Panda Security Mediacenter

Koobface.DU returns to Twitter

A few days ago the Koobface worm started to appear on Twitter. Today it returns, hijacking several Twitter user accounts to help it propagate. The malicious tweets start with the text “My Home Video :)” followed by a link to one of 20 or so malicious sites.
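The tweet pattern described above lends itself to a simple triage check over a collected set of tweets. The Python below is an added example, not Panda's detection logic: the sample tweets and hosts are constructed, and the tolerance for case, extra spaces and a ":-)" smiley is an assumption rather than something the post reports.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Lure text reported in the post, followed by a link. Accepting case, spacing
# and ":-)" variants is an assumption, not something the post reports.
LURE = re.compile(r"^\s*my\s+home\s+video\s*:-?\)\s*(https?://\S+)", re.IGNORECASE)

def match_lure(text):
    """Return the lowercase link host if the tweet starts with the lure, else None."""
    m = LURE.match(text)
    if not m:
        return None
    host = urlsplit(m.group(1)).hostname
    return host.lower() if host else None

def summarize(tweets):
    """Group lure tweets by posting account and collect the distinct link hosts."""
    by_account = defaultdict(list)
    hosts = set()
    for account, text in tweets:
        host = match_lure(text)
        if host:
            by_account[account].append(host)
            hosts.add(host)
    return dict(by_account), hosts

# Constructed sample data: (account, tweet text). Hosts use the reserved
# .example TLD; none of these are indicators from the post.
SAMPLE = [
    ("alice", "My Home Video :) http://videos.site-a.example/watch?id=1"),
    ("alice", "Lunch was great today"),
    ("bob", "my home video  :-) HTTP://Clips.Site-B.example/x"),
    ("carol", "Anyone seen those 'My Home Video :)' tweets? Don't click."),
    ("bob", "My Home Video :) http://videos.site-a.example/watch?id=2"),
]

if __name__ == "__main__":
    accounts, hosts = summarize(SAMPLE)
    for account, seen in sorted(accounts.items()):
        print(f"{account}: {len(seen)} lure tweet(s) -> {sorted(set(seen))}")
    print("distinct hosts:", sorted(hosts))
```

Anchoring the match at the start of the tweet keeps tweets that merely quote the lure text (the `carol` line) out of the results, and grouping by account surfaces which accounts are posting it.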

Once on the malicious site, the victim is confronted with a fake Flash update. The infection downloads two additional executables from a domain hosted in Belgium and immediately afterwards starts to communicate with Facebook and Twitter.

Fake codec site:

Connections:

After attempting to spread the infection on Facebook and Twitter, the W32/Koobface.DU.worm further capitalizes on its efforts by installing the Adware/InternetAntivirusPro Rogue Antivirus. 

Twitter has responded to the threat quickly and has already made an effort to remove the malicious tweets. We detected around 100 malicious tweets still active at the time of writing.

Visual representation of malicious tweets:
