Friday, September 11, 2009

What's Old is New...

There are hundreds of products that promise to "rejuvenate" our older population, remove wrinkles, or just plain make you "feel younger." These are items that attempt to "turn" the older people into "new." Most of these products, I think, are junk and do nothing but cost money.

However, there is a much larger problem with older now being new. For those unaware, old malware continually resurfaces in an attempt to trick people into bad situations. These old-turning-new products are doing more than costing money. A recent example of this is the re-appearance of the Koobface virus on Facebook.

The Koobface virus has been around for a while and yet it continues to be used. Facebook has reports from last year about it, and yet it is still rearing its ugly head. Specifically, I have seen it three times in the last week:
1) A friend of mine posted to my wall a warning that a Facebook email had been sent from her account, linking to a video, that she didn't send it, and that she knew it was malicious.
2) I received an email from the same friend that contained a different video link. However, from some of the text in the message, I knew it was fake/spoofed.
3) A posting went on my wall yesterday, to a third video, and by the same friend's account.

Having faith in my setup at home, I decided I would follow the link on the wall posting. Sure enough, a "new" Facebook page opened. This new page had a video player in the middle of it, with a message window telling me that I needed to Update my Flash Player Plugin. About 2 seconds later, a new window opened with nothing more than an obfuscated string of about 20 characters. It was then that Norton kicked off the big warning. I made note of the URL in the new window, clicked "view info" in my Norton warning, and then closed out the bad browser window.
For giggles, I clicked the movie link on my Facebook page again. The exact same sequence of events happened, as expected, with one BIG difference: the URL in the new window had a different top level address. The initial URL started with 67.X.X.X and the second time I followed this malicious link, the URL began with 74.X.X.X. I didn't bother with a third time.

From what I have read on other blogs and sites, had I clicked the "upgrade flash plugin" option on the first pop-up (fake Facebook page), and clicked OK to the download, I would have invited trouble into my electron world.

Additionally, the second, almost blank window that pops up with an obfuscated string is actually attempting to autodownload the Koobface virus as well. For more information on Koobface, check out:
http://sunbeltblog.blogspot.com/ (September 10, 2009 posting)
http://www.pcworld.com/article/155017/facebook_virus_turns_your_computer_into_a_zombie.html
http://www.scmagazineus.com/Koobface-spreading-through-thousands-of-IP-addresses/article/147964/
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23370

I should also note that this worm is infecting (ed) more than just Facebook: MySpace, Twitter, some blogs, and other social networking sites. The last link above provides some information on how to get rid of this "bad boy" should you become infected.