GENEVA — The attacks and scams that have been affecting users of Facebook, Twitter and other popular social networking sites are continuing to evolve and improve, as the attackers learn more about their victims and refine their tactics, experts say.

The poster child for these attacks has been the Koobface worm, which has been circulating on Facebook and various other sites for several months. However, the term worm is something of a misnomer in this case, experts say, as Koobface in fact comprises a number of different components. In addition to the social networking propagation components, Koobface also now includes a network of malicious Web servers, URL checkers, a CAPTCHA breaker, a rogue antivirus program, data stealers and search-result hijackers, said Ivan Macalintal, a senior threat analyst at Trend Micro, in a presentation at Virus Bulletin 2009 here Thursday.

And that litany of capabilities doesn’t even include the botnet and associated command and control structure that Koobface has built. The botnet control is done over HTTP, and the updates that the Koobface authors make to the program, which sometimes happen as frequently as once a day, usually change the C&C structure, as well.

“It’s an unfinished product at this point and it’s in perpetual beta,” Macalintal said.

In June, Koobface still had just two main C&C servers controlling the botnet. A month later, after continued efforts from researchers to disrupt the botnet, the Koobface authors updated the infrastructure, adding a layer of proxies and making it more difficult to identify the specific servers controlling the bots.

Koobface also is now using blogs that are set up automatically, usually centered on a major news event and filled with entries with malicious links. The links lead to phishing sites or sites that host the Koobface malware itself.

And it’s not just Facebook that’s taking the hit. Twitter also has emerged a major target for attackers looking for phishing victims, personal information on potential victims and anything else that could be of use. There have been some incidents of botmasters using Twitter as a command mechanism, although experts say this is not of much use.

“It’s not the best means of command and control, because it’s easily blocked after detection,” said Costin Raiu, (above, right) a security researcher at Kaspersky Lab, who gave a joint presentation with Morton Swimmer (above, left) of Trend Micro, on Twitter attacks.

Raiu and Swimmer are working on separate projects analyzing the volume and nature of threats and attacks on Twitter by pulling tweets from the site’s public timeline and putting them through a variety of automated analyses. Much of the activity right now consists of spam from automated Twitter accounts, malicious URLs leading to phishing sites and porn.

Categories: Malware, Web Security