Beware of Facebook Koobface Virus
It’s been reported that Koobface has infiltrated Facebook, which hosts 120 million users. Originally discovered in mid-2008, members of the Koobface family spread through social networking sites.
McAfee advised on December 3, 2008 that Koobface is still very active on Facebook. The virus generally hides behind an error message saying that your version of Flash is out of date. You are then prompted to download a bogus version of Flash that is actually a tinyproxy program, which loads a proxy server named Security Accounts Manager.
From Threatfire's blog, on the infections that they observed on December 3, 2008:
The dropped executables, named “bolivar26.exe, bolivar28.exe” and so on, are copies of the original flash_update.exe files. A quick analysis shows them to be similar in functionality to the captcha crack scheming binaries previously observed in the wild. Also interesting is that these files are worming through and attacking other social networking sites like myspace.com, blackplanet.com, friendster.com, and bebo.com, in addition to its namesake.
ITWire says that one of the main clues that the so-called updater was actually Koobface is a dialog that says “Error installing Codec. Please contact support.” or “Error installing Flash Update. Please contact support.”
The first time that you boot up your computer after restarting from a fake installation, Koobface will listen on TCP port 9090 and will proxy all outgoing HTTP traffic from your computer. For example, if you use Google to search for a product, you will not be taken to a legitimate site; instead, your search will be hijacked and redirected to a malicious site.
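A defender-side check for the behaviour described above, as an added example that is not from the original article or any vendor: it reads saved `netstat -ano` and `tasklist /fo csv /nh` output and flags a listener on TCP port 9090 and any process named like the dropped files. The sample output and the function names are constructed for illustration.

```python
import csv
import io
import re

PROXY_PORT = 9090  # TCP port the article says Koobface listens on
# Image names quoted in the article: flash_update.exe and its bolivarNN.exe copies.
DROPPED_NAME = re.compile(r"^(bolivar\d+|flash_update)\.exe$", re.IGNORECASE)

# Constructed sample of `netstat -ano` output (not taken from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:9090           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49712     203.0.113.10:80        ESTABLISHED     3120
"""
# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''\
"svchost.exe","904","Services","0","6,204 K"
"bolivar26.exe","3120","Console","1","5,120 K"
"bolivar28.exe","3344","Console","1","4,980 K"
'''

def listening_pids(netstat_text, port):
    """PIDs holding a LISTENING TCP socket on `port` (IPv4 or [::]-style IPv6)."""
    pids = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            if fields[1].rsplit(":", 1)[1] == str(port):
                pids.add(int(fields[4]))
    return pids

def process_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV rows."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if len(r) >= 2}

def triage(netstat_text, tasklist_csv):
    """Return sorted (severity, pid, image); legitimate software also uses
    port 9090, so a listener with an unrelated image name is only 'review'."""
    names = process_names(tasklist_csv)
    findings = []
    for pid in listening_pids(netstat_text, PROXY_PORT):
        image = names.get(pid, "<unknown>")
        severity = "high" if DROPPED_NAME.match(image) else "review"
        findings.append((severity, pid, image))
    flagged = {pid for _, pid, _ in findings}
    for pid, image in names.items():  # dropped copies running but not listening
        if pid not in flagged and DROPPED_NAME.match(image):
            findings.append(("name-only", pid, image))
    return sorted(findings)
```

Calling `triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE)` on the constructed samples reports the 9090 listener owned by bolivar26.exe as "high" and the second running copy, bolivar28.exe, as "name-only".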
Wired magazine says that the Koobface virus uses Facebook’s private messaging system to infect computers via a shared video. Unsuspecting users will see a video link (shared by an infected friend) with the message, “You look just awesome in this new movie.” Clicking the link will lead you to an outside site where you’re told that you need to download a Flash update, which is actually a virus file. Once the virus is installed, it will try to grab sensitive data off your PC, like credit card numbers. If you receive a message from a friend that has the subject line “You look just awesome in this new movie.” DO NOT CLICK ON THAT LINK!
The Journal of New England Technology reports:
“Look you were filmed all naked!” read the subject header on one iteration of the virus-spreading message, which is being sent automatically from infected accounts to the “friend” list for that account. Clicking the link usually takes users to a page that looks like YouTube, and a pop-up message advises the user to download a Flash plug-in. The download contains the virus, which replicates by contacting everyone on the victim’s Facebook friend list and advancing the hoax.
How can you protect yourself?
- Don’t click on links unless they are from a source that you trust!
- Run an updated antivirus scan on your computer.
- If you do install any software updates, make sure that you are going to the source site and not to a bogus site. Example: you would go to www.adobe.com to update Flash and not to www.stickmewithkoobfacevirus.com
- In Facebook go to your security page to find out how to remove Koobface.
- Change your password.
- Join PhishTank.
If in doubt as to how to stay safe from viruses, malware, spyware, backdoors, and worms, you should contact a security expert for advice.