Alerts
Koobface Spreading Again on Facebook
Date:11.07.2008
Threat Type: Malicious Web Site / Malicious Code
Websense® Security Labs™ ThreatSeeker™ Network has discovered that the Koobface social networking worm is again spreading on Facebook. Our HoneyJax systems picked up the following email this morning:
The email reveals that infected user accounts are being used to post messages to Facebook friends lists. The content was an enticing message with a link that used a Facebook open redirector. When recipients click the link, they are automatically redirected multiple times, finally reaching a site masquerading as YouTube that serves a malicious Trojan downloader.
- The Facebook link directs to a malicious account hosted at Geocities.com.
- The malicious Geocities account includes an obfuscated JavaScript link to http://lost[REMOVED]/js/js.js, which goes to http://off3[REMOVED]/go/fb.php
- The .php file next redirects to either http://youtube-spyvi[REMOVED]/?schk=&keat= or http://youtube-x[REMOVED]/?ch=&ea=. These sites serve the malicious "flash_update.exe" (SHA1: 62689f89f1c5f6df10f4c7096772468d4c8e458a) file.
Screenshot of the malicious Web site serving the Trojan downloader:
Websense Messaging and Websense Web Security customers are protected against these threats.