What exactly is "koobworm" ???

Virus Guy

Google searches for koobworm are only turning up media reports that
implicate facebook and/or twitter.

When I look for "koobworm code analysis" or other variants I find
nothing.

Not even any hits from AV sites.

What exactly is koobworm? What alternate names does it have?

What exploit does it leverage?

Is there any posted code analysis for it?
 
David H. Lipman

From: "Virus Guy" <[email protected]>

| Google searches for koobworm are only turning up media reports that
| implicate facebook and/or twitter.

| When I look for "koobworm code analysis" or other variants I find
| nothing.

| Not even any hits from AV sites.

| What exactly is koobworm? What alternate names does it have?

| What exploit does it leverage?

| Is there any posted code analysis for it?

It isn't koobworm per se it is Koobface or facebook kind of backwards. It is a worm
affecting facebook users.
 
Virus Guy

David H. Lipman said:
| | When I look for "koobworm code analysis" or other variants I find
| | nothing.

| | Is there any posted code analysis for it?

| It isn't koobworm per se it is Koobface or facebook kind of backwards.
| It is a worm affecting facebook users.

What windows vulnerability is used to get it onto the typical system?

Or is it a pure social-engineering trick -> ie "click on this and then
say yes to run it" ?
 
lifetweaker

lifetweaker had written this in response to
http://www.secure-gear.com/antivirus/Re-What-exactly-is-koobworm-31686-.htm
:


-------------------------------------
David H. Lipman wrote:

| | Google searches for koobworm are only turning up media reports that
| | implicate facebook and/or twitter.
| | When I look for "koobworm code analysis" or other variants I find
| | nothing.
| | Not even any hits from AV sites.
| | What exactly is koobworm? What alternate names does it have?
| | What exploit does it leverage?
| | Is there any posted code analysis for it?
| It isn't koobworm per se it is Koobface or facebook kind of backwards.
| It is a worm affecting facebook users.


David, Koobface doesn't only infect facebook users; but infects users of
myspace and twitter also. It's more like a social networking worm.

As for how it enters the system: Koobface asks the victim to install a
piece of software; once installed, koobface hijacks the victim's system,
stealing valuable information; at the same time koobface hijacks the
victim's "social networking" account.
 
David H. Lipman

From: "lifetweaker" <[email protected]>

| lifetweaker had written this in response to
| http://www.secure-gear.com/antivirus/Re-What-exactly-is-koobworm-31686-.htm

| -------------------------------------
| David H. Lipman wrote:

| David, Koobface doesn't only infect facebook users; but infects users of
| myspace and twitter also. It's more like a social networking worm.

| As for how it enters the system: Koobface asks the victim to install a
| piece of software; once installed, koobface hijacks the victim's system,
| stealing valuable information; at the same time koobface hijacks the
| victim's "social networking" account.



Yes.... That's right.
 
David H. Lipman

From: "Virus Guy" <[email protected]>


| What windows vulnerability is used to get it onto the typical system?

| Or is it a pure social-engineering trick -> ie "click on this and then
| say yes to run it" ?

Social Engineering -- the human exploit.
 
Virus Guy

David H. Lipman said:
| | What windows vulnerability is used to get it onto the typical
| | system?

| | Or is it a pure social-engineering trick -> ie "click on this
| | and then say yes to run it" ?

| Social Engineering -- the human exploit.

Ok, so it doesn't rely on any OS or browser vulnerability.

Has there been any code analysis for it?

I assume that it is served up by a server that detects the victim's OS
via browser identifier string. What platforms is it known to deliver a
platform-specific version?

Does it serve up (or will it function properly) on a win-9x/me system?
 
David H. Lipman

From: "Virus Guy" <[email protected]>


| Ok, so it doesn't rely on any OS or browser vulnerability.

| Has there been any code analysis for it?

| I assume that it is served up by a server that detects the victim's OS
| via browser identifier string. What platforms is it known to deliver a
| platform-specific version?

| Does it serve up (or will it function properly) on a win-9x/me system?

I haven't analyzed a koobface in a couple of months. I don't have an answer :-(
 
Virus Guy

David H. Lipman said:
| I haven't analyzed a koobface in a couple of months.

Is it really a worm?

If it gets onto systems by having users unwittingly download and then
answer "yes" to install/run it, then how can it be a worm?

If, once installed, it performs "worm-like" activities to spread itself
to other systems, then it must be trying to leverage some system-level
vulnerability -> which was stated earlier in this thread that it does
not do.

Some are calling it a worm. Are they correct?
 
jen

Virus Guy said:
| Ok, so it doesn't rely on any OS or browser vulnerability.

| Has there been any code analysis for it?

| I assume that it is served up by a server that detects the victim's OS
| via browser identifier string. What platforms is it known to deliver a
| platform-specific version?

| Does it serve up (or will it function properly) on a win-9x/me system?

Koobface Tweets:
http://blog.trendmicro.com/koobface-tweets/

-jen
 
Virus Guy

My understanding of a (computer) worm is that it's a program (code, etc)
that can place a copy of itself on another system (at least in such a
way so that it will be executed at some point) without requiring human
intervention.

Koob (or koobface) does not meet that definition of a worm.

All it seems to do (once it starts running on a given system) is to post
a munged or obfuscated URL link in a public/visible forum. The web
server behind the link serves up a copy of koob in a socially engineered
context that compels the user to willingly run the downloaded file.

It seems incorrect for various AV forums and entities to identify
koob/koobface as a worm.

It's not a worm, and it's not a virus. It's really just a trojan.

I still want to know if it runs correctly on win-9x/me.
 
FromTheRafters

Virus Guy said:
| Is it really a worm?

| If it gets onto systems by having users unwittingly download and then
| answer "yes" to install/run it, then how can it be a worm?

| If, once installed, it performs "worm-like" activities to spread itself
| to other systems, then it must be trying to leverage some system-level
| vulnerability -> which was stated earlier in this thread that it does
| not do.

| Some are calling it a worm. Are they correct?

Clickworm not autoworm. Even friendgreet was called a worm - and *it*
even had a disclosure in the EULA.
 
David H. Lipman

From: "Virus Guy" <[email protected]>

| My understanding of a (computer) worm is that it's a program (code, etc)
| that can place a copy of itself on another system (at least in such a
| way so that it will be executed at some point) without requiring human
| intervention.

| Koob (or koobface) does not meet that definition of a worm.

| All it seems to do (once it starts running on a given system) is to post
| a munged or obfuscated URL link in a public/visible forum. The web
| server behind the link serves up a copy of koob in a socially engineered
| context that compels the user to willingly run the downloaded file.

| It seems incorrect for various AV forums and entities to identify
| koob/koobface as a worm.

| It's not a worm, and it's not a virus. It's really just a trojan.

| I still want to know if it runs correctly on win-9x/me.


Contacted a "friend".

Yes, Win9x/ME is affected by Koobface.

The Koobface attempts to spread via the generation of "spam" messages from an infected
user's MySpace and/or Facebook account to their respective contact list. Inside the
spammed message is a malicious link to a location on a malicious web site. If the spam
recipient engages the malicious link, a Koobface variant will be downloaded.
 
FromTheRafters

Virus Guy said:
| My understanding of a (computer) worm is that it's a program (code, etc)
| that can place a copy of itself on another system (at least in such a
| way so that it will be executed at some point) without requiring human
| intervention.

Automatic network worms fit this description. Worms spread to "devices"
sometimes as well.

| Koob (or koobface) does not meet that definition of a worm.

Correct.

| All it seems to do (once it starts running on a given system) is to post
| a munged or obfuscated URL link in a public/visible forum. The web
| server behind the link serves up a copy of koob in a socially engineered
| context that compels the user to willingly run the downloaded file.

I call these "clickworms" - but I'm probably the only one.

| It seems incorrect for various AV forums and entities to identify
| koob/koobface as a worm.

It (sorta) self-replicates but does not infect - so they call it a worm.

| It's not a worm, and it's not a virus. It's really just a trojan.

Yes, but since (self?) replication (spreading) is involved, and trojans
don't (self?) replicate, it is called a worm.

| I still want to know if it runs correctly on win-9x/me.

I don't know, and if I did you would not believe me when I told you.
 
Virus Guy

FromTheRafters said:
| It (sorta) self-replicates but does not infect - so they call it
| a worm.

But it _doesn't_ replicate.

It doesn't manage to place a copy of itself on another system in a
totally autonomous way.

It's basically a spam engine. It sends URL's via e-mail to the local
contact list or it posts URL's using the local credentials or identity
to social networks or forums.

Can anyone here explain if a computer worm is supposed to be able to do
its work without human intervention?

Does the transmission or posting of a URL qualify as a worm propagation
method?

The fact is that Koob doesn't have control over what is at the other end
of the URL that it's advertising. The payload that is served up might
be quite different. Isn't another characteristic of a worm that
what ends up on the target machine is an exact duplicate of what's on
the source machine?

| Yes, but since (self?) replication (spreading) is involved,

But there is no self-replication happening!

| and trojans don't (self?) replicate, it is called a worm.

A trojan can examine the local address list of the machine it happens to
find itself on, and then e-mail itself as an attachment to recipients on
that list. That is a more "worm-like" behavior than what koob seems to
do. Human involvement is still required on the recipient end to launch
the attachment.

| I don't know, and if I did you would not believe me when
| I told you.

I would believe a web or net-published authoritative explanation or
answer.
 
Virus Guy

David H. Lipman said:
| | I still want to know if it runs correctly on win-9x/me.

| Contacted a "friend".

| Yes, Win9x/ME is affected by Koobface.

Is there a reason why such information would be (or is) not published
anywhere?
 
Virus Guy

David H. Lipman said:
| | Is there a reason why such information would be (or is) not
| | published anywhere?

| It is. You didn't look.

I did.

I did not find any credible statement saying that win-9x/me was
compatible with the koobface app that is (or has been) circulating.

So you resorted to a back-channel inquiry.

Apparently you couldn't find anything either eh?
 
FromTheRafters

Virus Guy said:
| But it _doesn't_ replicate.

Yes, it does.

| It doesn't manage to place a copy of itself on another system in a
| totally autonomous way.

Correct, but it does copy itself (or has itself copied) and as such it
does "replicate".

| It's basically a spam engine. It sends URL's via e-mail to the local
| contact list or it posts URL's using the local credentials or identity
| to social networks or forums.

The fact of replication is separate from the method of replication. The
fact of replication makes it a worm or virus. The lack of attaching the
replicant to host code is what makes it a worm rather than a virus.

Unless you are one that views the virus as a superset of worms (all
worms are viruses but not vice versa).

| Can anyone here explain if a computer worm is supposed to be able to do
| its work without human intervention?

By some definitions, all worms are automatic worms (no user input
required).
By some definitions, worms don't have to replicate (they need only
exploit vulnerable software).

| Does the transmission or posting of a URL qualify as a worm propagation
| method?

Yes, in fact the mere placing of a replicant in a shared directory
(Kazaa worms) can have the same end result - and that which behaves as a
worm is a worm.

http://antivirus.about.com/library/weekly/aa052002a.htm

True, it is simply a trojan when encountered - when executed it
replicates and becomes many more trojans for the next encounter(s).
Trojans are considered non-replicating malware, so this is a worm (no
host program "infection" so not a virus - unless as above...).

| The fact is that Koob doesn't have control over what is at the other end
| of the URL that it's advertising. The payload that is served up might
| be quite different. Isn't another characteristic of a worm that
| what ends up on the target machine is an exact duplicate of what's on
| the source machine?

Different segments of an overall program can be running on different
machines and together constitute a worm program. Besides, with
polymorphism "exact duplicates" are not common. More like a set of
programs that exhibit the same or similar functional behavior despite
the differences in the exact methods used to attain those results.

Yes, but I recall reading somewhere where Fred Cohen described his virus
as "an interesting trojan". These days, once replication is part of the
behavior, it is no longer termed a trojan.

| But there is no self-replication happening!

http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-4958-99&tabid=2

| A trojan can examine the local address list of the machine it happens to
| find itself on, and then e-mail itself as an attachment to recipients on
| that list.

....and a "copy" is made to attach to each e-mail - and the process is
instigated by the malware itself.

| That is a more "worm-like" behavior than what koob seems to
| do. Human involvement is still required on the recipient end to launch
| the attachment.

Clickworm.

| I would believe a web or net-published authoritative explanation or
| answer.

If it looks in the wrong places for security cookies, I suppose it
wouldn't work. The rest of the needed environment seems to be there.
 
Virus Guy

FromTheRafters said:
| Yes, it does.

No.

It does not place a copy of itself on the server that it advertises via
its spam links or postings.

It does not place a copy of itself on the destination PC.

It _wants_ for a copy of itself to end up on other PC's (as does all
malware) but it no more puts that copy there than the typical trojan
does for itself.

| Correct, but it does copy itself (or has itself copied) and as
| such it does "replicate".

No. Whoever controls the spamvertised server has put a copy of Koob on
that server. When a new PC becomes infected, that copy came from a
server - not some other infected PC.

A worm does not require the use of a third PC when spreading from
machine 1 to machine 2.

| The fact of replication is separate from the method of
| replication.

Worms are not served. Trojans are served. Koob is a trojan.

| The fact of replication makes it a worm or virus.

Explain how I can have any form of malware end up on my PC _without_
replication.

Your use of the concept of "replication" is strange in this context.

| The lack of attaching the replicant to host code is what
| makes it a worm rather than a virus.

The requirement for it to need a server to spread makes it a trojan and
not a worm.

| Unless you are one that views the virus as a superset of worms
| (all worms are viruses but not vice versa).

From what I can tell, there is no clear definition of virus that
sufficiently or clearly delineates it from either trojan or worm.

Only trojans and worms appear to have a few clear distinctions in terms
of how they spread and the level of operator intervention required. In
that regard, a true worm can spread from PC-1 to PC-2 without the aid of
a third PC to act as a server and without the need for human activity or
action. Koob is not such a worm.

| Yes, in fact the mere placing of a replicant in a shared
| directory (Kazaa worms) can have the same end result -

I asked if transmitting or posting a URL qualifies as a worm
transmission method. You said yes, and then you immediately went on to
describe file copying to shared directories. The two are hardly the
same phenomena. So you'd better come up with a better answer because
that one didn't work.

| Trojans are considered non-replicating malware, so this is a
| worm (no host program "infection" so not a virus - unless as
| above...).

Koob does not replicate itself. It tricks people into downloading more
copies of itself from a server. Koob requires a functioning server with
known coordinates in order to spread. A true worm seeks out on its own
the next destination PC and directly transmits a copy of itself to that
PC. Koob does not do this.

Why are you so insistent on making a case that koob is a worm, to the
extent of stretching the definition of what a worm is?

| Different segments of an overall program can be running
| on different machines and together constitute a worm
| program.

Your answer was as clear as mud. Please reformulate and restate your
response to that question.

| Besides, with polymorphism "exact duplicates" are not
| common.

Worms don't need polymorphism if they are leveraging an exploit that
successfully allows themselves to spread from one PC to the next without
human intervention.
 
