Chris Mosby at myITforum.com

You’ve probably read or heard about KOOBFACE malware propagating through social network sites such as Facebook, MySpace and Twitter. A lot of analysis is available online through blogs or malware descriptions. But I bet most of you probably still don’t know some or all of these things about KOOBFACE…

1. KOOBFACE knows: KOOBFACE has the capability to steal whatever information is available in your Facebook, Myspace or Twitter profile. Profile pages of these social networking sites may contain information about one’s contact details (address, email, phone), interests (hobbies, favorite things), affiliations (organizations, universities) and employment (employer, position, salary). So beware, KOOBFACE knows a lot!
2. KOOBFACE doesn’t just know you through your profile information, they also know what you look like!: Not only does the botnet steal profile information, it also makes sure to put a face to the name by getting one’s profile picture as well.
3. URLs leading to KOOBFACE malware are either in compromised or free web hosting sites: Yep, call them cheap. But the guys behind KOOBFACE are making good use of compromised and free web hosting sites in spamming KOOBFACE-related URLs. These URLs are spammed in social network sites with catch phrases like “funny video” which leads to a fake YouTube or Facebook site which then leads to KOOBFACE malware.
4. KOOBFACE zombies are made into web servers on top of being social network site spammers: KOOBFACE installs a web server component into infected machines which effectively makes the infected machine part of KOOBFACE’s malware distribution network. Infected machines serve fake YouTube or Facebook pages which then lead to the KOOBFACE malware.
5. KOOBFACE zombies are able to distribute repackaged versions of the malware: KOOBFACE web servers are able to use UPX, a popular executable packer program, to pack (compress) the KOOBFACE binaries they serve.
   
6. Half of KOOBFACE infections are in the United States: Which is not surprising since most social networking users are in the US.
7. KOOBFACE is able to block IP addresses: Probably in an effort to protect itself against takedown or snooping by curious researchers, KOOBFACE implemented a blockIP routine where traffic coming from a particular IP range is blocked.
8. KOOBFACE is able to defeat Facebook’s spam filtering: Facebook, Myspace and Twitter has recently implemented a spam filtering mechanism where known spam URLs are blocked from being sent. KOOBFACE tries to circumvent this by testing first if a KOOBFACE spam URL is blocked by Facebook or not.

So there, some things you may not know about KOOBFACE. If this whets your appetite for more information, you may read our research paper The Heart of KOOBFACE: C&C and Social Network Propagation fresh off the grill from the White Papers section of TrendWatch.