I consider myself someone who stays fairly current with the internet and social networking and all of that stuff. After all, I spend most of every day on both. But when Dave and I attended an Anatomy of a Malware Attack presentation by Sophos security last week, I discovered that I had missed some things over the last couple of years. Since we have been looking at social networking safety and security over the last couple weeks, and I’ve shown a number of people how to get started with Facebook and Twitter, I thought it would be the perfect time to warn you all of some of the malware threats associated with social networking.

The image above represents Koobface, a worm-type malware that hides on social networking sites hoping you click bad links and install bad software leaving your system and account open for all kinds of evil. Clicking the image will take you to a wonderful article on how to remove the Koobface worm, should you become infected. Koobface certainly isn’t the only type of malware that can be picked up on Facebook and Twitter, but it gives us a good culprit and example for discussion.

Full disclosure: I hadn’t heard of Koobface before the Sophos conference—even though the worm has been around since 2008—but I have been well aware of social media malware for a few years now. I figured if I was learning a thing or two about Koobface and social malware, I might as well pass the knowledge on to you!
What is malware?
Don’t hate me for explaining this term if you’re familiar with it, but I don’t want users getting infected (or left behind in this article) if they don’t know what’s going on. Plus, Sophos gave me this handy new dictionary of computer threats, the Threatsaurus, so everyone can be on the same page with their definitions. From page 53 of their book, “Malware is a general term for malicious software including viruses, worms, Trojan horses and spyware.” Ok, so I probably shouldn’t have defined that for you. You’re smart. But I was just imagining my mother reading this article and getting lost in the introduction because she didn’t know what malware was. So Mom, if you’re reading this, this section is for you.
What kind of malware threats are present on social networks?
We’ve already been through the general risks of using social networking, but malware deserves another pass. Malware no longer needs to strong-arm itself into your systems: no, the makers have gotten smart. With the rapid explosion of social media over the last few years, malware people have been putting their malware all up in our Myspace, Twitter, and Facebook business. John Schire from Sophos explained it like this, “malware has evolved from push to pull.” In other words, we are the ones giving ourselves malware by clicking bad links. The bad guys are using social engineering to hide malware behind enticing-sounding links that practically make you click on them. One example presented in the conference was used by Koobface to get users to click on an intriguing hyperlink that redirects them to a page asking them to install something that may seem innocuous. This malicious bait-and-switch plays upon people’s curiosity about others on social networks to bring them to a page they think is safe but actually hosts malware programs.
What is Koobface?
Koobface is one example of social networking malware. It is rather detailed and complex, requiring a full team of employees working just as hard on it as any employee might work on their legal, legitimate software projects.
From the wiki:
Koobface ultimately attempts, upon successful infection, to gather login information for FTP sites, Facebook, and other social media platforms, but not any sensitive financial data. It then uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements. Its peer-to-peer topology is also used in showing fake messages to other users with the purpose of expanding the botnet. It was first detected in December 2008 and a more potent version appeared in March 2009.
Here is an example of the bait-and-switch that the Sophos security experts were talking about. Infected accounts post the status you see above, with the hope that curious users will also click that link and start the infection process. Note: simply clicking these links won’t give you malware. Malware creators are actually going to socially engineer you once again.

Clicking a malware-infected link will take you to another site that appears to be loading a video. Wow, some video made a girl kill herself? I can’t believe it. No way a video would make me do something crazy. I NEED to see this video. That’s what the malware creators want you to think. You’ll be so worried about the content of the video that you’ll let your skeptical guard down.

After a brief period of attempting to load, the malicious browser window will tell you that your plug-in is out of date and you need to download a new plug-in or update your plug-in or something similar. Do not install anything from any site you do not fully trust. Your plug-in is not outdated. You do not need to install a missing plug-in. They’re lying. They’re taking advantage of the fact that we are all so used to installs and updates that we give them little thought. Whenever clicking a link takes you to an unexpected install, turn around and run the opposite direction as fast as you can. I just wanted to learn about male enhancement pills, what does installing ActiveX have to do with anything?

Sometimes these people make fake accounts to distribute the infected links. More often, the bad guys will use a hacked “real account” to send the infected links to other real people on friends lists.