Kaspersky Lab has found that two worm variants, Networm.Win32.Koobface.a and Networm.Win32.Koobface.b, have been targeting MySpace and Facebook users. The worms upload extra malicious modules with other functionality via the Internet, so they may not be targeting only these two social networking sites for long.
“It is highly probable that victim machines will not only be used for spreading links via these social networking sites, but the botnets will also be used for other malicious purposes,” says Alexander Gostev, senior virus analyst at Kaspersky Lab.
NetWorm.Win32.Koobface.a spreads when users access their MySpace account. “The worm creates a range of commentaries to friends’ accounts,” says Gostev.
He explains that NetWorm.Win32.Koobface.b, which targets Facebook users, creates spam messages and sends them to the infected users’ friends via the Facebook site.
The messages and comments include texts such as ‘Paris Hilton Tosses Dwarf on the Street’; ‘Examiners Caught Downloading Grades from the Internet’; ‘Hello; you must see it!!! LOL. My friend caught you on hidden cam’; ‘Is it really celebrity? Funny Moments’; and many others.
“Messages and comments on MySpace and Facebook include links to YouTube.[skip].pl. If the user clicks on this link, they are redirected to http://YouTube.[skip].ru, a site which purportedly contains a video clip,” warns Gostev.
If the user tries to watch it, a message appears saying that they need the latest version of Flash Player in order to watch the clip. “However,” warns Gostev, “instead of the latest version of Flash Player, a file called codesetup.exe is downloaded to the victim machine; this file is also a network worm. The result is that users who have come to the site via Facebook will have the MySpace worm downloaded to their machines, and vice versa.”
“Unfortunately, users are very trusting of messages left by ‘friends’ on social networking sites. So the likelihood of a user clicking on a link like this is very high,” Gostev concludes.
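The infection chain described above leaves two traces a defender can look for in web proxy logs: requests to hosts that use "youtube" as a label without belonging to youtube.com, and downloads of a file named codesetup.exe. The following is an added example, not Kaspersky Lab's code; the log format, the `.example` host names and the choice of youtube.com as the only genuine domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

LEGIT_SUFFIXES = ("youtube.com",)  # assumption: only this domain counts as genuine
DROPPED_FILE = "codesetup.exe"     # file name reported in the article

# Constructed proxy log lines: "<client-ip> <url>". Hosts are placeholders.
SAMPLE_LOG = [
    "10.0.0.5 http://www.youtube.com/watch?v=abc",
    "10.0.0.7 http://youtube.video-clip.example/watch?id=1",
    "10.0.0.7 http://youtube.video-clip.example/files/codesetup.exe",
    "10.0.0.9 http://intranet.example/docs/setup.exe",
]

def is_lookalike(host):
    """True when 'youtube' is a DNS label but the host is not under a genuine domain."""
    host = host.lower().rstrip(".")
    if "youtube" not in host.split("."):
        return False
    return not any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def classify(url):
    """Return the list of reasons a single URL matches the described lure."""
    parts = urlsplit(url)
    reasons = []
    if is_lookalike(parts.hostname or ""):
        reasons.append("youtube-lookalike-host")
    # Compare only the final path component, case-insensitively.
    if parts.path.lower().rsplit("/", 1)[-1] == DROPPED_FILE:
        reasons.append("codesetup-download")
    return reasons

def scan(lines):
    """Map each client IP to the distinct reasons seen in its requests."""
    hits = {}
    for line in lines:
        client, url = line.split(None, 1)
        for reason in classify(url.strip()):
            seen = hits.setdefault(client, [])
            if reason not in seen:
                seen.append(reason)
    return hits

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, ", ".join(reasons))
```

A client that shows both reasons visited a lookalike host and then fetched the fake Flash Player installer, which makes it the first machine to isolate and examine.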