If you live in the US, you may have played sports, barbecued, or spent the last long weekend of the summer doing something fun outdoors. Unfortunately, that wasn’t an option here in Boulder, where a large wildfire generated a thick plume of smoke and ash. So, what’s a malware analyst to do indoors on a beautiful day with toxic smoke outside? Why, spend some quality time with Koobface, of course.
I took a closer look at the worm’s behavior and also noted that, since the Migdal keylogger site went dark for the Koobface crew, they’ve switched to a new domain as the dead drop for credentials stolen by the Koobface password stealer payload: m24.in, the Web site of some sort of media company based in India. The keylogger behavior I saw was virtually identical to that of the Migdal variant reported in a previous post. The payload is even named m24.in.exe, just as the Migdal payload was named after the domain where it posted stolen passwords.
It’s been a while since the worm changed its primary method of infection: for nearly its entire existence, Koobface has spread by manipulating the social network accounts of infected users so that it appears the user posted a link to a video. Of course, the worm does the posting in the user’s name, and the link points to a page that purports to be some sort of streaming video but actually pushes the malware on anyone who visits. And, to take on the appearance of a real online video, it uses Flash.
The overall look and feel of the fake video has been static for some time, but the content changes periodically, and the current iteration of the page (which appeared this past April), titled “Video posted by … Hidden Camera,” is still in use and hasn’t been updated since then.
On the video page, the user is encouraged to download and install a file the page claims is Flash Player 10.37 — never mind that Adobe only recently updated Flash to version 10.1 — which is actually the main Koobface installer.
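The two things the post describes, a payload named after its dead-drop domain (m24.in.exe posting to m24.in) and a fake installer advertising a Flash version that does not exist yet, are both things a defender can check for mechanically. The following is an added example, not code from the original post or from Webroot: it runs three simple checks over a handful of constructed proxy-style events (the URLs, filenames and prompt strings here are made up for illustration; only m24.in, m24.in.exe and the 10.37 vs 10.1 version numbers come from the post).

```python
import re
from urllib.parse import urlparse

# Constructed sample events (not from the original post). Each is one
# proxy-style record: HTTP method, URL, optional downloaded filename and
# optional text of the install prompt the page showed.
SAMPLE_EVENTS = [
    {"method": "GET", "url": "http://video-page.invalid/watch?v=1",
     "prompt": "Install Flash Player 10.37 to view this video"},
    {"method": "GET", "url": "http://video-page.invalid/setup",
     "filename": "m24.in.exe"},
    {"method": "POST", "url": "http://m24.in/cgi/post.php"},
    {"method": "GET", "url": "http://get.adobe.com/flashplayer/",
     "prompt": "Install Flash Player 10.1"},
    {"method": "GET", "url": "http://files.invalid/report.pdf",
     "filename": "report.pdf"},
]

DEAD_DROP_DOMAINS = {"m24.in"}   # credential dead drop named in the post
LATEST_FLASH = (10, 1)           # the real current Flash version cited in the post

FLASH_VERSION_RE = re.compile(r"Flash Player\s+(\d+)\.(\d+)", re.IGNORECASE)
# An .exe whose base name is itself a dotted host name, e.g. m24.in.exe
DOMAIN_EXE_RE = re.compile(
    r"^(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)\.exe$", re.IGNORECASE)


def claimed_flash_version(text):
    """Return (major, minor) the prompt claims for Flash Player, or None."""
    m = FLASH_VERSION_RE.search(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def implausible_flash_version(text, latest=LATEST_FLASH):
    """True when a prompt advertises a Flash version newer than any released."""
    v = claimed_flash_version(text)
    return v is not None and v > latest


def exe_named_after_domain(filename):
    """Return the host name an executable is named after, or None."""
    m = DOMAIN_EXE_RE.match(filename or "")
    return m.group("host").lower() if m else None


def classify(event):
    """Return the list of findings for one event (empty when nothing matched)."""
    findings = []
    host = (urlparse(event["url"]).hostname or "").lower()
    if event["method"] == "POST" and host in DEAD_DROP_DOMAINS:
        findings.append("post-to-known-dead-drop")
    if implausible_flash_version(event.get("prompt")):
        findings.append("implausible-flash-version")
    named = exe_named_after_domain(event.get("filename"))
    if named:
        findings.append("exe-named-after-domain")
        if named in DEAD_DROP_DOMAINS:
            findings.append("exe-named-after-dead-drop")
    return findings


def scan(events=SAMPLE_EVENTS):
    """Return (url, findings) for every event that produced at least one finding."""
    return [(e["url"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for url, findings in scan():
        print(url, findings)
```

The version check is deliberately narrow: it only catches a prompt that claims a release Adobe has not shipped, so `LATEST_FLASH` has to be kept current and a fake installer that picks a plausible number will pass it. The more durable signal on the page is the combination: an executable offered by a page posing as a video, rather than by Adobe, and named after the same domain the stolen credentials are posted to.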
Continue reading (with screenshots) at http://blog.webroot.com/2010/09/07/fake-flash-update-needs-flash-to-work/