Koobface joined the Twittersphere, and the Twittersphere is fighting back. It’s good to see response from the social networking infrastructure.

Koobface has been distributed in prevalence for around a year now, with the ThreatFire community confident all along that their information is safe from the threat. In other words, if you want to keep it off of your system, careful of what you download and add a behavioral solution like ThreatFire to your system’s security layers.

The Koobface family has been distributed in a couple of ways since June/July 2008, increasing its prevalence to significant volumes in December of last year. It started out as a standalone worm menacing the massive volumes of social networking users across a handful of social networks, defeating captcha, and downloading more malware to compromised systems. Now, it is more frequently distributed as part of a malware package by attacking sites, alongside other payloads delivered by exploit pages hosted by malicious web sites: Virut, click fraud components, spambots (Waledac) and scareware. Koobface can be a secondary method of propagation for these various malware distribution groups.

So it was only a matter of time before the developers figured out that Twitter is another popular Web 2.0 medium. They also figured out that Tinyurl is one way to obfuscate malicious urls and distribute these urls across tweets.

These urls lead to the standard phony codec pages that is a trademark of the group. This time you’ll see “Video posted by -WizArD-”, the site remains up:

When setup.exe is downloaded and run from 98.217.161.163, the user of course does not install an Adobe Flash Player Update as promised. Instead, they get an updated version of the Koobface worm. Along with the worm, the compromised system eventually is redirected to a FakeAv offer, so the group can make its money:

This morning, accounts tweeting the “My home video ” message with a tinyurl leading to the “Video posted by -Wizard-” are receiving some cleanup attention:

The Tinyurl has been disabled as well.

This entry was posted on Friday, July 10th, 2009 at 7:51 am and is filed under Click Fraud, Koobface, Rogueware, Spam, Virut. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.