8 Things You Probably Did Not Know About the KOOBFACE Worm!

You’ve probably read or heard about KOOBFACE malware propagating through social networking sites such as Facebook, MySpace, and Twitter. A lot of analysis is available online through blogs or malware descriptions. But I bet most of you probably still do not know some or all of these things about KOOBFACE.

1. KOOBFACE knows: KOOBFACE has the capability to steal whatever information is available in your Facebook, MySpace, or Twitter profile. Profile pages of these social networking sites may contain information about one’s contact details (address, email, phone), interests (hobbies, favorite things), affiliations (organizations, universities), and employment (employer, position, salary). So beware, KOOBFACE knows a lot!
2. KOOBFACE doesn’t just know you through your profile information, they also know what you look like!: Not only does the botnet steal profile information, it also makes sure to put a face to the name by getting one’s profile picture as well.
3. URLs leading to KOOBFACE malware are either in compromised or free Web hosting sites: Yep, call them cheap but the guys behind KOOBFACE are making good use of compromised and free Web hosting sites in spamming KOOBFACE-related URLs. These URLs are spammed in social networking sites with catch phrases like “funny video,” which lead to a fake YouTube or Facebook site, which then leads to KOOBFACE malware.
4. KOOBFACE zombies are made into Web servers on top of being social networking site spammers: KOOBFACE installs a Web server component into infected machines, which effectively makes the infected machine part of the malware’s distribution network. Infected machines serve fake YouTube or Facebook pages, which then lead to the KOOBFACE malware.
5. KOOBFACE zombies are able to distribute repackaged versions of the malware: KOOBFACE Web servers are able to use UPX, a popular executable packer program, to pack (compress) the KOOBFACE binaries they serve.
6. Half of KOOBFACE infections occur in the United States: This is not surprising since majority of the social networking site users reside in the United States.
7. KOOBFACE is able to block IP addresses: Probably in an effort to protect itself against takedown or snooping by curious researchers, KOOBFACE implemented a blockIP routine where traffic coming from a particular IP range is blocked.
8. KOOBFACE is able to defeat Facebook’s spam filtering: Facebook, MySpace, and Twitter have recently implemented a spam-filtering mechanism where known spam URLs are blocked. KOOBFACE tries to circumvent this by first testing if a KOOBFACE spam URL is blocked by Facebook or not.

So there, some things you may not know about KOOBFACE. If you would like to read some more about KOOBFACE, check out the article over at Wikipedia here. So while you may not have been one of the ones to be infected by it, there is a good chance you have come across it before either from a friend’s infected account or just some random person who happened to target you after getting infected themselves. While it isn’t the nastiest worm out there, it is defiantly doing some damage so if you get some weird link from a friend on a social networking site, play it safe and please do not click on it!