A new wave of the Koobface virus has been detected with distinct tweets being sent leading to a convincing fake Facebook page.
Kaspersky Lab detected the change in tactics as it now contains links from infected messages leading to what it called a ‘very well-designed Facebook look-alike page'.
It also claimed that Koobface is now sending unique tweets on Twitter, with previous messages saying ‘My home video :)' with a URL link. It now includes a random component with strings such as ‘HA-HA-HA!!', ‘WOW', ‘LOL' or ‘OMFG!!!' at the end of each tweet.
The lab also said that a random component is being added to the Koobface landing page so that the URL gets shortened to a different bit.ly URL each time, making it harder for Twitter to filter and delete infected messages.
It has detected the malicious binary as Net-Worm.Win32.Koobface.d, with the script that is doing the redirect on the landing page as Trojan-Clicker.HTML.IFrame.ob. So far Kaspersky Lab claimed to have identified around 100 unique IP addresses hosting Koobface.
Trend Micro advanced threats researcher Ryan Flores claimed that unlike Waledac that has been around for a while but generally sleeps and wakes up only when it wants to, Koobface continues to maintain its success and just seems to keep on improving.
Flores said: “Although not as large and widespread compared to Storm or Waledac during their heydays, Koobface is a revolutionary malware in the sense that it is the first Web 2.0 threat to enjoy continuous success, which is significant in a time when social network sites reign supreme.
“This is why we see it as important that we understand this threat, because the computing landscape is evolving and user behaviour is changing, and with a malware like Koobface threatening the computing landscape, it is a Trend Micro duty to stay on top of these threats.”