Twitter can't catch a break these days. Still reeling from the ongoing denial-of-service attacks that hit late last week (and have yet to let up), the company soon faced yet another threat: the return of Koobface. The Koobface internet worm, a deadly little piece of internet malware which got its start on Facebook, has long since spread to other social networking sites including MySpace, Bebo, and Twitter. But the latest variant - the "new and improved" Koobface - is even more devious than before. And Twitter's recently launched malicious URL filtering feature couldn't put a stop to the worm's spread.
As before, the new variant of Koobface still points users to a fake Twitter page (or a fake Facebook page, if you happened to come across Koobface on the Facebook social network). On the page, users are prompted to download a Flash Player update in order to view a video file. Of course, clicking the link to update Flash actually starts the malware's payload downloading instead. In order to get users to this point to begin with, Koobface sent out tweets reading "My home video :) [URL]."
Recently, Koobface has ramped up its complexity and is sending out unique tweets that have some sort of random component added to the end of the tweet, with strings like "HA-HA-HA!!", "W.O.W.", "WOW", "L.O.L.", "LOL", ";)" or "OMFG!!!".

What's even worse about the latest Koobface variant is that the landing page for the malware attack was also adding a random component to the URL, allowing it to get shortened to a different bit.ly URL each time a message was posted. As of late last week, security firm Kaspersky Lab had identified nearly 100 unique IP addresses hosting the Koobface worm. They've since been able to take the main Koobface site down to stop the current set of attacks, but don't be fooled - there's no doubt that it's only a matter of time before Koobface relaunches with yet another dangerous twist. In fact, that's been par for the course for this piece of malware which has been attacking social networks since July 2008. Taking down one Koobface vector of attack is like playing a game of "whack-a-mole" - you hit one and another pops up to take its place.
One of the main reasons Koobface was able to spread so easily on Twitter was its use of the bit.ly URL shortener, now the default on Twitter. Not only was Koobface varying its URL to ensure a unique bit.ly link each time, but Twitter's new malicious URL filtering system also doesn't protect users against pre-shortened URLs.
As we mentioned before, without a focus on shortened links, Twitter's filtering system is simply not good enough. It's far too easy to use bit.ly's website or a third-party Twitter client to shorten a URL before it ever hits Twitter's web interface to be checked. And naturally, this is precisely what malware writers do. The only malicious URLs Twitter's current system protects us against are those posted by unsuspecting Twitter users themselves. The bad guys certainly know better and Koobface is a perfect example of this.
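The filtering gap described above, sketched as an added example that is not part of the original article or any Twitter or bit.ly code: a filter that expands shortened links before checking them, and a grouping key that ignores the random tweet suffix and random URL component. The redirect table, short codes and blocked host are constructed sample data, and the lookup table stands in for following a real HTTP redirect.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: stand-in for following a shortener's HTTP redirect.
REDIRECTS = {
    "http://bit.ly/aaa111": "http://video-host.example/watch/?r=8f3k2",
    "http://bit.ly/bbb222": "http://video-host.example/watch/?r=q91zx",
    "http://bit.ly/ccc333": "http://news.example/story",
}
BLOCKED_HOSTS = {"video-host.example"}  # hypothetical blocklist entry
SHORTENERS = {"bit.ly"}
# Random trailing strings quoted in the article.
SUFFIXES = ["HA-HA-HA!!", "W.O.W.", "WOW", "L.O.L.", "LOL", ";)", "OMFG!!!"]
SUFFIX_RE = re.compile(r"\s*(?:%s)\s*$" % "|".join(map(re.escape, SUFFIXES)))
URL_RE = re.compile(r"https?://\S+")

def expand(url, max_hops=5):
    """Follow (simulated) redirects until the host is not a shortener."""
    for _ in range(max_hops):
        if urlsplit(url).hostname not in SHORTENERS:
            return url
        url = REDIRECTS.get(url)
        if url is None:
            break
    return None  # unresolvable, or too many hops

def canonical(url):
    """Host and path only: drops the per-post random query component."""
    p = urlsplit(url)
    return (p.hostname or "").lower() + p.path.rstrip("/")

def template(text):
    """Tweet text with links and the random trailing string removed."""
    return SUFFIX_RE.sub("", URL_RE.sub("", text)).strip().lower()

def campaign_key(text):
    """Same key for every post of one campaign despite the random parts."""
    finals = [expand(u) for u in URL_RE.findall(text)]
    return template(text), tuple(sorted(canonical(f) for f in finals if f))

def check_tweet(text):
    """Return 'block', 'hold' (link could not be expanded) or 'allow'."""
    verdict = "allow"
    for raw in URL_RE.findall(text):
        final = expand(raw)
        if final is None:
            verdict = "hold"
        elif urlsplit(final).hostname in BLOCKED_HOSTS:
            return "block"
    return verdict
```

Checking only the link as posted would pass both bit.ly URLs, since neither short link nor its host is on the blocklist; the match happens only after expansion.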
Comments
A bad day for short urls
Posted by: Sanat Gersappa | August 10, 2009 6:38 AM
shouldn't bit.ly be dealing with this more than twitter??
really ... twitter is a total loss of time ...
my sites :
hotel riccione
www.riccionehotels.com
A viral worm is everyone's problem and the web community has to and will work together to fix it. Twitter and Bit.ly need to explain what these malware are and how they are planning to deal with them. Knowing is half the battle (G.I Joe).
people should be informed not to open strange links.. to read and inspect posts carefully.. and so on. i know this kind of helpful stuff is said on the web.. but people neither read.. nor do they pay attention to what they actually read. and i bet most of them don't even have a security software to protect the pc. from my point of view.. i had my fair and share battles with viruses.. and i won, using BitDefender Internet Security 2009. and for three months i haven't had any problems, of any kind. and i'm a social networks fan too..
Twitter should maybe provide its own short url service. This would help have better control over the url. Why will tweeps not use twitter's own short url service?
Whatever. 140 character limits, shortened URLs, blindly downloading executables ... these people deserve whatever they get. Fools, every last one of them.
@Guru, there already seems to be a cross-investor relationship behind twitter and bit.ly
aaaand, the informative link showing why I posted that last comment would be here:
http://www.techcrunch.com/2009/05/06/url-shortening-wars-twitter-ditches-tinyurl-for-bitly/
here is what i dont get, why is it that now, as of like saturday it wasnt just lj fb and twitter that was slow, its the whole net. I wonder what is causing this? And ya would think that by now they coulda toned this dos attack down a boot load by cashing ips? I aint much good at this stuff, but i know there has to be a way. go out and hunt down the main comp of the botnet and crash it or somethin, yeah, i know not that simple, but its not changing the fact that it is so darn frustrating.
I'm not much of a twitter fan but I must admit it's awful to be put down by hackers. This is dangerous for all of us, not only for the twitter users, because hackers have become a threat against the freedom of speech and against the free access to information.
As jamiesmiling said, you should get protection for your computer in order to keep it from becoming a dangerous zombie. I must add, buy your anti-virus solution or get the free version but do not use those provided by hackers on torrents, because those are modified and contain some malware that give the hackers access to your computer!
I am very pleased to read the article in your Blog.
It gives me new knowledge has come very grateful.