The gang behind the Koobface worm has been hard at work in releasing the next iteration of their worm. We’ve already identified over 60 active domains spreading the content through the usual method of posting a message linking to a “CooooL Video” on Facebook.

Sample malspam:

Koobface Link

After clicking the link, the victims are automatically redirected to a Koobface controlled server, which then routes the them off to a fake codec site specifically designed for the social network they came from.

Fake codec site:

The Koobface gang uses the same old “Flash Player upgrade required” tactic to trick users into opening the executable, which then ultimately transforms their machine into a distribution point for the infection to further propagate.

Koobface Site

Koobface connection log:

Koobface connection log

On infection, the Koobface worm immediately attempts to download three additional exectuable files.

Koobface on infection

After turning the victims computer into its next distribution point, it also attempts to monetize by installing “Total Security” Rogueware.