The social-networking site Facebook seems to have become a hot destination for malicious worms and rogue programs or applications. Security firm Trend Micro reported the return of the Koobface worm to Facebook; its researchers said that a new variant of the worm is currently vexing Facebook users.
Rik Ferguson wrote on the Trend Micro blog, “The Koobface worm spreads through a message from a Facebook friend that includes a link to what looks like a video,” and when a user clicks the link, they are redirected to a download site for the file "setup.exe," which is the new variant of Koobface dubbed Worm_Koobface.az.
According to Trend Micro researchers, a user gets a message that appears to come from a friend on the user's contact list. It looks like a spoofed version of a YouTube video. The message carries a link, and once the link is clicked, the user is taken to a site hosting a video which appears to be from the user’s friend; to make it look authentic, the site displays the name and the photo of the user’s friend from his/her Facebook profile. Once the install button is clicked, the user is redirected to a download site for the malicious file setup.exe, which is the Koobface variant known as “Worm.Koobface.Az,” hosted by a foreign IP address. All IP addresses hosting the malicious file have been identified as Html_Koobface.Ba.
In a blog post, the Trend Micro researchers elaborated that the worm connects to a site using its victims’ log-in credentials, which it takes from the cookies it has gathered. It then scans infected users’ friend lists and starts sending messages with links that lead recipients to download the worm inadvertently. Once a system is infected, the worm records keystrokes, steals login and other sensitive information, and passes the pilfered data on to a remote server, which gives the attackers complete access to and control over victims' computers.
In an interview, Jamz Yaneza, a senior threat analyst and researcher at Trend Micro, said, "Previous versions didn't have all these complexities and automation built in. This new variant has a back end doing all the modifications."
Yaneza added, “Once the worm infects a computer it sends cookie information to a remote server, of which there are as many as 300 in the operation. Now you can use a third-party connection via the Facebook API. The cookie information can include unencrypted log-in information, enabling attackers to masquerade as a legitimate Facebook user.”
The Trend Micro researchers reported that they had seen more than 300 unique IP addresses hosting the malicious file, and that they anticipate the number will increase. While Facebook is the primary target, the worm is also targeting users of other social-networking sites, including MySpace, Bebo, Friendster, hi5, MyYearbook, Tagged.com, Netlog, Fubar, and LiveJournal.com.
Facebook was attacked by another rogue app last week. In an e-mail, Rik Ferguson wrote, "It seems that Facebook as an attack platform may be coming of age." The earlier version of Koobface hit Facebook in December.












