Identifying Malicious Blogspot pages used by Koobface

Author: Omid Farhang Published: January 6, 2010 Reading Time: 2 min

Koobface is still going strong despite not making the headlines so much anymore. Well, the Koobface gang took the time to send a Christmas card and wish security researchers a happy new year. Very nice of them… For a couple of days now I’ve been looking at their infection method and trying to see any interesting patterns. The bad guys use bogus blogspot.com blog pages to redirect users to the actual Koobface malware. The redirection consists of several attempts to connect to compromised PCs, through their IP address. Below is a Fiddler log showing those attempted connections (in red are failed connections). Once a host has successfully responded, the users are redirected to a fake page prompting them to install a video codec. ...


Not-so funny jokes

Author: Omid Farhang Published: December 29, 2009 Reading Time: 2 min

Activities associated with Koobface have increased during the month of December. Often it is for the sending of traffic to compromised servers in order to obtain more servers. Other times the activity centers around using those same compromised servers to proxy users to malicious domains that are then used for further distribution of malware or command and control of the infected machines. I noticed a trend with some of the domain-based locations making use of the holiday theme. This has included everything from “presents for your pets” to “festive holiday trees” – these are domains that appear legitimate but are not. In fact, many of the domains that are being used were legitimate at one point and now are serving a different, more questionable purpose. ...


Facebook and Twitter Security – And How to Stay Safe!

Author: Omid Farhang Published: December 29, 2009 Reading Time: 2 min

Hopefully, the holiday season has found you spending a good amount of time offline: enjoying moments spent with friends and family, keeping long-standing traditions or creating new ones to follow for seasons to come, or just relaxing due to some downtime from work or school. It wouldn’t come as much of a surprise, though, if you’ve still found yourself spending a fair share of your time during the holidays online: checking status updates and posting new pictures on Facebook, or sending and checking tweets on Twitter. And, why not? These networking sites are an easy way to connect and share with the people we care about. ...


A Christmas greeting from Koobface

Author: Omid Farhang Published: December 25, 2009 Reading Time: 1 min

Security researchers examining the directories of the URLs of some of the latest Koobface runs may stumble upon a Christmas greeting:


Facebook: money mule or credit card

Author: Omid Farhang Published: December 22, 2009 Reading Time: 3 min

I was just looking at Facebook to check for spam and scams when I found this: I’ve blurred out a few things for privacy, and, most crucially, safety. The point of this post is the domain name. The spaces around the dot and the zero in “C0M” are just as they were in the original spam message. If spammers are going to the trouble to obfuscate their messages, it seems to show that Facebook’s spam filters are having some effect. Malformed links mean that you have to make a serious effort to actually go and visit the spammer site. And consequently, if someone’s going to go through all that trouble, they’re more likely to buy into whatever scam is at the other end. Click on the link, and you immediately get redirected, even though you won’t notice: ...


Check Your Friends! Facebook IMs May Lead To Trouble

Author: Omid Farhang Published: December 21, 2009 Reading Time: 2 min

I ran into a few strange IMs over the weekend. When I was not shoveling out my driveway from the 15 inches of snow that covered it, I was logged into Facebook telling people about it… It was then that I started receiving some VERY interesting IMs from a friend extolling the virtues of a clean colon (yep – you read that right): This led to the following questionable site, which had some very interesting comments on the McAfee SiteAdvisor site: ...


“OH” “OH” “OH”, Santa Delivering FakeAV Presents

Author: Omid Farhang Published: December 14, 2009 Reading Time: 1 min

Following on from the latest Captcha techniques used by the W32/Koobface worm, it seems that the malware authors have turned to Santa for help to deliver its nasty surprise which awaits Facebook users. The infection drops other trojans such as FakeAlert and leaves the user renderless. It all begins with a post on a user’s Facebook Wall. If the user clicks on the link, they are presented with a fake video player with a Christmas greeting as shown below ...


“Everyone” may not be your friend

Author: Omid Farhang Published: December 10, 2009 Reading Time: 2 min

There were two news stories recently that seemed to coincide. In the first, Cisco issued an annual security report which said the two current targets of the Internet criminal underground are banks and social networks. Banks because, well, we all know what they keep there. Social networks are targets because that’s where weakly protected password databases are kept and the passwords they contain probably are used on a lot of other sites as well. ...
