New worms target both MySpace and Facebook users
Kaspersky
Lab, a leading developer of secure content management systems, has
detected two variants of a new worm, Net-Worm.Win32.Koobface.a. and Net-Worm.Win32.Koobface.b,
which attack MySpace and Facebook respectively. As part of their
malicious payload, the worms transform victim machines into zombie
computers to form botnets.
Even though the worms are currently
only infecting MySpace and Facebook users, Kaspersky Lab analysts are
warning users that the worms are designed to upload additional
malicious modules with other functionality via the Internet. It is
highly probable that victim machines will not only be used for
spreading links via these social networking sites, but the botnets will
also be used for other malicious purposes.
Net-Worm.Win32.Koobface.a
spreads when a user accesses his/her MySpace account. The worm creates
a range of commentaries to friends' accounts. Net-Worm.Win32.Koobface.b,
which targets Facebook users, creates spam messages and sends them to
the infected users' friends via the Facebook site. The messages and
comments include texts such as Paris Hilton Tosses Dwarf On The Street;
Examiners Caught Downloading Grades From The Internet; Hello; You must
see it!!! LOL. My friend catched you on hidden cam; Is it really
celebrity? Funny Moments and many others.
Messages and comments on MySpace and Facebook include links to
http://youtube.[skip].pl. If the user clicks on this link, s/he is redirected to
http://youtube.[skip].ru,
a site which purportedly contains a video clip. If the user tries to
watch it, a message appears saying that s/he needs the latest version
of Flash Player in order to watch the clip. However, instead of the
latest version of Flash Player, a file called codecsetup.exe is
downloaded to the victim machine; this file is also a network worm. The
result is that users who have come to the site via Facebook will have
the MySpace worm downloaded to their machines, and vice versa.
“Unfortunately,
users are very trusting of messages left by 'friends' on social
networking sites. So the likelihood of a user clicking on a link like
this is very high”, says Alexander Gostev, Senior Virus Analyst at
Kaspersky Lab. “At the beginning of 2008 we predicted that we'd see an
increase in cybercriminals exploiting MySpace, Facebook and similar
sites, and we're now seeing evidence of this. I'm sure that this is
simply the first step, and that virus writers will continue to target
these resources with increased intensity”.
Kaspersky Internet Security detected these threats proactively and signatures were added to the database on July 31, 2008.