Now Koobface creates its own malicious web pages

According to Andrew Brandt, a security researcher with Webroot, the auto-captcha utility has been greatly enhanced, allowing the Koobface worm to check whether an infected user has a Google or Blogspot account.

And if the Koobface worm detects that an infected user does not have an account, the malware will create one automatically, he said.

Koobface is now also capable of creating Google Reader pages on the fly, allowing the worm to create infected web pages which can then be linked from messages and wall postings to infect more people, Brandt added.

In a security blog posting, Brandt said that the Koobface worm-generated Google Reader pages have been floating around for a little while now, but that he had never seen the worm in action - until now.

"What I found fascinating was that I could observe the process of the worm creating a new Google account on my testbed", he said.

"In order to create the Google account, it downloaded and ran four new applications: 'v2googlecheck' simply looks at your browser cookies to determine whether you already have a Google account; 'v2newblogger' creates a new account if one doesn't already exist; 'v2captcha' prompts the user of the infected machine to enter a captcha into a dialog box that looks like a Windows login dialog (in order to complete the account creation); and 'v2reader', which creates the new page, and passes that information to the worm", he added.

Brandt went on to say that, once the Google account is created, the Koobface worm uses the account to generate a new, malicious Google Reader page.

"These worm-generated pages look identical, with the exception of the Google Reader user's name at the top of the page. Each of them appears to be a link to a Google Reader 'shared items' page - files that Google Reader users can post for others to download. In this case, the shared item appears to link to a YouTube video, but the 'video' link is just an animated GIF image", he explained.

According to Brandt, the links the Koobface worm posts point to these Google Reader pages. There is almost no way, he noted, for Facebook to keep up with new pages being created on the fly by the worm, and because this all happens at breakneck speed, the links often remain active for some time.

"As soon as it has created the malicious account, it logs out the user from the spontaneously-created Google account", he said.

Interestingly, Brandt noted that Facebook's account mechanism used to detect when an infected machine attempted to post these kinds of links, and would lock out the account immediately.

With the use of these Google Reader pages, however, the links - and infected accounts - remain active for a much longer time.

"When the user clicks the 'video' link in Google Reader, they're redirected to a different fake-video page. This page looks more familiar, because this trick (and a page with almost the same appearance) has been used for some time by Koobface", he said.

"The 'video' on this second page is just a black box with a small message that says 'This content requires Adobe Flash Player 10.37. Would you like to install it now?' In fact, the entire page is just a single GIF image. Clicking the video on this page - or anywhere on the page, for that matter - brings up a download dialog for a programme called Setup.exe. This programme is yet another Koobface installer", he added.
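Two of the observations above lend themselves to detection on the defender's side: the worm's posts carry links to freshly created Google Reader pages, and the landing page behind the "video" is a single image whose click hands the victim an executable. The Python below is an added example written for this article, not code from Webroot or from Brandt's blog post. It assumes the shape of a Google Reader shared-items URL (the article quotes none), works on constructed sample posts and pages, and flags (a) Reader shared-items links in a wall post or message and (b) a fetched landing page that is essentially one image wired to an .exe download.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Suffixes a fake-video click hands the victim (in Brandt's write-up: Setup.exe).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat")
# Assumed shape of a Google Reader "shared items" URL; the article gives no URL.
READER_SHARED_PATH = "/reader/shared/"
LURE_PHRASES = ("adobe flash player", "install it now")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
EXE_REF_RE = re.compile(r"[\w./:%-]+\.(?:exe|scr|pif|bat)\b", re.IGNORECASE)


def is_executable_url(url):
    """True when the URL path names a Windows executable (judged by suffix only)."""
    return urlparse(url).path.lower().endswith(EXECUTABLE_SUFFIXES)


def is_reader_shared_url(url):
    """True for a link to a Google Reader shared-items page (assumed URL shape)."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    on_google = host == "google.com" or host.endswith(".google.com")
    return on_google and parts.path.startswith(READER_SHARED_PATH)


def flag_post_links(post_text):
    """Return every Google Reader shared-items link in one wall post or message."""
    return [u for u in URL_RE.findall(post_text) if is_reader_shared_url(u)]


class _PageSummary(HTMLParser):
    """Collects the few facts the landing-page heuristic needs from one document."""

    def __init__(self):
        super().__init__()
        self.images = []           # src of every <img>
        self.links = []            # href of every <a>
        self.handler_targets = []  # executable-looking references in click handlers
        self.text = []             # visible text fragments outside <script>/<style>
        self.image_in_exe_link = False
        self._link_stack = []
        self._skip = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._skip = True
        elif tag == "a":
            self.links.append(a.get("href", ""))
            self._link_stack.append(a.get("href", ""))
        elif tag == "img":
            self.images.append(a.get("src", ""))
            if any(is_executable_url(h) for h in self._link_stack):
                self.image_in_exe_link = True
        for name in ("onclick", "onmousedown"):
            self.handler_targets.extend(EXE_REF_RE.findall(a.get(name, "")))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False
        elif tag == "a" and self._link_stack:
            self._link_stack.pop()

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())


def looks_like_fake_video_lure(html):
    """Score one landing page against the pattern Brandt describes.

    Signals: a click delivers an executable, the page is essentially a single
    image, that image is itself the download link, and any visible text is a
    Flash install prompt. Returns (verdict, signals)."""
    page = _PageSummary()
    page.feed(html)
    visible = " ".join(page.text).lower()
    signals = []
    if any(is_executable_url(h) for h in page.links + page.handler_targets):
        signals.append("click delivers an executable")
    if len(page.images) == 1 and len(visible) < 200:
        signals.append("page is essentially a single image")
    if page.image_in_exe_link:
        signals.append("the image itself is the download link")
    if any(p in visible for p in LURE_PHRASES):
        signals.append("Flash Player install prompt in page text")
    # The delivery signal alone is just a download page; demand a structural one too.
    verdict = "click delivers an executable" in signals and len(signals) >= 2
    return verdict, signals


# Constructed sample inputs, not captured from the worm.
LURE_PAGE = """<html><body style="margin:0">
<a href="http://lure.example.invalid/dl/Setup.exe"><img src="video.gif" alt=""></a>
</body></html>"""

DOWNLOAD_PAGE = """<html><body><h1>Download</h1><img src="logo.png">
<p>Our installer is digitally signed. Verify the signature before you run it.
The package contains the runtime, the documentation and the sample projects.
Release notes are published with every build, and older versions remain
available from the archive page.</p>
<a href="/files/Setup.exe">Download Setup.exe (12 MB)</a></body></html>"""

SAMPLE_POSTS = [
    "lol you have to see this http://www.google.com/reader/shared/01234567890123456789",
    "meeting moved to 3pm, agenda at http://wiki.example.invalid/team/agenda",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(flag_post_links(post))
    print(looks_like_fake_video_lure(LURE_PAGE))
    print(looks_like_fake_video_lure(DOWNLOAD_PAGE))
```

Both checks are triage heuristics rather than signatures: a minimal download page consisting of one button image that links to an installer would also trip the second, so treat a hit as a reason to inspect the page or sandbox the download, not as a verdict on its own. The URL check matches the whole family of Reader shared-items links rather than any one page, which is exactly the gap Brandt points to when he says Facebook cannot keep up with pages created on the fly.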

The final result, Brandt went on to say, is that the Koobface worm posts links to the spontaneously created Google Reader page on Facebook, Bebo, Twitter, Hi5 and a number of other networks and services on which Webroot's Threat Research team maintains a linked network of bogus accounts.

"For now, if you see links to Google Reader pages posted in your social network, keep your guard up. And if you see someone in your network posting these links, drop them a line to let them know they might be infected."
