Proactive IT security

Malicious identity production

2009-11-13 [Malware discussion, Security terms, Social engineering, Spreading mechanisms, Trends & predictions]

Introduction

Identity theft is a term that has become familiar in recent years. More exotic - until recently - has been identity production with malicious intent. A new version of Koobface does exactly that - automatically.

The malware Koobface

Koobface is a worm that propagates through social network sites, for example Facebook. There are several versions of this worm, the first detected by Norman's antivirus software more than one year ago. More information is available from Norman's virus description.

The new version that inspired this security article has some new functionality, and automatically performs actions like:

  • Setting up accounts on Facebook
    • These accounts have characteristics that seem legitimate, like date of birth, favourite books, picture, etc.
    • The accounts' details vary for every account that is set up.
  • Confirming that an email address from Gmail is correct (needed in order to activate the Facebook account)
  • Joining random Facebook groups
  • Adding other Facebook users as friends
  • Posting messages to the new friends' Facebook walls

Obviously, some of this functionality makes it harder for those exposed to the worm to determine that they are dealing with automated malware impersonating a human, and not a real person.

Reflections

There are some interesting general reflections to make from this new Koobface variant.

Sophistication

It is yet another example of malware getting increasingly sophisticated, both with respect to programming skills and - perhaps even more - the design of the malware.

Impersonation 

A well-known technique used by malware is that it attempts to impersonate a real person.

A typical example is malware that sends email to addresses found on the infected computer. The rationale is that the recipient will tend to trust email sent from a person already known to them. This often has somewhat bizarre side effects, like a person you know suddenly sending an email in another language.

Koobface uses a different technique: it does not attempt to impersonate a real person, but instead presents itself as a fictitious one. A recipient who tries to investigate the sender will find information that seems, to some extent, legitimate.

Channels for malware propagation

We have previously discussed the fact that the so-called "new media" are becoming increasingly popular as spreading vectors for malware. See, for example, "Facebook - an increasingly popular spreading vector for malware" from last year.

Implications

Further refinements and variations of identity production will presumably be a high priority for malware writers. Seen from the malicious person's point of view, it is smart to be at the forefront of those using this technique, before ordinary users become better equipped to distinguish between communicating with a real person and a computer-generated one.

We expect to see more examples of malware utilizing variants of this technique in the future.