Koobface Going for Broke?
Friday July 16, 2010 at 12:40 pm CST
Posted by Craig Schmugar
The Koobface worm has been one of the top malicious threats to Facebook users since 2008. Like most threats, Koobface has morphed over time, adding and changing malicious payloads, while maintaining the ability to propagate, or spread, from one system to another.
A common misconception is that viruses often delete files or cause irrevocable system damage. There certainly are a number of viruses in this category, but the majority aim to go unnoticed. A damaged system is unable to spread the virus to other victims, while a quietly infected system can be used indefinitely to spread the virus. Furthermore, systems that show obvious signs of infection are more likely to result in the owners’ seeking remediation.
Historically Koobface has varied, sometimes installing password-stealing malware in the background and other times prompting users to enter CAPTCHAs.
Several weeks ago Koobface added DNS hijacking functionality that blocks access to security sites, tipping users off to the fact that something might be wrong with their systems. Since then the authors have taken a giant leap toward invasiveness with the installation of a fake anti-virus Trojan.
About 10 minutes after the initial infection, users may see the typical fake scanning windows and infection alerts:


It’s all downhill from here. The Trojan acts as an HTTP proxy and configures Internet Explorer to route HTTP requests through that proxy, which blocks access to everything but the site to purchase the fake AV software and a handful of porn sites. This payload even blocks another component of Koobface that is designed to display pop-ups and redirect search result links, leaving the user with Koobface-created pop-ups that display fake error messages.

The malware also blocks almost every executable from running, making the system pretty much useless for most users.
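As an added, defender-side example (not part of the original post or of McAfee's tooling), the following Python triage helper checks for the two host-level symptoms described above: security-vendor domains overridden in the hosts file, and an Internet Explorer proxy setting that routes all HTTP through a loopback listener. The vendor-domain list and the sample hosts file are constructed assumptions; the ProxyEnable/ProxyServer argument formats mirror the real IE registry values of those names.

```python
import ipaddress

# Illustrative vendor domains; an assumption for this example, not the worm's
# actual block list.
SECURITY_DOMAINS = ("mcafee.com", "avertlabs.com", "symantec.com", "windowsupdate.com")

# Constructed sample hosts file resembling a host whose security sites are hijacked.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.mcafee.com      # vendor site pinned to loopback
127.0.0.1       avertlabs.com
10.0.0.5        update.symantec.com
"""


def hijacked_security_hosts(hosts_text):
    """Return (hostname, ip) pairs from a hosts file that override a security domain."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((name, ip))
    return hits


def suspicious_proxy(proxy_enable, proxy_server):
    """Return the first proxy entry that points at loopback, else None."""
    # proxy_enable mirrors the ProxyEnable DWORD; proxy_server mirrors the ProxyServer
    # string, which is either "host:port" or "http=host:port;https=host:port".
    if not proxy_enable or not proxy_server:
        return None
    for entry in proxy_server.split(";"):
        target = entry.rpartition("=")[2]          # strip an optional "scheme=" prefix
        if target.startswith("["):
            host = target.partition("]")[0][1:]     # bracketed IPv6 literal
        else:
            host = target.rsplit(":", 1)[0]         # strip the port
        try:
            if ipaddress.ip_address(host).is_loopback:
                return entry
        except ValueError:                          # not an IP literal: a hostname
            if host.lower() == "localhost":
                return entry
    return None
```

On a live Windows host the same two values are read from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable and ProxyServer) and the hosts file from %SystemRoot%\System32\drivers\etc\hosts; a loopback proxy that the user did not configure, combined with vendor domains pinned to 127.0.0.1, is the combination this payload produces.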

It’s unclear how this self-competing threat came about, but the crippling payload is delivered from the same domains as the other Koobface components. Perhaps the gang is going for one last big payoff, trying to get as many users as possible to pay $49.95-$69.95 to register “AV Security Suite.” It’s more likely, however, that the Koobface gang has such confidence in their ability to infect new users that they aren’t worried about leveraging the current infection base to propagate their threats.
The vast majority of Koobface infections come from users who “choose” to run the virus. They are tricked by the social engineering used by the authors, who prey on people’s curiosity and thirst to view some enticing video.

July 16th, 2010 at 14:17
[...] Koobface sends false messages and comments to the victim’s friends, redirects them to a malicious website, and tries to steal log-in credentials to spread itself. In some cases after the worm downloads and local files are modified, victims cannot run most programs. Watch this space for more information and further details of Koobface hijacking in a blog by my colleague Craig Schmugar. [Update: You'll find that blog here.] [...]
July 16th, 2010 at 23:29
[...] Koobface sends false messages and comments to the victim’s friends, redirects them to a malicious website, and tries to steal log-in credentials to spread itself. In some cases after the worm downloads and local files are modified, victims cannot run most programs. Watch this space for more information and further details of Koobface hijacking in a blog by my colleague Craig Schmugar. [Update: You'll find that blog here.] [...]
July 19th, 2010 at 05:39
[...] “Several weeks ago Koobface added DNS hijacking functionality that blocks access to security sites, tipping users off to the fact that something might be wrong with their systems. Since then the authors have taken a giant leap toward invasiveness with the installation of a fake anti-virus Trojan,” security researchers from McAfee warn. [...]
July 25th, 2010 at 03:46
[...] AVERT LABS – Koobface Going for Broke? http://www.avertlabs.com/research/blog/index.php/2010/07/16/koobface-going-for-broke/ [...]
August 9th, 2010 at 17:22
[...] with the installation of a fake anti-virus Trojan," said McAfee researchers. (Source: avertlabs.com) Koobface Now Tracking its Visitors The updated Koobface variant was recently discovered appearing [...]