
Web 2.0 malware explodes in June

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 09 Jul 2009

June 2009 is an important milestone in the history of social networking malware, with an explosion of Koobface modifications taking place, according to Stefan Tanase, security researcher, global research and analysis team at Kaspersky Lab Romania.

He says malicious activity in the past month is the ultimate confirmation that the strategy of spreading malware through social media is paying off for cyber criminals.

The number of variants found leaped from 324 at the end of May to nearly a thousand by the end of June, a phenomenon Kaspersky attributes to summer and the holidays in the northern hemisphere.

Tanase says although the number of malicious programs usually slows down over the summer, the traffic on social networks like Facebook usually rises as people have more time to get in touch with friends, upload holiday pictures, and suchlike.

“However, in the case of Koobface, the growth rate we've seen in the last month exceeds by far any expectation. This is most likely caused by the fact that cyber criminals are realising how effective malware spread by social networking really is.”

Asked whether he sees the malware slowing down after the holidays, he says that once criminals realise how effective it is, they will focus their resources on squeezing as much return from their investment as possible.

“Malware is no longer developed for fun or fame; it is only profit-driven. So, just like a legitimate business would try to push their most successful product to as many markets and potential clients as they can, the criminals behind Koobface will continue to take as much as they can from this new attack vector: the Web 2.0 world.

“When everyone right now must have a Facebook page, Twitter account or similar, the pool of potential victims is growing day by day. So naturally, cyber criminals are going to target these sites more and more.”

Scareware

Tanase says cyber criminals follow no single clear direction in profiting from these attacks, adding that one of the most popular methods used recently is scareware, or fake anti-virus solutions.

“What these rogue anti-virus products do is mislead the user into believing his computer has severe problems, immediately asking for money in order to supposedly fix everything. The amounts usually requested are anywhere between $30 and $80.”

He says this is only one of the ways cyber crooks can profit. “When talking about Koobface, the monetisation methods are something classic, nothing necessarily new. They can make money by selling parts of their botnet, using pay-per-install services, stealing log-in credentials, sending spam or launching DDoS attacks. What is different with Koobface is the new way they're using to infect computers: social engineering in the Web 2.0 world.”

The notorious Koobface worm was first detected by Kaspersky a year ago, becoming instantly widespread and targeting Facebook and MySpace accounts. Tanase says it spreads through a genuine user's account to their friends' profiles. Comments and messages sent by the worm contain a link to a fake YouTube-style Web site which invites users to download a “new version of Flash Player”. The worm, rather than a media player, is then downloaded to victim machines. Once a user is infected, he or she will start spreading such messages to his or her friends.

In conclusion, he says there are several ways social networkers can avoid falling victim to one of these attacks. “Be careful when opening links coming through suspicious messages, even should they come from a trusted source. Use Firefox with NoScript installed, or Internet Explorer 7 running in protected mode.

“Divulge as little information as possible, and do not give out personal details such as a home address, phone numbers and similar. Finally, keep yourself protected against new malware by updating your anti-virus regularly.”
