Koobface remains active on Facebook
Wednesday December 3, 2008 at 1:10 pm CST
Posted by Craig Schmugar
A new variant of Koobface (a worm that spreads over Social Networking sites) was recently making the rounds on Facebook. Users reported receiving spam messages, such as:

When a user follows the link, they are redirected to one of many different compromised hosts, which displays a fake error message claiming that the installed version of Flash is out of date. Next, the user is prompted to download and open flash_player.exe, which is a new Koobface variant.

If the user chooses to install the executable, a fake error message is displayed.

Facebook is already aware of this threat and is purging the spammed links from its system. But with dozens of Koobface variants known to exist, the situation is likely to get worse before it gets better. It’s important to note that spammed links leading to Koobface are likely to come from infected friends, reminiscent of early mass-mailing worms. The safe-computing practice established more than 10 years ago still applies today: do not open any unexpected email attachments, even if they come from someone you know. In this context, however, it must be expanded as follows:
Do not follow any unexpected hyperlinks you receive over the Web, email, or IM, even if they come from someone you know. It’s best to ask the sender to confirm that they intentionally sent such a link.
On the other end of hyperlinks, it’s best to install software and updates from the source (such as adobe.com in this case) rather than trusting content from a third-party website.
The upcoming DAT release contains detection for the new Koobface variant, while users of McAfee Artemis Technology are already protected in real-time against this threat.
As for the motivations behind this Koobface variant, analysis shows that during infection a proxy server is installed to %ProgramFiles%\tinyproxy\tinyproxy.exe and a service named Security Accounts Manager (SamSs) is created to load the server at startup. This component listens on TCP port 9090 and proxies all HTTP traffic, in particular looking for traffic to Google, Yahoo, MSN, and Live.com for the purpose of hijacking search results. Search terms are directed to find-www.net. This enables ad hijacking and click fraud.
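As an added defender-side example (not code from the original post), the following Python script correlates egress log lines to flag clients whose search-engine requests are followed by traffic to find-www.net, the redirect target named above. The log format and the sample lines are constructed for this example, and the 5-second correlation window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the post: the engines whose traffic the proxy watches,
# and the host that search terms are redirected to.
SEARCH_ENGINES = ("google.com", "yahoo.com", "msn.com", "live.com")
HIJACK_HOST = "find-www.net"

# Constructed sample egress log (assumed format): "<iso-time> <client-ip> <host> <path>"
SAMPLE_LOG = """\
2008-12-04T10:00:01 10.0.0.5 www.google.com /search?q=flash+player
2008-12-04T10:00:02 10.0.0.5 find-www.net /?q=flash+player
2008-12-04T10:05:00 10.0.0.7 www.yahoo.com /search?p=weather
2008-12-04T10:05:40 10.0.0.7 news.yahoo.com /
2008-12-04T10:06:10 10.0.0.9 find-www.net /?q=holiday
2008-12-04T10:07:00 10.0.0.9 www.live.com /results.aspx?q=holiday
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def parse_log(text):
    """Parse the constructed log format into (time, client, host, path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, host, path = m.groups()
            events.append((datetime.fromisoformat(ts), client, host.lower(), path))
    return events

def classify_clients(events, window_seconds=5):
    """Return {client_ip: verdict}.
    'hijacked': a search-engine request was followed, within the window, by a
                request to find-www.net (the redirect behaviour the post describes).
    'suspect' : the client contacted find-www.net without a preceding search.
    """
    last_search = {}
    verdicts = {}
    for ts, client, host, _path in sorted(events):
        if host_matches(host, SEARCH_ENGINES):
            last_search[client] = ts
        elif host_matches(host, (HIJACK_HOST,)):
            prev = last_search.get(client)
            if prev is not None and ts - prev <= timedelta(seconds=window_seconds):
                verdicts[client] = "hijacked"
            else:
                verdicts.setdefault(client, "suspect")
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_clients(parse_log(SAMPLE_LOG)).items()):
        print(f"{ip}: {verdict}")
```

Hosts flagged this way can then be checked locally for the tinyproxy service and the listener on TCP port 9090 described above.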

December 4th, 2008 at 1:54 am
Nice article. I guess the same could be found on Flickr ?
December 4th, 2008 at 3:07 pm
Thanks for the info!
December 5th, 2008 at 3:50 am
[…] to remove the virus. McAfee, on the other hand, which had disclosed the danger on Wednesday on its own blog, says that it is still not known who designed the virus. Probably whoever is […]
December 5th, 2008 at 4:57 am
[…] More information and screenshots can be found here. […]
December 5th, 2008 at 5:08 am
[…] the official McAfee blog, a new mutation of the Koobface virus (specifically a worm) […]
December 5th, 2008 at 6:08 am
[…] McAfee explains on its blog, users receive a spam message from one of their friends with the subject “Sales genial en […]
December 5th, 2008 at 7:21 am
If you happened to click on that link on facebook, you need to go to Internet Explorer, Internet Options, Connections, and uncheck the LAN settings.
This virus changes that and starts routing you to other websites.
Hope that helps, it fixed the problem after I unchecked it, and ran Malwarebytes.
December 5th, 2008 at 7:22 am
Thank you for this information.
I wondered how I had downloaded this bug and after reading this, I even remember the day.
It is exactly as you described.
I hope others can take warning and not end up with the expense I have - and it’s still not really gone!
December 5th, 2008 at 8:17 am
[…] . More detailed information and screenshots are here. (Image courtesy of MaximumPC) CrunchBase Information Facebook Information provided by […]
December 5th, 2008 at 8:22 am
Thanks for the information. I will be careful if I find anything like that on FaceBook.
December 5th, 2008 at 8:28 am
Hi U- No, the list of websites currently being wormed/attacked originally were published here. Flickr is not listed:
http://blog.threatfire.com/2008/12/koobface-on-loose-as-flashupdateexe.html
December 5th, 2008 at 8:28 am
[quote]
Nice article. I guess the same could be found on Flickr ?
[/quote]
This can be found on any social networking site! Such as flickr, bebo, tagged, myyearbook, youtube, imeem and many more.
Myspace has already been hacked…
December 5th, 2008 at 8:29 am
Also, great cleanup instructions here:
http://tonysgeektips.wordpress.com/2008/12/04/update-on-koobface-virus/
December 5th, 2008 at 8:50 am
[…] virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links […]
December 5th, 2008 at 9:20 am
[…] grab sensitive data off your PC like credit card numbers. The virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links […]
December 5th, 2008 at 9:36 am
[…] The explanation is at McAfee. […]
December 5th, 2008 at 9:37 am
[…] the avertlabs page on the trojan we get that This component listens on TCP port 9090 and proxies all HTTP traffic, in particular […]
December 5th, 2008 at 9:52 am
well what do we do if we have already clicked on this unexpected virus? How can we specifically locate it and completely eliminate it?
December 5th, 2008 at 9:52 am
[…] The McAfee Security Blog explains that when “Koobface” infects your computer, it prompts a downloaded service named Security Accounts Manager (SamSs) to load on start-up. SamSs then proxies all HTTP traffic, stealing results from popular search engines and hijacking them to lesser-known search sites. […]
December 5th, 2008 at 10:23 am
[…] less internet-savvy users for virus creators to prey on. The virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links […]
December 5th, 2008 at 11:10 am
[…] McAfee explains on its blog, users receive a spam message from one of their friends with the subject “Sales genial […]
December 5th, 2008 at 11:25 am
[…] swirled around the Twitterverse yesterday that Facebook had been hacked. McAfee Avert Labs Blog says that while Facebook has not been hacked, it does have a virus spreading across its millions of […]
December 5th, 2008 at 12:10 pm
[…] order to view the video. The download, flash_player.exe is actually the virus. According to the McAfee Security Blog the virus prompts a downloaded service to load on startup and “listens on TCP port 9090 and […]
December 5th, 2008 at 6:29 pm
[…] Please read more about the virus circulating on Facebook from the anti-virus experts: Koobface remains active on Facebook […]
December 5th, 2008 at 9:23 pm
[…] Craig Schmugar, threat researcher for McAfee Avert Labs, confirmed this in a call with CNET News and said that, in general, Koobface strikes only social-networking sites. […]
December 6th, 2008 at 1:22 am
[…] the McAfee Avert Labs blog clarified that it is not a hacker attack but a virus that spreads to the millions of users of the network […]
December 6th, 2008 at 3:59 am
[…] Keep in mind that there is a virus running around in Facebook called the Koobface Virus. It can be in a video that you are encouraged to download into your computer to watch. The subject line on the message will include, “You look so funny on our new video” or something similar. As always, it’s best to check with your Facebook friend before downloading anything. But the best advice remains never to open unexpected e-mail attachments to reduce the risk of infection, even if they come from people you trust. http://www.avertlabs.com/research/blog/index.php/2008/12/03/koobface-remains-active-on-facebook/ […]
December 6th, 2008 at 9:58 am
Will the EXE still install in XP Home even if the user is other than an admin (that is, a “limited”) user? Thank you in advance for your assistance!
December 6th, 2008 at 2:25 pm
[…] will skip the writeup of this virus as it has already been covered pretty well over at wired, avert labs and SANS. This is a good time to mention that we can now add facebook to “the things I hate […]
December 6th, 2008 at 3:28 pm
[…] advised on December 3, 2008 that Koobface is still very active on Facebook. This virus will generally hide behind an error message that your […]
December 7th, 2008 at 3:04 am
[…] A powerful new variant of the Koobface worm hits Facebook. […]
December 7th, 2008 at 4:39 am
[…] here and here for the source […]
December 8th, 2008 at 4:42 am
[…] the McAfee blog confirms that Facebook is under attack by Koobface but that work is already under way […]
December 8th, 2008 at 11:25 pm
[…] isn’t an update to Flash, but rather a worm that steals passwords and account information. McAfee’s Avert Labs has a good piece of advice that everyone should follow to stay safe on the web: Do not follow any […]
December 9th, 2008 at 7:32 am
[…] Facebook’s advice for dealing with the worm can be found here. The social networking utility is in the process of purging spammed links to the malware from its systems, reports McAfee, which has a full write-up of the threat here. […]
December 9th, 2008 at 9:13 am
[…] has nasty consequences, says Craig Schmugar of security company McAfee. The worm channels any web traffic, listening for search requests to the […]
December 9th, 2008 at 2:26 pm
[…] for the installation, the Koobface worm is instead downloaded.That has nasty consequences, says Craig Schmugar of security company McAfee. The worm channels any web traffic, listening for search requests to the […]
December 10th, 2008 at 9:28 am
[…] Source […]
December 11th, 2008 at 7:18 pm
[…] of a previous campaign — is once again making its rounds across social networking sites, Facebook in particular. Therefore, shall we spill a big cup of coffee over the malware campaigners efforts for yet another […]
December 12th, 2008 at 9:57 pm
[…] among other things. “Search terms are directed to find-www.net,” said McAfee’s Craig Schmugar, and that “enables ad hijacking and click […]
December 18th, 2008 at 6:47 pm
[…] For more in depth article on the Koobface worm from McAfee labs […]
December 20th, 2008 at 7:12 pm
[…] writers of the Koobface worm that propagates on social networking websites have just released a new variant that is able to trick the security filters enforced by Facebook. In order to achieve this, the new […]