Barely had facebook got a chance to revive itself from the last two attacks in a single week, another rogue application was seen making its rounds. This time, the end user was lead to a fake youtube site, complete with comments and all.

Once you click the Install button takes the user to download a “setup.exe” file which is the actual Koobface variant (WORM_KOOBFACE.AZ).

Once the worm infects a computer it sends cookie information to a remote server (about 300 different IP addresses have been found). Facebook API now support third-party connections, and the cookie information that is sent to the server contains all unencrypted log-in info, which enables the attacker to pose as an actual user.

TrendMicro has posted an article on this in their blog, and advises users to “refrain from clicking links in unsolicited messages, even out of curiosity.”

Currently Facebook is not the only one which is hit. The worm targets social networking sites such as hi5.com, friendster.com, myyearbook.com, myspace.com,
bebo.com, tagged.com, netlog.com, fubar.com and livejournal.com. The worm connects to the site, logs in as a legitimate user with the cookie information that was gathered, and sends messages to the people in the profile. If a machine is infected, information is gathered from the machine as well, enabling the attackers to execute commands on those machines.

Facebook spokesman Barry Schnitt said the company is investigating the new variant of Koobface.

Popularity: 1% [?]