A computer worm originally targeted at members of social networks has been updated to spread using BitTorrent. Known as Koobface, the malware uses compromised computers to build a peer-to-peer botnet and was originally spread via Facebook messages that linked to its code. Now its developers have given it the ability to obtain and distribute its payload using BitTorrent. But don’t panic…..
Whether it be a virus, trojan horse or worm, adware, badware or scamware, most Internet users are familiar with the notion that some software available online can do harm to both them and their computer. These days people are becoming more cautious and savvy, but as they do so virus creators also up their game.
The creators of the Koobface worm (an anagram of Facebook) have done just that. This piece of code first appeared in 2008 and originally targeted members of social networks. Using an already infected computer as a jump point, Koobface would send messages to an Internet user’s Facebook ‘friends’ which contained links to various material, possibly a video.
But a video would not play and instead the person receiving the message would be directed to install a supposed update for Adobe Flash Player. Of course this was a hoax and instead the Facebook user’s computer would become infected with the Koobface worm and integrated into a botnet.
The victim’s computer could also be subjected to further malware installations, have its search queries hijacked to display adverts, find itself blocked from accessing websites (such as anti-virus vendors), and have its license keys stolen.
According to Trend Micro, Koobface has now been updated to make use of another rising technology – BitTorrent. But before everyone panics, let’s take a look at how the new Koobface works and we’ll see that the threat is relatively easy to avoid.
In its new incarnation Koobface begins life as a ‘loader’. This piece of software arrives on the host machine by the usual methods employed by malware and virus creators. These include using fake torrents – downloads which claim to be one thing but actually turn out to be something else. Nothing really new here.
However, once the ‘loader’ (Trend call it WORM_KOOBFACE.AV) hits the target machine and is executed, it quietly downloads a torrent file in the background. As we known, torrents are pretty useless without a torrent client, but the new Koobface has a trick up its sleeve. The ‘loader’ contains a torrent client of its own (actually a version of uTorrent) which runs on the target machine without making itself visible. The client then silently downloads the files shown in the screenshot below.
Once extracted Koobface goes to work with all the features of earlier versions, but with a notable addition. The files downloaded via the inbuilt client begin to seed using several large public trackers for the ‘benefit’ of future Koobface victims. This page shows the number of people who have been seeding the 67 Dark Ritual release during recent days.
“The shift from concentrating on propagating through social networks to torrent P2P networks may be a result of the efforts by the targeted social networks to prevent the KOOBFACE botnet from abusing their framework,” says Trend Micro’s Senior Threat Researcher Jonell Baltazar.
“Despite this change, users should be aware that the KOOBFACE gang has not stopped in coming up with schemes to infect users’ systems. They are simply looking for other means to do so.”
Trend list several infected torrents with a numbering scheme which seems to suggest that there could be a whole lot more. According to various tracker records, these torrents started to appear during April 2011.
While the decision to use BitTorrent to spread this malicious worm is novel, BitTorrent fans shouldn’t panic.
In basic terms BitTorrent is a protocol which shifts around data on the Internet, much like HTTP or FTP. The latter two protocols have been used for delivering malicious payloads for as long as most people can remember so it should come as no surprise that as it increases in popularity, BitTorrent will also be used for the same purposes. Even more so since LimeWire’s former home Gnutella – a network previously a haven for malware – is gasping for air on its deathbed.
While this new Koobface variant is undoubtedly clever in its use of BitTorrent, the people who use torrent clients tend to be a more savvy audience than the ‘average’ Facebook user who might click links and install software without a second thought. Hopefully this human element will help limit the spread of the worm.
For anyone looking to avoid Koobface the terribly formatted filenames shown in the list above should ring alarm bells that something isn’t right, but for those still uncertain about how to avoid fake and dangerous files when using BitTorrent, referring to our guide should do the trick.