New Koobface variant in the wild

Written by John P Mello Jr on September 23, 2009
A phony Windows alert is used to defeat CAPTCHA.

A new variant of one of the Internet’s most widespread pieces of malware, Koobface, has surfaced in the wild, according to academic security researchers. In this latest twist on a familiar theme, the worm’s authors have added new ways to siphon cash into their coffers through click fraud and scareware.

Researchers at the University of Alabama at Birmingham discovered the variant during their continuing study of the worm, which targets members of social networking and blogging sites. Koobface first appeared in 2008 and has since infected an estimated 2.9 million machines.

As is typical with this kind of scheme, it starts with spam. Unlike the cookie-cutter junk sprayed across the Net into inboxes, a Koobface pitch bears a devious similarity to a genuine message from a Facebook friend. One of the subject lines identified by White Hats is, “Wow! Are you realy in this video?” Because the message carries the name of a Facebook friend, the recipient’s inclination is to click the link in its body. A close look at the link, though, shows that it contains a colon beyond the one in the leading http://. A colon there usually means either a non-standard port or a second Web address embedded in the link, to which the visitor will be redirected. Genuine Facebook links don’t do that.
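The article’s “second colon” rule, as an added example that is not part of the original post. The script below generalizes it to the checks a mail filter or a cautious user would apply to a link that claims to be a Facebook video: the host must really be facebook.com, there must be no userinfo-before-‘@’ spoof, no explicit port, and no second URL (even percent-encoded) embedded after the host. The trusted-host list and the sample links are assumptions constructed for the demonstration; none of them are real Koobface addresses.

```python
"""Heuristic check for links that claim to be Facebook but are not.

Added example, not code from the original article. It generalizes the
article's rule that a colon after the leading http:// marks a bad link:
such a colon is either an explicit port or the scheme separator of a
second, embedded URL (a redirect target). The host allowlist and the
sample links are assumptions constructed for this demonstration.
"""
from urllib.parse import urlsplit, unquote

# Assumption: the only hosts a genuine Facebook link should point at.
TRUSTED_HOSTS = {"facebook.com", "www.facebook.com"}


def _host_is_trusted(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host in TRUSTED_HOSTS or host.endswith(".facebook.com")


def suspicious_link_reasons(url: str) -> list:
    """Return the reasons a link looks like a lure; an empty list means clean."""
    reasons = []
    parts = urlsplit(url.strip())

    if parts.scheme.lower() not in ("http", "https"):
        reasons.append("scheme is not http/https")

    host = parts.hostname or ""
    if not _host_is_trusted(host):
        reasons.append(f"host {host!r} is not facebook.com")

    # Anything before '@' in the authority is userinfo, not the host. Lures
    # put 'www.facebook.com' there so the link *starts* with a familiar name.
    if parts.username is not None:
        reasons.append(f"userinfo '@' trick: real host is {host!r}")

    # urlsplit().port raises ValueError when the port text is not numeric.
    try:
        if parts.port is not None:
            reasons.append(f"explicit port {parts.port}")
    except ValueError:
        reasons.append("malformed port")

    # A second scheme separator after the leading one (possibly %-encoded,
    # hence the unquote) means the link carries another URL to redirect to.
    tail = url.split("://", 1)[1] if "://" in url else url
    if "://" in unquote(tail):
        reasons.append("embedded URL (redirect target) after the host")

    return reasons


def is_suspicious(url: str) -> bool:
    return bool(suspicious_link_reasons(url))


# Constructed sample links; the first is the only one that is clean.
SAMPLE_LINKS = [
    "http://www.facebook.com/video/video.php?v=1234567890",
    "http://www.facebook.com.example.net:8080/video.php",
    "http://example.net/video.php?next=http%3A%2F%2Fwww.facebook.com%2F",
    "http://www.facebook.com@198.51.100.7/video.php",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = "SUSPICIOUS" if is_suspicious(link) else "ok"
        print(f"{verdict:10} {link}")
        for reason in suspicious_link_reasons(link):
            print(f"           - {reason}")
```

The check is deliberately a parser-based allowlist rather than a substring search for “facebook.com”: the third and fourth samples both contain that string and both are lures, which is exactly why the article tells readers to look at where the colons are rather than at the familiar name.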

In addition to suckering innocents through email, the worm will also post its poison link to a Facebook user’s wall with a comment such as, “Look at this video I caught of you!”

Clicking the link sends the target to a bogus but visually authentic Facebook page. To calm any anxiety a guppy may feel on arrival, the page displays not only the friend’s name but also the friend’s picture, clipped from their Facebook profile. Once the target is connected to the page, a number of things can happen.

  • A message may pop up saying a new version of Adobe Flash is needed to view the video, with a download button. Clicking the button downloads the malware, a file named setup.exe that runs on Windows 98, ME, NT, 2000, XP and Server 2003.
  • A message may pop up saying the computer is infected with a virus, with a download button for anti-virus software. Clicking the button downloads the same malware.
    When the messages pop up, a target may get cold feet and decide to bolt. In some versions of the malware, though, it’s already too late: merely connecting to the infectious page is enough, and the program installs itself without any click.

After infecting a machine, the worm uses it for a range of villainous activities.

It monitors browsing activity. When the victim logs in to a social networking site, it captures the login and uses it to send spam carrying malicious URLs to the victim’s friends.

Some variants also scan the cookies stored on the machine for logins to sites such as MySpace, Hi5 Networks, MyYearbook and Bebo, and use those logins to enter the sites. Once inside, the worm harvests the user’s friend list and sends it in an HTTP POST to a criminal server, which then dispatches spam to the friends.

It also attempts to create phony accounts at sites such as Twitter, Facebook and Blogspot. That requires a bit of clever manipulation.

These days most websites guard against automated sign-ups with CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). It shows a graphic of distorted letters and asks the person at the keyboard to type them into a form. Automated systems such as spambots are not supposed to be able to read the letters, while human eyes, in theory, can. Sometimes the letters are so distorted that not even a human can make them out.

When Koobface encounters a CAPTCHA challenge, it uses social engineering to bypass it. The malware displays a pop-up on the infected machine that looks like a genuine Windows system alert. The alert contains the CAPTCHA graphic fetched from the site where the worm wants to open an account, with the instructions, “Enter both words below, separated by a space.” To make the target act quickly, a countdown timer below the graphic carries the warning, “Time before shutdown.” The user, fearing an involuntary interruption of their work, quickly types in the letters. The malware takes what was typed, fills in the CAPTCHA form at the target site and sets up the new account, with the user none the wiser about what happened behind the scenes. The CAPTCHA did its job in the narrow sense, a human really did solve it; what it cannot tell is that the human was an unwitting victim solving it on the attacker’s behalf.

In addition to stealing personal information from infected users, the malware has some cash-grab components.

It pops up a scare screen telling the user that the machine is infected and that they should immediately buy anti-virus software to cure the problem. The software is phony: not only does the sale collect cash, it also captures the user’s credit card number.

The worm also hijacks Google search results to facilitate click fraud. When the user performs a search, the results page looks genuine, but the result links are rewritten to lead to Web sites that pay for referred traffic, so every click earns the worm’s operators a commission.

Koobface has been very successful, so its operators will no doubt continue to introduce new variants.
