The Koobface gang has struck again, using compromised web servers to deliver a potent mix of malware. zveloLABS™ researchers have found hundreds of newly compromised sites hosting malware that includes downloaders, keyloggers and multiple variants of the Koobface worm.
Attackers who deliver their malware from compromised sites stand a better chance of evading web filters, since those sites are generally already categorized in a "safe" category and a reputation-based filter has no reason to block them. Constantly changing the malware binaries also keeps anti-virus detection rates low, because signatures written for one build do not match the next.
zvelo has noted a constant stream of new malware files coming from these sites.
Koobface is a social network worm that spreads using social engineering techniques. Users typically receive a link to an alleged video from one of their contacts. After clicking the link, the user is prompted to update their Flash Player or download a codec in order to view the video. Users who haven't been trained to be skeptical of such requests follow the directions and infect their machine. The worm then uses the local user's social networking accounts to send the same lure to that user's friends, family and business contacts. This social networking aspect is the heart of the lure and the reason it is so successful: the video might require a download to view, but it came from a close friend, so it is probably fine.
The keyloggers hosted on the compromised sites can be used to steal any kind of sensitive personal information. Koobface in particular steals login credentials for social networking sites, which it then uses to send more messages and infect more machines.
zvelo is flagging these sites as “Compromised” within its zveloDB® URL database.