The Koobface gang has been keeping themselves busy of late. Like Santa's little elves, they’re beavering away, creating and checking their fake Facebook and YouTube video sites and packin' it (the worm, that is) twice. The latest campaign involves posting messages on Facebook profiles, which link to either to fake video pages or a fake Facebook page. Either way you will be offered a file named setup.exe, which may be presented as a Flash Player upgrade or some kind of free antivirus to protect you from Koobface.
The lure is put forth in compromised or bogus Facebook postings. The text is largely the same, though the messages appear with duplicate letters in various parts of the posts. For example:
• I caan't ffall asleepp affter viewwing thiss videeo. I haven'tt seenn aanything liike this
• I can''t falll aslleep aftter viiewing thhis vvideo. I havven't seeen aanything likee thhis
• I caan't ffall aslleep aftter vieewing thiss videoo. I haveen't seeen annything llike thiis
The list of permutations is endless—perhaps it’s a way of evading automated detection systems. The message is followed by a link. If the link is clicked, you’ll end up on a fake Facebook page like the one below:
We are currently detecting the file setup.exe as W32.Koobface.D. This is not the first Christmas-related malware campaign so far this year and it will certainly not be the last.