface.

For a malware family which is best known for sending messages via social networking websites such as Facebook, we can see that the Win32/Koobface family encompasses a diverse set of components, each yielding distinct benefits to the operators. The MMPC will be keeping a close eye on the development of Koobface and associated components.

--Scott Molenkamp