NEWS FROM THE LAB - Tuesday, December 9, 2008

You've Got Comment! Posted by Response @ 02:19 GMT

There's nothing like social networking sites to keep people connected and worms propagating — such as the all new and improved Net-Worm:W32/Koobface.CZ. A little infection equals a little comment in someone's little site somewhere.

This version of Koobface targets the following sites in its body:

– bebo.com
– myyearbook.com
– blackplanet.com
– facebook.com
– myspace.com
– friendster.com

It also has its own site, where it can query for more data, updates and of course the comments that it posts to the targeted websites. The site hosts plenty of comments (and of course the corresponding links) for the worm to use. Here are some of them:

– COMMENT: Are you sure this is your first acting experience?
– LINK: http://finditand .com/go/be.php?0e9c60ch=d41d8cd98f00b204e9800998ecf8427e

– COMMENT: is it u there?
– LINK: http://findit12 .com/go/be.php?e7883ch7=d41d8cd98f00b204e9800998ecf8427e

– COMMENT: impressive. i'm sure it's you on this video.
– LINK: http://find-notall .com/go/be.php?70dd4ch=d41d8cd98f00b204e9800998ecf8427e

– COMMENT: How can anyone get so busted by a spy camera?
– LINK: http://find-allhere .com/go/be.php?50ch=d41d8cd98f00b204e9800998ecf8427e

– COMMENT: You're the whole show! i'm admired with you
– LINK: http://freemarksearch .com/go/be.php?ch23=d41d8cd98f00b204e9800998ecf8427e
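The five links above share one shape: the path /go/be.php and a single query parameter whose value is d41d8cd98f00b204e9800998ecf8427e, which is the MD5 digest of empty input. As an added example (not F-Secure's code), here is a comment filter that flags links of that shape. The key pattern, the name `flag_links` and the sample queue are assumptions built from the five links in this post.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# MD5 of zero bytes. Every link quoted in the post carries this value.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

# Tolerates the defanged "host .com" spelling used in the post.
URL_RE = re.compile(r"https?://[^\s/]+(?: \.[^\s/]+)?/\S*", re.I)
KEY_RE = re.compile(r"[0-9a-f]*ch[0-9a-f]*")  # assumption drawn from the 5 samples
HEX32_RE = re.compile(r"[0-9a-f]{32}")


def flag_links(comment):
    """Return (host, key, is_empty_md5) for each link shaped like the post's samples."""
    hits = []
    for match in URL_RE.finditer(comment):
        # Undo defanging and drop trailing punctuation before parsing.
        url = match.group(0).replace(" ", "").rstrip(".,;)\"'")
        parts = urlsplit(url)
        if parts.path.lower() != "/go/be.php":
            continue
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        if len(pairs) != 1:
            continue
        key, value = pairs[0]
        value = value.lower()
        if KEY_RE.fullmatch(key.lower()) and HEX32_RE.fullmatch(value):
            hits.append((parts.hostname, key, value == EMPTY_MD5))
    return hits


# Constructed moderation queue: two comments from the post, two benign look-alikes.
SAMPLES = [
    "is it u there? http://findit12 .com/go/be.php?e7883ch7=d41d8cd98f00b204e9800998ecf8427e",
    "How can anyone get so busted by a spy camera? "
    "http://find-allhere .com/go/be.php?50ch=d41d8cd98f00b204e9800998ecf8427e",
    "nice video! http://video.example/watch?v=abc123",
    "docs: http://docs.example/go/be.php?page=2",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(flag_links(text) or "clean", "<-", text[:40])
```

Matching on the link shape rather than on the hostnames means the filter still fires when the worm's site hands out a new domain with the same path and parameter layout.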

Here's an example of one of the comments:

[Image: koob blog]

And of course when the person clicks the link, out comes YouTube!

[Image: fake youtube]

Er, I mean YuoTube... momentary dyslexia there... my bad.

[Image: koob title]

Which of course contains an "update" for your Adobe Flash player, because the site is so sure that your player is outdated. Don't argue with its superior wisdom.

And when you execute that file in your system… well, let's just say you've gone and summoned his older brother — Net-Worm:W32/Koobface.CY.

Response team post by — Christine