
Koobface Re-Activated!

Published: June 16 2009, 01:17 AM
by Ricardo Robielos III

Social networking sites are extremely popular these days and, not surprisingly, the latest variant of Win32/Koobface is still taking advantage of this popularity by using these sites as an attack vector.

A variant of Koobface is currently active (as of this posting), sending spam messages en masse on several social networking sites, including FaceBook.com, MySpace.com, Friendster.com, Hi5.com, Bebo.com, Fubar.com, MyYearbook.com and Tagged.com.
 
This variant connects to the malicious server "UPR15MAY.COM" to fetch the details of the spam messages it then sends to the contacts of affected users on whichever of the above-mentioned social networking sites they access. Sample messages are shown below:

For FaceBook.com:

[Sample Facebook Post]
 

[Sample Facebook Message]

For Facebook, this malware connects to "upr15may.com/fb" to generate the spam details to be sent.


For MySpace.com:

[Sample MySpace Message]

For MySpace, this malware connects to "upr15may.com/ms" to generate the spam details to be sent.


For Friendster.com:

[Sample Friendster Message]

For Friendster, this malware connects to "upr15may.com/fr" to generate the spam details to be sent.


For Hi5.com:

[Sample Hi5 Message]

For Hi5, this malware connects to "upr15may.com/hi" to generate the spam details to be sent.


For Bebo.com:

[Sample BeBo Message]

For Bebo, this malware connects to "upr15may.com/be" to generate the spam details to be sent.


For Fubar.com:

[Sample Fubar Message]
 

For Fubar, this malware connects to "upr15may.com/fu" to generate the spam details to be sent.


For MyYearBook.com:

[Sample MyYearbook Message]

For MyYearbook, this malware connects to "upr15may.com/yb" to generate the spam details to be sent.


For Tagged.com:

[Sample Tagged Message]

For Tagged, this malware connects to "upr15may.com/tg" to generate the spam details to be sent.  
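The per-network paths above give a responder a compact detection rule: any request from inside the network to the C2 host is worth triaging, and the first path segment tells you which social network's spam the infected host was fetching. The following Python is an added example for this post, not CA's code; it assumes a constructed proxy log of the form "<timestamp> <client-ip> <method> <url>" (my own format, not a real product's) and assumes the C2 keys on the first path segment only, ignoring query strings and trailing slashes.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Command-and-control host and the per-network paths named in the post.
KOOBFACE_C2_HOST = "upr15may.com"
C2_PATH_TO_NETWORK = {
    "fb": "Facebook", "ms": "MySpace", "fr": "Friendster", "hi": "Hi5",
    "be": "Bebo", "fu": "Fubar", "yb": "MyYearbook", "tg": "Tagged",
}
UNKNOWN_PATH = "C2 host, unrecognized path"

# Constructed proxy log excerpt (not from the post); the format is assumed to be
# "<timestamp> <client-ip> <method> <url>", one request per line.
SAMPLE_PROXY_LOG = """\
2009-06-15T23:10:02Z 10.0.0.17 GET http://www.facebook.com/home.php
2009-06-15T23:10:04Z 10.0.0.17 POST http://UPR15MAY.COM/fb
2009-06-15T23:11:40Z 10.0.0.23 GET http://upr15may.com/ms?x=1
2009-06-15T23:12:01Z 10.0.0.23 GET http://upr15may.com/fbx
2009-06-15T23:13:55Z 10.0.0.31 POST http://upr15may.com/tg/
2009-06-15T23:14:10Z 10.0.0.31 GET http://example.com/fb
"""

LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


def koobface_network(url: str) -> Optional[str]:
    """Return the social network a request to the Koobface C2 fetches spam for,
    UNKNOWN_PATH for any other request to that host, or None for unrelated URLs."""
    parts = urlsplit(url)
    # hostname is already lower-cased by urlsplit, so "UPR15MAY.COM" matches too.
    if (parts.hostname or "").lower() != KOOBFACE_C2_HOST:
        return None
    # Assumption: only the first path segment identifies the network; query
    # strings and trailing slashes carry no meaning here.
    first_segment = parts.path.strip("/").split("/")[0]
    return C2_PATH_TO_NETWORK.get(first_segment, UNKNOWN_PATH)


def scan_proxy_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, label) for every request that reached the C2 host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed format; skip it
        label = koobface_network(m.group("url"))
        if label is not None:
            hits.append((m.group("ts"), m.group("client"), label))
    return hits


def clients_to_isolate(log_text: str) -> List[str]:
    """Distinct client addresses that contacted the C2 host, for containment."""
    return sorted({client for _, client, _ in scan_proxy_log(log_text)})


if __name__ == "__main__":
    for ts, client, label in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} -> {label}")
    print("clients to isolate:", clients_to_isolate(SAMPLE_PROXY_LOG))
```

Matching on the host rather than the full URL is deliberate: a request to the C2 host with a path not in the table (the `/fbx` line in the sample) is still a contact with known infrastructure and is reported as such, while the same path on an unrelated host is ignored.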

 

We sent a simple curl POST command to the malicious server to obtain a list of the spam messages this worm may generate, which gave us the following details:

Title/Subject: (Any of the following)

  •  :)
  •  ;)
  •  HA-HA-HA!!
  •  L.O.L.
  •  lol
  •  OMFG!!!
  •  W.O.W.
  •  WOW

Text/Body: (Any of the following)

  •  A--ha-ha, i saw yoour ass in the internet!! lol
  •  Be more careful next time and get caught again!
  •  Can anyone get busted, or is it just you?
  •  Dammn! Haaven’t you seeen our secrett caamera?
  •  Enjoy your first acting experience in our movie.
  •  Got yoou! Ha--ha, now watcch and crry!
  •  Hey ddude, yoou’re on candiid cammera!
  •  I caan’t beelieve you diddn’t see the ssecret cammera!
  •  Laaugh at oother people?? LLook at yoursself!
  •  Man, you're great! See yourself naked, lol XD
  •  Oh, what a shame, your ass is on our tape.
  •  Prrivate viideo wwith yyou. funnny
  •  YYou're so ppretty ggood on thhis vvideo.

… Or see the other list here

Malicious redirect links (any of the following; please do not visit these sites):

  •  hxxp://28680.yoyo.pl/extrimevideo/
  •  hxxp://anilkapoor.net/amaizingdemonstration/
  •  hxxp://baldom.yoyo.pl/privatevids/
  •  hxxp://budget.user.kz/uncensoredvideo/
  •  hxxp://canibals.ic.cz/coolclips/
  •  hxxp://kuzmi4.110mb.com/uncensoredmovie/
  •  hxxp://lambord.ic.cz/publicmovie/
  •  hxxp://mediawork.ru/uncensoredmovie/
  •  hxxp://punks.110mb.com/publicdvd/
  •  hxxp://quicksilverr.110mb.com/freefilm/
  •  hxxp://topwoman.intway.info/publictube/
  •  hxxp://uc2qasimabad.com/freeclips/
  •  hxxp://www.tangoballet.com/uncensoredvids/
  •  hxxp://yarentextil.com/funnyfilm/
  •  hxxp://zbanglabd.com/uncensoredshow/
  •  hxxp://zidacilbin.tym.cz/privatefilm/
  •  hxxp://zkouskafora.ic.cz/funnyfilm/
  •  hxxp://zoghetaze.com/amaizingmovie/

… Or see the other list here
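Two things in the lists above are usable as detection features on the defender's side: the message bodies are padded with doubled letters (a cheap way to defeat exact-string filters), and every lure URL path is an adjective followed by a video noun, such as "uncensoredvideo" or "privatevids". The Python below is an added example for this post, not CA's code. It collapses repeated letters so that the padded templates and their clean spellings normalize to the same form, and it generalizes the URL paths into one regular expression built only from the words in the list; the sample messages, the "lure.example.invalid" host and the hit/flag semantics are my own constructions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Lure subjects and bodies quoted in the post. The doubled letters are the
# worm's own padding, reproduced as-is (apostrophes written as ASCII here).
KNOWN_SUBJECTS = [":)", ";)", "HA-HA-HA!!", "L.O.L.", "lol", "OMFG!!!", "W.O.W.", "WOW"]
KNOWN_BODIES = [
    "A--ha-ha, i saw yoour ass in the internet!! lol",
    "Be more careful next time and get caught again!",
    "Can anyone get busted, or is it just you?",
    "Dammn! Haaven't you seeen our secrett caamera?",
    "Enjoy your first acting experience in our movie.",
    "Got yoou! Ha--ha, now watcch and crry!",
    "Hey ddude, yoou're on candiid cammera!",
    "I caan't beelieve you diddn't see the ssecret cammera!",
    "Laaugh at oother people?? LLook at yoursself!",
    "Man, you're great! See yourself naked, lol XD",
    "Oh, what a shame, your ass is on our tape.",
    "Prrivate viideo wwith yyou. funnny",
    "YYou're so ppretty ggood on thhis vvideo.",
]

# Every lure path in the post is "<adjective><video-noun>/"; this regex is my
# generalization of that pattern, using only the words the post lists.
LURE_PATH_RE = re.compile(
    r"/(?:uncensored|private|public|funny|free|cool|extrime|amaizing)"
    r"(?:video|vids|movie|film|clips|dvd|tube|show|demonstration)/",
    re.IGNORECASE,
)
# Accepts both live "http://" and defanged "hxxp://" forms.
URL_RE = re.compile(r"h(?:tt|xx)ps?://\S+", re.IGNORECASE)

SUBJECTS_LOWER = {s.lower() for s in KNOWN_SUBJECTS}


def normalize(text: str) -> str:
    """Lower-case, collapse runs of the same letter ("Haaven't" -> "haven't",
    but also "seen" -> "sen") and reduce punctuation to spaces. The result is
    lossy on purpose: padded and unpadded spellings land on the same string."""
    text = re.sub(r"([a-z])\1+", r"\1", text.lower())
    text = re.sub(r"[^a-z0-9]+", " ", text)
    return text.strip()


# Normalized template -> original template, computed once.
NORMALIZED_BODIES = {normalize(b): b for b in KNOWN_BODIES}


def classify_message(subject: str, body: str) -> Dict[str, object]:
    """Score one message. Subjects are short and common, so a subject hit is
    only supporting evidence; a body template or a lure URL flags the message."""
    subject_hit = subject.strip().lower() in SUBJECTS_LOWER
    urls = URL_RE.findall(body)
    lure_urls = [u for u in urls if LURE_PATH_RE.search(u)]
    # Strip URLs before normalizing so they cannot break a template match.
    text_only = normalize(URL_RE.sub(" ", body))
    body_hit: Optional[str] = None
    for norm, original in NORMALIZED_BODIES.items():
        if norm and norm in text_only:
            body_hit = original
            break
    return {
        "subject_hit": subject_hit,
        "body_hit": body_hit,
        "lure_urls": lure_urls,
        "flagged": body_hit is not None or bool(lure_urls),
    }


# Constructed sample messages (subject, body); none are taken from a real inbox.
SAMPLE_MESSAGES: List[Tuple[str, str]] = [
    ("WOW", "Damn! Haven't you seen our secret camera? hxxp://lure.example.invalid/uncensoredvideo/"),
    ("lunch?", "Are we still on for noon? http://www.example.com/menu"),
    ("lol", "Hey dude, you're on candid camera!"),
    ("hi", "Check this http://lure.example.invalid/privatevids/"),
]


def scan_messages(messages: List[Tuple[str, str]]) -> List[int]:
    """Indices of the messages that classify_message flags."""
    return [i for i, (s, b) in enumerate(messages) if classify_message(s, b)["flagged"]]


if __name__ == "__main__":
    for i, (subject, body) in enumerate(SAMPLE_MESSAGES):
        print(i, classify_message(subject, body))
    print("flagged:", scan_messages(SAMPLE_MESSAGES))
```

The letter-collapsing step is what makes the template list reusable: the first and third sample messages carry none of the doubled letters from the list, yet they match because both sides are reduced to the same lossy form. The cost is a slightly higher false-positive surface for very short templates, which is why subjects are matched literally rather than normalized.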

 

The spam messages contain a malicious link that loads a JavaScript file (see figure below; we detect this JavaScript as a JS/Redirector variant).

This JavaScript redirects the web browser to a fake video site (a misspelled "YuoTube") that prompts the download of a file, "setup.exe", which is also a variant of Win32/Koobface. This variant may in turn download other malicious files, such as rogue antivirus programs.

 

We advise users to avoid opening these spam messages when visiting their favorite social networking site and to always keep their CA Antivirus Product up-to-date with the latest signature files.


By: Ricardo Robielos III
Ricardo Robielos III is a Research Engineer in CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, Ricardo previously worked for Anchiva Systems as a Malware Researcher and for Trend Micro Inc. as an Anti-virus Engineer. His function now includes analyzing...