January 20, 2010, by glhaldeman

‘Spongeface’ Koobface Variant Uses Spongebob as a Tease


A new variant of the Koobface social networking worm is sending social networkers links that lead to fake videos supposedly posted by the beloved cartoon antihero Spongebob Squarepants. The fake videos only display a popup message labeled “Adobe Flash Player Update” that says “This content requires Adobe Flash Player 10.37. Would you like to install it now?” Clicking anywhere on the page downloads the Koobface installer to the victim’s PC.

The technique isn’t new, but this is the first sign that the crew behind Koobface is switching from ‘holiday mode’ (when they sent around links to videos that were supposedly posted by Santa Claus) to ‘post-holiday mode.’

In other respects, the worm features a few small tweaks: its Captcha tool, which attempts to convince infected users to enter the text of a captcha into a dialog box, has been modified to read and properly display the new ReCaptcha format used by some social network sites. The new format randomly places black circles ‘behind’ the text, and inverts the text of the captcha phrase where the text and black circles intersect.

The dialog box warns users that their PC will shut down if they don’t enter the correct information before a three-minute timer runs down, but users don’t have to worry: If you enter bogus information or simply let the timer run down, nothing happens. If you do enter the correct captcha, however, the component will send the captcha text to its distributed network of servers, which can use that information to bypass captcha controls and post links to the bogus videos.

Another recent innovation is that each infected PC runs a service called Webserver, which appears in the Task Manager as webserver.exe. While installing this service component, the worm opens TCP ports 53 (used for DNS) and 80 (used for web pages) so they are no longer blocked by the Windows Firewall. Presumably this permits the Koobface operators to more easily control (and send commands to) infected machines.

The new variant is also using a new command-and-control server, at the domain u07012010u.com, so if you have the ability to block that domain at your gateway, you should.
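The three host-side indicators the post names (the webserver.exe service, inbound TCP 53 and 80 newly allowed through the Windows Firewall, and lookups of the u07012010u.com command-and-control domain) can be turned into a small triage check. The following is an added example written for this page, not Webroot's tooling; the log line formats are constructed key=value records, not the format of any real product, and the only real indicators in it are the ones taken from the post above. Subdomain matching of the C&C domain and the "both 53 and 80 allowed inbound" rule are choices made for this example.

```python
"""Match the Koobface 'Spongeface' indicators from the post against host
telemetry. Log formats are constructed for this example (key=value records);
the indicators themselves (domain, binary name, ports) come from the post."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

C2_DOMAINS = {"u07012010u.com"}        # command-and-control domain named in the post
SUSPECT_IMAGES = {"webserver.exe"}     # service binary named in the post
UNBLOCKED_PORTS = {53, 80}             # ports the worm unblocks in Windows Firewall

_KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key=value' record into a dict."""
    return dict(_KV.findall(line))


def is_c2_domain(name: str) -> bool:
    """True for the C&C domain itself or any label beneath it (example choice)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def scan_dns(log: str) -> List[str]:
    """Return queried names that resolve under the C&C domain."""
    return [q for q in (parse_kv(l).get("query") for l in log.splitlines())
            if q and is_c2_domain(q)]


def scan_processes(log: str) -> List[str]:
    """Return image paths whose file name is one of the suspect binaries."""
    hits = []
    for line in log.splitlines():
        image = parse_kv(line).get("image")
        if image and image.replace("/", "\\").rsplit("\\", 1)[-1].lower() in SUSPECT_IMAGES:
            hits.append(image)
    return hits


def scan_firewall(log: str) -> List[Dict[str, str]]:
    """Return inbound TCP allow rules on the ports the worm opens."""
    hits = []
    for line in log.splitlines():
        rec = parse_kv(line)
        if not rec.get("port", "").isdigit():
            continue
        if (rec.get("dir") == "in" and rec.get("proto") == "TCP"
                and rec.get("action") == "allow" and int(rec["port"]) in UNBLOCKED_PORTS):
            hits.append(rec)
    return hits


@dataclass
class Findings:
    c2_lookups: List[str] = field(default_factory=list)
    processes: List[str] = field(default_factory=list)
    firewall_rules: List[Dict[str, str]] = field(default_factory=list)

    def is_suspicious(self) -> bool:
        # A C&C lookup or the named binary is enough on its own; a firewall
        # rule alone is weak (port 80 may be legitimate), so require both
        # 53 and 80 to be newly allowed inbound before flagging on rules only.
        allowed_ports = {int(r["port"]) for r in self.firewall_rules}
        return bool(self.c2_lookups or self.processes) or UNBLOCKED_PORTS <= allowed_ports


def scan_all(dns_log: str, process_log: str, firewall_log: str) -> Findings:
    return Findings(scan_dns(dns_log), scan_processes(process_log), scan_firewall(firewall_log))


# Constructed sample telemetry for one host (not real captured data).
DNS_LOG = """2010-01-20 09:14:02 host=WS-17 query=www.example.com type=A
2010-01-20 09:14:05 host=WS-17 query=u07012010u.com type=A
2010-01-20 09:14:09 host=WS-17 query=video.u07012010u.com type=A
"""
PROCESS_LOG = """host=WS-17 pid=1320 image=C:\\Windows\\explorer.exe
host=WS-17 pid=2288 image=C:\\Windows\\system32\\webserver.exe
"""
FIREWALL_LOG = """host=WS-17 rule=CoreNet-DNS dir=in proto=TCP port=53 action=block
host=WS-17 rule=Webserver dir=in proto=TCP port=80 action=allow
host=WS-17 rule=Webserver dir=in proto=TCP port=53 action=allow
"""

if __name__ == "__main__":
    f = scan_all(DNS_LOG, PROCESS_LOG, FIREWALL_LOG)
    print("C&C lookups:   ", f.c2_lookups)
    print("suspect images:", f.processes)
    print("opened ports:  ", sorted(int(r["port"]) for r in f.firewall_rules))
    print("suspicious:    ", f.is_suspicious())
```

Run as a script it reports both C&C lookups, the webserver.exe image and the two inbound allow rules for the sample host. In practice the DNS hits are the strongest signal for a gateway or resolver log, while the process and firewall checks belong on the endpoint; the domain block the post recommends is what stops the traffic, and this check is how you find the hosts that tried.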

Tip of the hat to Threat Research Analyst Scott Manley for spotting this one.
