Koobface behind the scenes

By Cara Garretson

Security researchers are looking into not just how Koobface infects users’ PCs, but how its creators manage to spread the worm across popular social networking sites to maximize its effectiveness.

Not unlike enterprising Web sites that try to maximize page views, Koobface’s creators leverage SEO (search-engine optimization) techniques to achieve high levels of exposure.

According to a blog post on security vendor Finjan’s Web site, the malware automatically creates BlogSpot accounts and aims to attract maximum visitors by filling blog posts with the latest news from Google news feeds, which often include the most popular search terms.

Of course, the readers of these blogs get much more than the latest news: scripts embedded in the posts redirect readers to a bogus Web site, such as a fake Facebook page, that attempts to download Koobface. If the site succeeds in convincing visitors to download Koobface, the worm then creates new accounts on various Web sites.

It works its way around the CAPTCHA box by telling users of the infected PCs that they must enter the correct text or their machine will shut down. Once the user responds, the new accounts are created and bogus blog posts are produced.

Proof that this technique works is readily available – Finjan says its researchers tracked the creation of one of these malware Web pages and found it attracted more than 150,000 users in two days.

Researchers at Symantec are also tracking the practices of the “Koobface gang.” They’ve found that the central server responsible for redirecting victims to infected PCs, where they then become infected themselves, has been very successful in eluding take-down attempts.

The malware’s creators have been able to quickly replace domain names that fall under suspicion with new ones: over a three-week period Symantec saw 17,170 distinct IP addresses used. The researchers also noticed that members of the Koobface botnet are highly concentrated in the U.S., but also present in Europe and other parts of the world.
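The rapid domain and IP replacement Symantec describes is the kind of churn a defender can look for in DNS telemetry. The following is an added example, not code from the article or from Finjan or Symantec: it parses constructed passive-DNS style records and flags domains whose resolved IP set rotates across several networks within a short window. The log format, the thresholds (`window`, `min_ips`, `min_nets`) and the sample data are assumptions chosen for illustration, not values reported in the article.

```python
"""Flag domains whose resolved IPs churn rapidly across networks, the
redirect-infrastructure behaviour described in the article.
Added example: log format, thresholds and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS style records: "<ISO timestamp> <domain> <ip>".
# Addresses are from documentation ranges; domains use the .test TLD.
SAMPLE_LOG = """\
2009-06-01T00:00:00 redir-example.test 203.0.113.10
2009-06-01T00:10:00 redir-example.test 203.0.113.57
2009-06-01T00:20:00 redir-example.test 198.51.100.3
2009-06-01T00:30:00 redir-example.test 198.51.100.88
2009-06-01T00:40:00 redir-example.test 192.0.2.201
2009-06-01T00:50:00 redir-example.test 192.0.2.9
2009-06-01T00:00:00 static-site.test 192.0.2.44
2009-06-01T00:30:00 static-site.test 192.0.2.44
2009-06-01T01:00:00 static-site.test 192.0.2.44
this line is malformed and is skipped
"""


def parse_log(text):
    """Yield (timestamp, domain, ip) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1].lower().rstrip("."), parts[2]


def _slash24(ip):
    """Coarse network key: the first three octets of an IPv4 address."""
    return ".".join(ip.split(".")[:3])


def max_distinct_in_window(events, window):
    """Largest number of distinct IPs seen for one domain inside any
    interval of length `window`, using a simple sliding window over the
    time-sorted (timestamp, ip) events."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        seen = set()
        for ts, ip in events[i:]:
            if ts - start > window:
                break
            seen.add(ip)
        best = max(best, len(seen))
    return best


def flag_flux_domains(log_text, window=timedelta(hours=1), min_ips=4, min_nets=2):
    """Return {domain: stats} for domains that resolved to at least
    `min_ips` distinct addresses within `window` and whose addresses
    span at least `min_nets` distinct /24 networks. Thresholds are
    assumed starting points, not values from the article."""
    by_domain = defaultdict(list)
    for ts, domain, ip in parse_log(log_text):
        by_domain[domain].append((ts, ip))

    flagged = {}
    for domain, events in by_domain.items():
        distinct = max_distinct_in_window(events, window)
        nets = {_slash24(ip) for _, ip in events}
        if distinct >= min_ips and len(nets) >= min_nets:
            flagged[domain] = {"distinct_ips_in_window": distinct, "nets": len(nets)}
    return flagged


if __name__ == "__main__":
    for domain, stats in flag_flux_domains(SAMPLE_LOG).items():
        print(f"{domain}: {stats}")
```

Run against real resolver or passive-DNS logs, the two thresholds need tuning: legitimate CDN-fronted domains also rotate addresses, so the /24 spread and the window length are what separate ordinary load balancing from the churn described above, and any hit should be reviewed rather than blocked outright.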
