Christmas-themed social engineering for nefarious purposes comes as no surprise this time of year. But the cybercriminals responsible for the latest Koobface variant have come up with a new slant that demonstrates how clever they have become at blending and scaling up tried-and-true attack techniques.

This particular variant of the Koobface worm, dubbed Koobface.GK, begins by posting malicious links on Facebook wall pages that entice users to click on a cutesy Christmas video.

Attempting to play the video turns control of the PC over to the attacker, says PandaLabs researcher Sean-Paul Correll. The victim next sees a warning message styled as a Windows alert, demanding that a CAPTCHA puzzle be solved within three minutes.

If you see this screen, you must solve the puzzle to regain control of your PC. A timer ticks down; if the puzzle is still unsolved after three minutes, the PC freezes up. Rebooting won't help, as the CAPTCHA puzzle simply reappears. The only way out of the loop is to solve the CAPTCHA. The victim can then use the machine as normal, but the attacker still has control.

While this ruse is unfolding, the worm separately uses the victim's machine to fill out a new Facebook account application, unseen by the victim. The CAPTCHA forced on the victim is the one that application must pass: solving it is the final step in creating the new account. That account is then used to post more tainted Christmas links, and the cycle repeats.
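The relay loop described above, modelled as an added example (this is illustration code, not Koobface code and not anything from PandaLabs). It assumes a signup service that issues a single-use CAPTCHA bound to the address that opened the signup and valid for a limited time; the 180-second countdown is the article's three minutes, and the service-side lifetime matching it is an assumption of the model. The victim host address 10.0.0.7, the arithmetic "CAPTCHA" and the bait text are constructed so the code runs offline.

```python
"""Toy model of the CAPTCHA relay loop used by the worm.

Added illustration, not Koobface code. Everything is constructed: a fake signup
service that issues arithmetic "CAPTCHAs", a worm object running on the victim's PC,
and a function standing in for the person typing the answer. No network, no real service.
"""
import random
import re
import secrets
from dataclasses import dataclass


@dataclass
class Challenge:
    token: str
    prompt: str
    answer: str
    client_addr: str    # address the signup session was opened from
    issued_at: float


class RegistrationService:
    """Stand-in for a social network's signup endpoint (constructed for this example)."""

    def __init__(self, clock, ttl_seconds=180, rng=None):
        self.clock = clock          # callable returning the current time in seconds
        self.ttl = ttl_seconds      # how long an issued CAPTCHA stays valid (assumption)
        self.rng = rng or random.Random()
        self.pending = {}           # token -> Challenge
        self.accounts = []          # (account_id, address the CAPTCHA was solved from)

    def begin_signup(self, client_addr):
        a, b = self.rng.randint(1, 9), self.rng.randint(1, 9)
        ch = Challenge(secrets.token_hex(8), f"What is {a} + {b}?", str(a + b),
                       client_addr, self.clock())
        self.pending[ch.token] = ch
        return ch

    def complete_signup(self, token, answer, client_addr):
        """Returns the new account id, or None if the CAPTCHA is unknown, stale,
        answered from a different address, or simply wrong."""
        ch = self.pending.get(token)
        if ch is None:
            return None
        if self.clock() - ch.issued_at > self.ttl:
            del self.pending[token]         # stale: the worm will have to ask again
            return None
        if client_addr != ch.client_addr or answer.strip() != ch.answer:
            return None
        del self.pending[token]             # single use
        account_id = f"acct-{len(self.accounts) + 1}"
        self.accounts.append((account_id, client_addr))
        return account_id


class RelayWorm:
    """Models the infected PC: opens a signup as itself, wraps the real CAPTCHA in a
    fake system warning with a countdown, and forwards whatever the local user types."""

    def __init__(self, service, host_addr, deadline_seconds=180):
        self.svc = service
        self.host = host_addr           # the worm and the victim share one address
        self.deadline = deadline_seconds
        self.posts = []                 # (account used, bait text) for the next wall posts

    def lock_screen(self, prompt):
        return ("Windows Security Warning: verification required.\n"
                f"Solve within {self.deadline} seconds or this computer will be locked.\n"
                f"{prompt}")

    def run_cycle(self, victim, max_rounds=5):
        """One propagation cycle. `victim` is a callable(screen) -> typed answer or None.
        An ignored or stale prompt is simply re-issued (the 'reboot does not help' loop);
        the cycle ends only when the service accepts an answer."""
        for _ in range(max_rounds):
            ch = self.svc.begin_signup(self.host)
            typed = victim(self.lock_screen(ch.prompt))
            if typed is None:
                continue
            acct = self.svc.complete_signup(ch.token, typed, self.host)
            if acct is not None:
                self.posts.append((acct, "cute Christmas video (constructed bait text)"))
                return acct
        return None


def cooperative_victim(screen):
    """The person at the PC: reads the last line and answers it to get the machine back."""
    a, b = map(int, re.findall(r"\d+", screen.splitlines()[-1]))
    return str(a + b)


def run_demo(cycles=3, seed=7):
    """Runs several cycles on one infected host and reports what the service recorded."""
    now = [0.0]
    svc = RegistrationService(clock=lambda: now[0], rng=random.Random(seed))
    worm = RelayWorm(svc, host_addr="10.0.0.7")        # constructed victim address
    created = [worm.run_cycle(cooperative_victim) for _ in range(cycles)]
    return svc.accounts, created, worm.posts
```

What the model makes visible is why the service is in a poor position to intervene: every challenge is both requested from and answered from the same real user's machine, so address binding, freshness and the answer itself all check out, and each accepted answer hands the worm another account to post from.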

Trailblazing new way to create shell accounts

These bad guys have thus pioneered a cheaper, faster way to create shell Facebook accounts for nefarious purposes. It is far more robust than recruiting human CAPTCHA solvers and paying them a few pennies to solve new-account CAPTCHAs in real time, as LastWatchdog disclosed in an earlier investigative story. And it makes it difficult for Facebook to cut the attackers off, since the new accounts are being created from the machines of real, active members, says Correll.

“It’s a completely decentralized way to propagate the worm by way of using the victims’ machines, making the victim solve the CAPTCHA,” says Correll.

Holiday threats are nothing new. Andy Hayter, Anti-Malcode Program Manager at ICSA Labs, notes that CHRISTMA EXEC infected IBM VM/CMS systems back in 1987 by spamming users' contacts with copies of itself, a program that drew a Christmas tree on screen.

“Malware has been present almost every year since then, and exploiting the end-user is as easy now as it was 22 years ago,” says Hayter. “The explosion of social media sites like Facebook, Twitter and MySpace is changing the game. Anyone can register, and users don’t need any prior cyber knowledge to participate.”

Hayter contends that social media sites should include mandatory education on cyber security, cyber safety and cyber ethics to teach the public how to use technology responsibly.

— By Byron Acohido

December 11th, 2009 | Imminent threats