Security Labs



Koobface Spreading Again on Facebook


Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has discovered that the Koobface social networking worm is again spreading on Facebook. Our HoneyJax systems picked up the following email this morning:

The email reveals that infected user accounts are being used to post messages to Facebook friends lists. The content was an enticing message with a link that used a Facebook open redirector. When recipients click the link, they are automatically redirected multiple times, finally reaching a site masquerading as YouTube that serves a malicious Trojan downloader.

  1. The Facebook link directs to a malicious account hosted at
  2. The malicious Geocities account includes an obfuscated JavaScript link to http://lost[REMOVED]/js/js.js, which leads to http://off3[REMOVED]/go/fb.php
  3. The .php file then redirects to either http://youtube-spyvi[REMOVED]/?schk=&keat= or http://youtube-x[REMOVED]/?ch=&ea=. These sites serve the malicious "flash_update.exe" file (SHA1: 62689f89f1c5f6df10f4c7096772468d4c8e458a).
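The last hop of this chain can be hunted for in web proxy logs. The following is an added example, not code from Websense: it flags requests to hosts that use the YouTube name without being under youtube.com, and checks a captured file against the SHA1 published above. The log format, the sample lines and the `.example` host names are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# SHA1 of flash_update.exe as published in this alert.
KNOWN_SHA1 = "62689f89f1c5f6df10f4c7096772468d4c8e458a"
GENUINE = "youtube.com"  # assumption: only this registered domain is treated as real

# Constructed proxy log, format: "<client> <url> <content-type>" (not from the alert).
SAMPLE_LOG = [
    "10.0.0.5 http://www.youtube.com/watch?v=abc text/html",
    "10.0.0.7 http://youtube-clips.example/?ch=&ea= text/html",
    "10.0.0.7 http://youtube-clips.example/flash_update.exe application/octet-stream",
    "10.0.0.9 http://youtube.com.media.example/setup.exe application/x-msdownload",
    "10.0.0.4 http://downloads.example/tool.exe application/x-msdownload",
]

def is_youtube_lookalike(host):
    """True when the host name uses the YouTube brand but is not under youtube.com."""
    host = host.lower().rstrip(".")
    genuine = host == GENUINE or host.endswith("." + GENUINE)
    return "youtube" in host and not genuine

def flag_requests(lines):
    """Return (client, host, verdict) for every request to a look-alike host."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed entries
        client, url, ctype = fields
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not is_youtube_lookalike(host):
            continue
        executable = (parts.path.lower().endswith(".exe")
                      or ctype == "application/x-msdownload")
        verdict = "executable-download" if executable else "lookalike-visit"
        hits.append((client, host, verdict))
    return hits

def matches_known_sample(data):
    """Compare a captured file's SHA1 with the hash published in the alert."""
    return hashlib.sha1(data).hexdigest() == KNOWN_SHA1

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

The suffix check on `youtube.com` is what catches hosts such as `youtube.com.media.example`, which a plain substring match on the genuine domain would treat as legitimate.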

Screenshot of the malicious Web site serving the Trojan downloader:

Websense Messaging and Websense Web Security customers are protected against these threats.