~ by Rick Ferguson

I just received a Facebook message from a friend; it was a pretty standard one that is beginning to look familiar to a lot of us I am sure.

Figure 1. Fake Facebook Message

What surprised me though, was the page that the link led to. On the face of it is a very familiar looking spoofed version of YouTube, complete with bogus comments from “viewers”.

Figure 2. Fake YouTube website

Take a second look though, the link had taken me to a site supposedly hosting a video posted by the same person that I had received the Facebook message from. In fact not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile. A very neat little piece of social engineering.

Clicking the Install button redirects to a download site for the file setup.exe which is the new Koobface variant detected as WORM_KOOBFACE.AZ. It is hosted on an IP address in another part of the world, and in the last hour, we’ve seen 300+ different unique IP addresses hosting setup.exe and we’re expecting more. All seen IP addresses hosting the said malicious file are now detected as HTML_KOOBFACE.BA.

Analysis by our engineers reveal that WORM_KOOBFACE.AZ propagates through other social networking sites as well. It first searches for cookies created by the following sites:

• facebook.com
• hi5.com
• friendster.com
• myyearbook.com
• myspace.com
• bebo.com
• tagged.com
• netlog.com
• fubar.com
• livejournal.com

The worm connects to a respective site using login credentials stored in the gathered cookies. It then searches for an infected user’s friends, who are then sent messages containing a link where a copy of the worm is downloaded. It also sends and receives information from an infected machine by connecting to several servers. This allows hackers to execute commands on the affected machine.

Users of the Trend Micro Smart Protection Network are protected from this threat, as both URL and malicious file are blocked and detected, respectively. Other users are advised to ignore such messages, and refrain from clicking links in unsolicited messages, even out of curiosity.

A friend of mine forwarded this to me via email the other day.  I normally don’t forward emails unless they are useful and more importantly, legit.  I verified this myself and was shocked when I learned how long this has been circulating since I never heard about it.  The use of bump keys initially was intended for licensed locksmiths but the technique has reached the internet and we all know what that means – global circulation in a matter of days. 

You can avoid being a victim of a bump key burglar by having a security system installed and also installing security locks that have disc tumblers instead of pin tumblers.  You can find them at your local locksmith or specialty home security retailer. I found a few websites that are spreading the word as well:

• Pickbuster
• Ban The Bump Key
• Anitbump Locks

Please forward this post to all of your family, friends and other people that you care about.  Imagine if this tool was used by more than just your clever burglar, what if rapists and pedafiles started using this?  I am a father of a 7 month old so this was a huge concern for me.  I only hope this reaches everyone before something happens.