Koobface remains active on Facebook
Wednesday December 3, 2008 at 1:10 pm CST
Posted by Craig Schmugar
A new variant of Koobface (a worm that spreads over Social Networking sites) was recently making the rounds on Facebook. Users reported receiving spam messages, such as:

When a user follows the link, they’re redirected to one of many different compromised hosts, which displays a fake error message claiming that the installed version of Flash is out of date. Next, the user is prompted to download and open flash_player.exe, which is the new Koobface variant.

If the user chooses to install the executable, a fake error message is displayed.

Facebook is already aware of this threat and is purging the spammed links from its system. But with dozens of Koobface variants known to exist, the situation is likely to get worse before it gets better. It’s important to note that spammed links leading to Koobface are likely to come from infected friends, reminiscent of early mass-mailing worms. The safe-computing practice established more than 10 years ago still applies today: do not open any unexpected email attachments, even if they come from someone you know. In this context, however, it must be expanded to the following:
1. Do not follow any unexpected hyperlinks you receive over the Web, email, or IM, even if they come from someone you know. It’s best to ask the sender to confirm that they intentionally sent the link.
2. At the other end of a hyperlink, it’s best to install software and updates from the source (adobe.com in this case) rather than trusting content served by a third-party website.
The upcoming DAT release contains detection for the new Koobface variant, while users of McAfee Artemis Technology are already protected in real-time against this threat.
As for the motivations behind this Koobface variant, analysis shows that during infection a proxy server is installed to %ProgramFiles%\tinyproxy\tinyproxy.exe and a service named Security Accounts Manager (SamSs) is created to load the server at startup. This component listens on TCP port 9090 and proxies all HTTP traffic, in particular looking for traffic to Google, Yahoo, MSN, and Live.com for the purpose of hijacking search results. Search terms are directed to find-www.net. This enables ad hijacking and click fraud.
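The following triage script is an added example and is not part of the original post or McAfee’s tooling. It checks a Windows host for the indicators the post names (a service called SamSs whose binary is not the legitimate lsass.exe, the dropped %ProgramFiles%\tinyproxy\tinyproxy.exe, and a listener on TCP port 9090) and for a per-user WinINet proxy setting pointing at that listener, which is the LAN-settings symptom described in the comments. The WinINet check is an assumption about how the browser is steered through the proxy; the post does not state the mechanism. It assumes PowerShell 3 or later with Get-CimInstance and Get-NetTCPConnection (Windows 8 / Server 2012 or newer); on older hosts substitute Get-WmiObject and netstat -ano. The script only reports and changes nothing.

```powershell
# Added triage script (not from the McAfee post): report Koobface proxy indicators on this host.
# Assumes PowerShell 3+ on Windows 8 / Server 2012 or later; read-only, nothing is removed.

$findings = @()

# 1. Service named SamSs. The genuine Security Accounts Manager service runs lsass.exe
#    from System32, so any other binary path behind that name is suspect.
$svc = Get-CimInstance Win32_Service -Filter "Name='SamSs'"
if ($svc -and $svc.PathName -notmatch '\\System32\\lsass\.exe') {
    $findings += "Service SamSs loads an unexpected binary: $($svc.PathName)"
}

# 2. The dropped proxy binary named in the post.
$proxyPath = Join-Path $env:ProgramFiles 'tinyproxy\tinyproxy.exe'
if (Test-Path $proxyPath) {
    $findings += "Found $proxyPath"
}

# 3. A listener on TCP 9090, reported with the owning process so the analyst can confirm it.
$listeners = Get-NetTCPConnection -LocalPort 9090 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 9090 listener owned by PID $($l.OwningProcess) ($($proc.ProcessName))"
}

# 4. (Assumption) the current user's WinINet proxy setting routes the browser through
#    the local listener; this is the IE "LAN settings" change commenters describe.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.ProxyEnable -eq 1 -and $ie.ProxyServer -match '(127\.0\.0\.1|localhost):9090') {
    $findings += "Browser proxy is set to $($ie.ProxyServer)"
}

if ($findings.Count -eq 0) {
    'No Koobface proxy indicators found.'
} else {
    $findings
}
```

Run it from an elevated PowerShell prompt so the service and process queries succeed. Each finding on its own is only a lead (a 9090 listener can belong to legitimate software), but the combination of a renamed SamSs service, the tinyproxy binary, and a browser proxy pointed at 127.0.0.1:9090 matches the infection described above closely enough to justify isolating the host and updating DAT files before cleanup.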

December 4th, 2008 at 01:54
Nice article. I guess the same could be found on Flickr ?
December 4th, 2008 at 15:07
Thanks for the info!
December 5th, 2008 at 03:50
[...] to remove the virus. McAfee, on the other hand, which had announced the danger on Wednesday on its own blog, reports that it is still not known who designed the virus. Probably whoever is [...]
December 5th, 2008 at 04:57
[...] More information and screenshots can be found here. [...]
December 5th, 2008 at 05:08
[...] according to the official McAfee blog, a new mutation of the Koobface virus (a worm, specifically) [...]
December 5th, 2008 at 05:32
[...] More information and screenshots can be found here. [...]
December 5th, 2008 at 05:41
[...] More information and screenshots can be found here. [...]
December 5th, 2008 at 06:08
[...] McAfee explains on its blog, users receive a spam message from one of their friends with the subject “You look great in [...]
December 5th, 2008 at 06:27
[...] More information and screenshots can be found here. [...]
December 5th, 2008 at 07:21
If you happened to click on that link on Facebook, you need to go to Internet Explorer, Internet Options, Connections, and uncheck the LAN settings.
This virus changes that and starts routing you to other websites.
Hope that helps; it fixed the problem after I unchecked it and ran Malwarebytes.
December 5th, 2008 at 07:22
Thank you for this information.
I wondered how I had downloaded this bug and after reading this, I even remember the day.
It is exactly as you described.
I hope others can take warning and not end up with the expense I have – and it’s still not really gone!
December 5th, 2008 at 08:17
[...] . More detailed information and screenshots are here. (Image courtesy of MaximumPC) CrunchBase Information Facebook Information provided by [...]
December 5th, 2008 at 08:22
Thanks for the information. I will be careful if I find anything like that on FaceBook.
December 5th, 2008 at 08:28
Hi U- No, the list of websites currently being wormed/attacked was originally published here. Flickr is not listed:
http://blog.threatfire.com/2008/12/koobface-on-loose-as-flashupdateexe.html
December 5th, 2008 at 08:28
[quote]
Nice article. I guess the same could be found on Flickr ?
[/quote]
This can be found on any social networking site! Such as flickr, bebo, tagged, myyearbook, youtube, imeem and many more.
Myspace has already been hacked…
December 5th, 2008 at 08:29
Also, great cleanup instructions here:
http://tonysgeektips.wordpress.com/2008/12/04/update-on-koobface-virus/
December 5th, 2008 at 08:50
[...] virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
December 5th, 2008 at 09:20
[...] grab sensitive data off your PC like credit card numbers. The virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
December 5th, 2008 at 09:36
[...] The explanation at McAfee. [...]
December 5th, 2008 at 09:37
[...] the avertlabs page on the trojan we get that This component listens on TCP port 9090 and proxies all HTTP traffic, in particular [...]
December 5th, 2008 at 09:52
well what do we do if we have already clicked on this unexpected virus? How can we specifically locate it and completely eliminate it?
December 5th, 2008 at 09:52
[...] The McAfee Security Blog explains that when “Koobface” infects your computer, it prompts a downloaded service named Security Accounts Manager (SamSs) to load on start-up. SamSs then proxies all HTTP traffic, stealing results from popular search engines and hijacking them to lesser-known search sites. [...]
December 5th, 2008 at 10:07
[...] virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
December 5th, 2008 at 10:23
[...] less internet-savvy users for virus creators to prey on. The virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
December 5th, 2008 at 11:10
[...] McAfee explains on its blog, users receive a spam message from one of their friends with the subject “You look great [...]
December 5th, 2008 at 11:25
[...] swirled around the Twitterverse yesterday that Facebook had been hacked. McAfee Avert Labs Blog says that while Facebook has not been hacked, it does have a virus spreading across its millions of [...]
December 5th, 2008 at 12:10
[...] order to view the video. The download, flash_player.exe is actually the virus. According to the McAfee Security Blog the virus prompts a downloaded service to load on startup and “listens on TCP port 9090 and [...]
December 5th, 2008 at 12:43
[...] The McAfee Security Blog explains that when “Koobface” infects your computer, it prompts a downloaded service named Security Accounts Manager (SamSs) to load on start-up. SamSs then proxies all HTTP traffic, stealing results from popular search engines and hijacking them to lesser-known search sites. [...]
December 5th, 2008 at 12:48
[...] less internet-savvy users for virus creators to prey on. The virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
December 5th, 2008 at 13:20
[...] The McAfee Security Blog explains that when “Koobface” infects your computer, it prompts a downloaded service named Security Accounts Manager (SamSs) to load on start-up. SamSs then proxies all HTTP traffic, stealing results from popular search engines and hijacking them to lesser-known search sites. [...]
December 5th, 2008 at 14:03
[...] McAfee explains on its blog, users receive a spam message from one of their friends with the subject “You look great in [...]
December 5th, 2008 at 14:22
[...] The McAfee Security Blog explains that when “Koobface” infects your computer, it prompts a downloaded service named Security Accounts Manager (SamSs) to load on start-up. SamSs then proxies all HTTP traffic, stealing results from popular search engines and hijacking them to lesser-known search sites. [...]
December 5th, 2008 at 17:27
[...] less internet-savvy users for virus creators to prey on. The virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
December 5th, 2008 at 18:29
[...] Please read more about the virus circulating on Facebook from the anti-virus experts: Koobface remains active on Facebook [...]
December 5th, 2008 at 21:23
[...] Craig Schmugar, threat researcher for McAfee Avert Labs, confirmed this in a call with CNET News and said that, in general, Koobface strikes only social-networking sites. [...]
December 5th, 2008 at 21:50
[...] less internet-savvy users for virus creators to prey on. The virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
December 6th, 2008 at 01:22
[...] the McAfee Avert Labs blog clarified that this is not a hacker attack but a virus spreading among the network’s millions of users [...]
December 6th, 2008 at 03:59
[...] Keep in mind that there is a virus running around in Facebook called the Koobface Virus. It can be in a video that you are encouraged to download into your computer to watch. The subject line on the message will include, “You look so funny on our new video” or something similar. As always, it’s best to check with your Facebook friend before downloading anything. But the best advice remains never to open unexpected e-mail attachments to reduce the risk of infection, even if they come from people you trust. http://www.avertlabs.com/research/blog/index.php/2008/12/03/koobface-remains-active-on-facebook/ [...]
December 6th, 2008 at 08:21
[...] less internet-savvy users for virus creators to prey on. The virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
December 6th, 2008 at 08:25
[...] less internet-savvy users for virus creators to prey on. The virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
December 6th, 2008 at 09:58
Will the EXE still install in XP Home even if the user is other than an admin (that is, a “limited”) user? Thank you in advance for your assistance!
December 6th, 2008 at 14:25
[...] will skip the writeup of this virus as it has already been covered pretty well over at wired, avert labs and SANS. This is a good time to mention that we can now add facebook to “the things I hate [...]
December 6th, 2008 at 15:28
[...] advised on December 3, 2008 that Koobface is still very active on Facebook. This virus will generally hide behind an error message that your [...]
December 7th, 2008 at 03:04
[...] A powerful new variant of the Koobface worm hits Facebook. [...]
December 7th, 2008 at 04:39
[...] here and here for the source [...]
December 7th, 2008 at 06:58
[...] Craig Schmugar, threat researcher for McAfee Avert Labs, confirmed this in a call with CNET News and said that, in general, Koobface strikes only social-networking sites. [...]
December 7th, 2008 at 13:19
[...] less internet-savvy users for virus creators to prey on. The virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
December 8th, 2008 at 04:42
[...] McAfee’s blog confirms that Facebook is under attack by Koobface but that work is already underway [...]
December 8th, 2008 at 16:44
[...] virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
December 8th, 2008 at 23:25
[...] isn’t an update to Flash, but rather a worm that steals passwords and account information. McAfee’s Avert Labs has a good piece of advice that everyone should follow to stay safe on the web: Do not follow any [...]
December 9th, 2008 at 07:32
[...] Facebook’s advice for dealing with the worm can be found here. The social networking utility is in the process of purging spammed links to the malware from its systems, reports McAfee, which has a full write-up of the threat here. [...]
December 9th, 2008 at 09:13
[...] has nasty consequences, says Craig Schmugar of security company McAfee. The worm channels any web traffic, listening for search requests to the [...]
December 9th, 2008 at 14:26
[...] for the installation, the Koobface worm is instead downloaded.That has nasty consequences, says Craig Schmugar of security company McAfee. The worm channels any web traffic, listening for search requests to the [...]
December 10th, 2008 at 09:28
[...] Source [...]
December 11th, 2008 at 19:18
[...] of a previous campaign — is once again making its rounds across social networking sites, Facebook in particular. Therefore, shall we spill a big cup of coffee over the malware campaigners efforts for yet another [...]
December 12th, 2008 at 21:57
[...] among other things. “Search terms are directed to find-www.net,” said McAfee’s Craig Schmugar, and that “enables ad hijacking and click [...]
December 14th, 2008 at 23:16
[...] among other things. “Search terms are directed to find-www.net,” said McAfee’s Craig Schmugar, and that “enables ad hijacking and click [...]
December 18th, 2008 at 18:47
[...] For more in depth article on the Koobface worm from McAfee labs [...]
December 20th, 2008 at 19:12
[...] writers of the Koobface worm that propagates on social networking websites have just released a new variant that is able to trick the security filters enforced by Facebook. In order to achieve this, the new [...]
December 31st, 2008 at 18:06
[...] The McAfee Security Blog explains that when “Koobface” infects your computer, it prompts a downloaded service named Security Accounts Manager (SamSs) to load on start-up. SamSs then proxies all HTTP traffic, stealing results from popular search engines and hijacking them to lesser-known search sites. [...]
January 1st, 2009 at 22:49
[...] among other things. “Search terms are directed to find-www.net,” said McAfee’s Craig Schmugar, and that “enables ad hijacking and click [...]
January 7th, 2009 at 01:43
[...] among other things. “Search terms are directed to find-www.net,” said McAfee’s Craig Schmugar, and that “enables ad hijacking and click [...]
January 10th, 2009 at 08:10
[...] Last December, we saw the Koobface trojan that spreads through social network news feed messages, prompting users to download what they think is an update to the Adobe Flash player but is really malware. [...]
January 11th, 2009 at 15:10
[...] I’ve been seeing on my newsfeed are any indication, it’s a pain to undo the damage. The McAfee security blog explains the motivation for the malware: As for the motivations behind this Koobface variant, analysis shows [...]
January 14th, 2009 at 13:37
[...] among other things. “Search terms are directed to find-www.net,” said McAfee’s Craig Schmugar, and that “enables ad hijacking and click [...]
January 20th, 2009 at 18:05
[...] among other things. “Search terms are directed to find-www.net,” said McAfee’s Craig Schmugar, and that “enables ad hijacking and click [...]
January 23rd, 2009 at 07:02
[…] Craig Schmugar, threat researcher for McAfee Avert Labs, confirmed this in a call with CNET News and said that, in general, Koobface strikes only social-networking sites. […]
January 26th, 2009 at 17:49
Wow – Just now I got sent to a similar link through Youtube.
It had the exact same comments below the video.
Thank goodness I didn’t “download” what it told me to.
February 6th, 2009 at 04:28
[…] . More detailed information and screenshots are here. (Image courtesy of MaximumPC) CrunchBase Information Facebook Information provided by […]
February 17th, 2009 at 08:03
[...] less internet-savvy users for virus creators to prey on. The virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
February 18th, 2009 at 07:21
[...] McAfee warns of a new worm that’s being passed around on Facebook. You’ll get an e-mail from a friend that says something along the lines of “You look just awesome in this new movie.” When you click the link to play the video, you’ll be prompted to download “flash_player.exe,” which is actually a worm called Koobface. Its purpose: to steer your searches from sites like Google and Yahoo to other sites, and to send spam to your Facebook friends. [...]
February 25th, 2009 at 10:06
[...] of a previous campaign — is once again making its rounds across social networking sites, Facebook in particular. Therefore, shall we spill a big cup of coffee over the malware campaigners efforts for yet another [...]
March 2nd, 2009 at 17:30
[...] that) then some gmail page extension. Now look at the issue with Facebook. Check this link here: Computer Security Research – McAfee Avert Labs Blog Notice the address when you click on the link. Actually, if you are on these networking sites, go [...]
March 3rd, 2009 at 07:32
So are Linux systems susceptible to this virus? Tnx, Dave
March 3rd, 2009 at 09:05
You might be interested in this account
http://www.vancouversun.com/business/Poisoned+sites+lure+surfers/1339679/story.html
of an experience we had here with a poisoned Google hit. I passed the details
to the major newspaper here and after doing my own research passed that along
as well. This resulted in the account you see in the link above.
If for some reason the link is truncated, the Google search terms (in the news
section) “poisoned sites” will lead you to this story.
At the time I put the details together I was unaware of your own work.
March 3rd, 2009 at 10:15
Koobface affects Windows systems, not Linux.
March 4th, 2009 at 03:36
I use Facebook but so far I have not received any message of this kind, and if I do receive one I will ignore it.
March 4th, 2009 at 03:57
OK, so I think the big question is how do we fix this?!
March 4th, 2009 at 08:53
Thanks Craig… Dave
March 4th, 2009 at 18:54
[...] you are a Facebook user, beware of the emerging Facebook virus named Koobface; the Koobface virus uses private messages on Facebook to send a video that contains the virus, [...]
April 17th, 2009 at 07:02
[...] has nasty consequences, says Craig Schmugar of security company McAfee. The worm channels any web traffic, listening for search requests to the [...]
June 23rd, 2009 at 09:38
[...] Trackback With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish out personal information, as well as MySpace scams and Facebook spams. [...]
June 24th, 2009 at 05:27
[...] Sex the Bait in Mass Orkut Compromise By Webmaster on June 24th, 2009 With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish out personal information, as well as MySpace scams and Facebook spams. [...]
June 24th, 2009 at 13:06
[...] information and screenshots can be found here.” [...]
June 26th, 2009 at 00:13
[...] among other things. “Search terms are directed to find-www.net,” said McAfee’s Craig Schmugar, and that “enables ad hijacking and click [...]
September 1st, 2009 at 06:26
[...] When searching on Google users will get redirected to other malicious websites, as McAfee’s Craig Schmugar said that this new variant of Koobface installs "a proxy server is installed to [...]
September 22nd, 2009 at 05:50
Does it help to have WOT? That’s what I have and it helps me to know what sites have a bad reputation. Should more people know about it ? Or does it matter ?
September 22nd, 2009 at 05:55
[...] in December, the worm manifested as Facebook spam messages with video links. Once clicked, viewers were prompted to download Trojan malware disguised [...]
October 12th, 2009 at 13:45
[...] less internet-savvy users for virus creators to prey on. The virus watchdog blog for McAfee labs reports that Facebook is aware of the Koobface attack and is already working to remove the spammed links [...]
October 23rd, 2009 at 10:22
I got one today from a Corey, Cindarella with no subject line but the message starts out “My computer won’t let me open this, what is it?”…. I deleted the email before opening it. But there is no Corey, Cindarella on my friends list and I actually couldn’t find one on Facebook at all —
December 12th, 2009 at 04:08
[...] With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish out personal information, as well as MySpace scams and Facebook spams. [...]
December 18th, 2009 at 16:55
I did click the link and sent it out to most of my friend list. Fortunately, I caught it and my computer was not affected (thus far). My FB account, however, continues to randomly send out the message despite changing the password and email.
March 30th, 2010 at 14:36
Thanks for the reminder. I will be a lot more careful and not open up a virus at all.
April 11th, 2010 at 17:58
It is hitting Facebook hard now; I have been receiving these for the last 4 days non-stop. My computer would not go to the website, it said it was spam, so I did not click on anything in the site. Still worries me, as I am getting these daily, and just now found out what it is.
August 8th, 2010 at 10:42
You can find this kind of thing on any network; Facebook is just a popular target due to its traffic and non-tech-savvy user base. Facebook should really try to help promote the safety of its users.