Notorious Worm Seems To Have Stopped Spreading On Facebook


The notorious Koobface social networking worm seems to have stopped spreading on Facebook, much to security researchers' surprise.

According to experts from FireEye, which noticed the unusual change in behavior, the last time Koobface was seen spreading on the world's largest social network was on February 13.

"All of a sudden, we saw bot herders are no longer instructing zombies to post fake messages to compromised Facebook accounts.

"Our first impression was that it's just a temporarily move but a continued silence for about two months is not something that can be ignored," says FireEye security research engineer, Atif Mushtaq.

Koobface is one of the oldest and most successful social networking worms. It was originally created for MySpace, but later evolved to target many sites, including Facebook, Twitter, hi5, Bebo and Friendster.

The worm uses social engineering to lure users onto fake YouTube pages that distribute a copy of the malware as a video codec or Flash player update.

Koobface has usually been used for spamming and installating additional threats on infected computers, possibly as part of a pay-per-install scheme.

According to Mr. Mushtaq, this type of activity is still continuing at the moment, so the worm is not dead. It just stopped spreading on Facebook.

"Koobface C&Cs [command and control servers] are very much alive. We observed around 153 live C&Cs during last 7 days," the researcher says.

At the moment, Koobface is actually promoting rogue pharmaceuticals, like the painkiller tramadol, by opening browser pop-ups on infected systems.

FireEye believes the worm might have stopped spreading on Facebook because it was drawing too much attention to itself. This sounds like a good explanation, especially since the head of Facebook's anti-malware team, Nick Bilogorskiy, said last year that the company knows the identity of the Koobface authors.


Post a Comment