New Koobface worm duping Facebook users

Written by John P Mello Jr on December 17, 2009
New Koobface variant exploits holiday spirit.

Malware miscreants have traded their black hats for Santa hats with their latest escapade targeting the 350 million member Facebook community.

Security experts have spotted a new variation of the Koobface worm that gives its prior social engineering techniques a holiday twist to lure Facebook users into its wicked web.

The new variant, Koobface.GK, posts a link to a Christmas video on the message wall of a Facebook user. When a social networker clicks the link, he or she is taken to a bogus video player. Clicking the play button on the spurious application produces no video, but it does download the worm to the clicker’s computer.

The malware then produces a captcha screen that threatens to shut down the user’s computer if the captcha form isn’t filled out within three minutes. When the captcha form is filled out, the shutdown message appears again. Each time the form is filled in, a new domain is registered where infected files will be hosted. In that way, the worm propagates itself.

If a target decides not to act within three minutes, nothing will happen. However, his or her computer will become unresponsive. According to White Hats, a clean install of Windows isn’t needed to recover control of a computer infected with the worm. Presumably, the problem could be eliminated by pulling the power plug on the machine and rebooting into a state where a virus scan could be conducted on the computer or the box could be restored to a point before it was infected.

This latest Koobface attack shouldn’t surprise anyone, as Christmas has always been a prime time for Internet bandits. The Zafi.D worm, for example, was introduced in 2002 and is still making the holiday rounds, clandestinely opening ports on computers and downloading malware. Other Christmas surprise packages include MerryXA, which contained a malicious attachment that installed a keystroke logger designed to steal personal information from its victims, and the Navidad family of worms, also distributed through email.

To avoid infection from the likes of Koobface, Malware fighters are cautioning computer users not to click on links from dubious sources. There’s a problem with that advice, though, when it’s applied to social networks. When something is posted to a Facebook wall or message arrives under the guise of a message from Facebook, it may very well appear to originate from a trusted source.

Another precaution recommended by security experts is to eyeball the link to determine its validity. For example, if a Facebook URL contains a .ru domain, it might not be on the level. On the other hand, links can be hidden behind plain-English labels or, worse, be in a shortened format that’s inscrutable to the eyeball test. If the short URL appears in Firefox, there are tools that will expand the Web address or preview the link without clicking it.
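The eyeball test above can be partly automated. The Python helper below is an added example, not code from the original article or from any Koobface analysis: it flags links that trade on the Facebook name while their registrable domain is somewhere else (the .ru case), links hidden behind a shortener, and visible link text that disagrees with the real target; preview_short_url asks the shortener for its redirect target with a single HEAD request rather than visiting the destination. The shortener list, the brand/domain pair and the sample links are assumptions.

```python
import http.client
import re
from urllib.parse import urlparse

# Constructed list of public URL shorteners; extend it for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "is.gd", "goo.gl", "ow.ly"}
BRAND, BRAND_DOMAIN = "facebook", "facebook.com"  # assumption: the one legitimate domain
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
# Constructed samples shaped like the lures described in the article.
SAMPLE_LINKS = [("http://www.facebook.com.example.ru/xmas/video", "Christmas video"),
                ("http://bit.ly/abc123", "www.facebook.com/video.php")]

def registrable_domain(host: str) -> str:
    """Last two DNS labels. Naive: no public-suffix list, so co.uk-style suffixes are not handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def _host_of(text: str) -> str:
    """Lower-cased hostname from a URL or bare host; '' when none can be parsed."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def inspect_link(href: str, label: str = "") -> list:
    """Warnings a reader should see before clicking href; label is the visible link text."""
    host = _host_of(href)
    if not host:
        return ["no hostname could be parsed from the link"]
    domain, warnings = registrable_domain(host), []
    if domain in SHORTENERS:
        warnings.append("shortened URL: destination is hidden, preview it first")
    if BRAND in href.lower() and domain != BRAND_DOMAIN:
        warnings.append(f"'{BRAND}' appears in the link but it points at {domain}")
    label_host = _host_of(label.strip()) if URLISH.match(label.strip()) else ""
    if label_host and registrable_domain(label_host) != domain:
        warnings.append(f"link text shows {label_host} but the link goes to {host}")
    return warnings

def preview_short_url(url: str, timeout: float = 5.0) -> str:
    """Where a shortener redirects, learned from one HEAD request to the shortener only;
    the redirect is not followed. Network call, so not exercised by the offline checks."""
    p = urlparse(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + (f"?{p.query}" if p.query else ""))
        return conn.getresponse().getheader("Location") or ""
    finally:
        conn.close()
```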

Of course, it’s also a good idea to be very careful when you’re solicited online to download software.

Koobface surfaced this summer working the video angle on Twitter users. “Tweets” were sent to members of that network containing the message “My Home Video” and a link. It also tricked Facebook users by creating some very convincing facsimiles of that social network’s service pages. As word spread about the worm, it began adopting subterfuge to avoid detection. It started altering its payloads, automatically inserting into them text like Ha-Ha-Ha, WOW, LOL and OMFG, and it commenced using short URLs.

In response to the newfound interest by cyber criminals in their services, Twitter and Facebook have made efforts in recent weeks to tighten up their security, but their efforts aren’t moving fast enough for some concerned netizens. A group of Swedish students hijacked hundreds of Facebook groups last month to expose just how insecure the service is. The posse, calling itself Control Your Info, exploited a design flaw in the social network to conduct its shenanigans. It seems that if an administrator leaves a Facebook group, anyone in the group can assume the throne. Control Your Info members joined groups without administrators and announced the takeover to their members in a message.

“Hello,” the message began, “we hereby announce that we have officially hijacked your Facebook group.”

“This means we control a certain part of the information about you on Facebook,” the message continued. “If we wanted we could make you appear in a bad way which could damage your image severly [sic].”
