January 20, 2010, by glhaldeman

‘Spongeface’ Koobface Variant Uses Spongebob as a Tease


A new variant of the Koobface social networking worm is sending social networkers links that lead to fake videos supposedly posted by the beloved cartoon antihero Spongebob Squarepants. The fake videos only display a popup message labeled “Adobe Flash Player Update” that says “This content requires Adobe Flash Player 10.37. Would you like to install it now?” Clicking anywhere on the page downloads the Koobface installer to the victim’s PC.

The technique isn’t new, but this is the first sign that the crew behind Koobface is switching from ‘holiday mode’ (when they sent around links to videos that were supposedly posted by Santa Claus) to ‘post-holiday mode.’

In other respects, the worm features a few small tweaks: its captcha component, which tries to convince infected users to type the text of a captcha into a dialog box, has been modified to read and properly display the new reCAPTCHA format used by some social network sites. The new format randomly places black circles ‘behind’ the text and inverts the captcha text where the text and the black circles intersect.

The dialog box warns users that their PC will shut down if they don’t enter the correct information before a three-minute timer runs down, but users don’t have to worry: If you enter bogus information or simply let the timer run down, nothing happens. If you do enter the correct captcha, however, the component will send the captcha text to its distributed network of servers, which can use that information to bypass captcha controls and post links to the bogus videos.

Another recent innovation is that each infected PC runs a service called Webserver, which appears in the Task Manager as webserver.exe. While installing this service component, the worm opens TCP ports 53 (used for DNS) and 80 (used for web pages) so they are no longer blocked by the Windows Firewall. Presumably this lets the Koobface operators control (and send commands to) infected machines more easily.

The new variant is also using a new command-and-control server, at the domain u07012010u.com, so if you have the ability to block that domain at your gateway, you should.
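The two host-side signs described above (lookups of the C2 domain, and firewall openings for webserver.exe on TCP 53 and 80) can both be checked from logs. The script below is an added example, not code from the original post: it flags queries for the C2 domain in a DNS query log and inbound Allow rules for webserver.exe on those ports in a firewall rule dump. Both log layouts and every sample line are constructed; a real `netsh` dump would need its field names mapped onto the ones assumed here.

```python
import re

# Indicators named in the post; every log line below is a constructed sample.
KOOBFACE_C2 = "u07012010u.com"
KOOBFACE_PROCESS = "webserver.exe"
KOOBFACE_PORTS = {"53", "80"}   # TCP ports the worm opens in Windows Firewall
SAMPLE_DNS_LOG = """\
2010-01-20 09:12:01 10.0.0.15 query A www.example.com
2010-01-20 09:12:07 10.0.0.23 query A u07012010u.com
2010-01-20 09:12:09 10.0.0.23 query A cdn.u07012010u.com
"""

# Constructed dump in the shape of `netsh advfirewall firewall show rule` output.
SAMPLE_FIREWALL_RULES = """\
Rule Name:    Core Networking - DNS (UDP-Out)
Direction:    Out
LocalPort:    Any
Program:      C:\\Windows\\system32\\svchost.exe
Action:       Allow

Rule Name:    Webserver
Direction:    In
LocalPort:    80
Program:      C:\\Windows\\webserver.exe
Action:       Allow
"""

def find_c2_queries(dns_log):
    """Return (client_ip, name) for each lookup of the C2 domain or a subdomain."""
    hits = []
    for line in dns_log.splitlines():
        parts = line.split()
        name = parts[-1].lower().rstrip(".") if parts else ""
        if name == KOOBFACE_C2 or name.endswith("." + KOOBFACE_C2):
            hits.append((parts[2], name))
    return hits

def find_webserver_rules(rule_dump):
    """Return names of inbound Allow rules opening port 53 or 80 for webserver.exe."""
    hits = []
    for block in re.split(r"\n\s*\n", rule_dump.strip()):
        fields = {}
        for line in block.splitlines():          # "Key:   value" lines
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        if (fields.get("direction") == "In" and fields.get("action") == "Allow"
                and fields.get("localport") in KOOBFACE_PORTS
                and fields.get("program", "").lower().endswith(KOOBFACE_PROCESS)):
            hits.append(fields["rule name"])
    return hits
```

Run against real data, `find_c2_queries` is the gateway-side check the post recommends and `find_webserver_rules` is the per-host check; a hit from either is reason to pull the machine for cleanup.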

Tip of the hat to Threat Research Analyst Scott Manley for spotting this one.
