
Koobface Going for Broke?

Friday, July 16, 2010 at 12:40pm by Craig Schmugar

The Koobface worm has been one of the top malicious threats to Facebook users since 2008. Like most threats, Koobface has morphed over time, adding and changing malicious payloads, while maintaining the ability to propagate, or spread, from one system to another.

A common misconception is that viruses often delete files or cause irrevocable system damage. There certainly are a number of viruses in this category, but the majority aim to go unnoticed. A damaged system is unable to spread the virus to other victims, while a quietly infected system can be used indefinitely to spread the virus. Furthermore, systems that show obvious signs of infection are more likely to result in the owners’ seeking remediation.

Historically Koobface has varied, sometimes installing password-stealing malware in the background and other times prompting users to enter CAPTCHAs.

Several weeks ago Koobface added DNS hijacking functionality that blocks access to security sites, tipping users off to the fact that something might be wrong with their systems. Since then the authors have taken a giant leap toward invasiveness with the installation of a fake anti-virus Trojan.

About 10 minutes after the initial infection, users may see the typical fake scanning windows and infection alerts.

It’s all downhill from here. The Trojan acts as an HTTP proxy and configures Internet Explorer to route HTTP requests through that proxy, which blocks access to everything but the site to purchase the fake AV software and a handful of porn sites. This payload even blocks another component of Koobface that is designed to display pop-ups and redirect search result links, leaving the user with Koobface-created pop-ups that display fake error messages.

The malware also blocks almost every executable from running, making the system pretty much useless for most users.
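Two of the symptoms described above, security sites becoming unreachable and Internet Explorer being pointed at a local proxy, leave artifacts an administrator can check for offline. The following script is an added example, not Koobface code and not a McAfee tool. It assumes the DNS hijack shows up as overrides in the Windows hosts file (the post says only "DNS hijacking", not how it is done) and that the proxy is set through the usual WinINET values `ProxyEnable` and `ProxyServer` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`. The hosts file text, the registry values and the `securityvendor.example` watchlist entry are all constructed sample data.

```python
"""Offline checks for two host-side symptoms described in the post: a hosts-file
style override of security vendor sites and a WinINET (Internet Explorer) proxy
pointed at a local rogue listener.  Added example; sample data is constructed."""
import ipaddress

# Domains whose presence in the hosts file is itself suspicious.  A real
# watchlist would be longer; securityvendor.example is a placeholder.
SECURITY_DOMAINS = {"mcafee.com", "securityvendor.example"}

# Constructed hosts file: normal entries plus two overrides of security sites.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1   www.mcafee.com
127.0.0.1   update.securityvendor.example
10.0.0.5    intranet.corp.example
"""

# Constructed WinINET values, as they would be read from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
SAMPLE_PROXY_SETTINGS = {
    "ProxyEnable": 1,
    "ProxyServer": "http=127.0.0.1:8085",
}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_hosts_hijacks(entries, watchlist=SECURITY_DOMAINS):
    """Hostnames on the watchlist (or their subdomains) that the hosts file
    overrides.  Any override counts: pointing a security site at loopback or
    at a foreign IP both break updates and remediation."""
    hits = []
    for ip, name in entries:
        if any(name == d or name.endswith("." + d) for d in watchlist):
            hits.append((name, ip))
    return hits


def parse_proxy_server(value):
    """Split a WinINET ProxyServer string ('host:port' or
    'http=host:port;https=host:port') into {scheme: (host, port)}."""
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        scheme = scheme or "all"
        host, _, port = hostport.rpartition(":")
        proxies[scheme] = (host, int(port) if port.isdigit() else None)
    return proxies


def check_proxy(settings, expected_proxies=()):
    """Flag an enabled proxy that is not on the expected list.  A proxy on
    loopback is the pattern the post describes: a local process that only
    lets the purchase page through."""
    findings = []
    if not settings.get("ProxyEnable"):
        return findings
    for scheme, (host, port) in parse_proxy_server(settings.get("ProxyServer", "")).items():
        if f"{host}:{port}" in expected_proxies:
            continue
        try:
            is_loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            is_loopback = host.lower() == "localhost"
        findings.append({"scheme": scheme, "host": host, "port": port, "loopback": is_loopback})
    return findings


def main():
    for name, ip in find_hosts_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print(f"hosts override of security site: {name} -> {ip}")
    for f in check_proxy(SAMPLE_PROXY_SETTINGS):
        print(f"unexpected {f['scheme']} proxy {f['host']}:{f['port']} (loopback={f['loopback']})")


if __name__ == "__main__":
    main()
```

On a live machine the inputs would come from `%SystemRoot%\System32\drivers\etc\hosts` and from the registry key named above; pass any sanctioned corporate proxy as `expected_proxies` so it is not reported. Note that a proxy entry alone is not proof of infection, and a clean hosts file does not rule out the hijack if it was done elsewhere, such as by changing the system's DNS server.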

It’s unclear how this self-competing threat came about, but the crippling payload is delivered from the same domains as the other Koobface components. Perhaps the gang is going for one last big payoff, trying to get as many users as possible to pay $49.95-$69.95 to register “AV Security Suite.” It’s more likely, however, that the Koobface gang has such confidence in their ability to infect new users that they aren’t worried about leveraging the current infection base to propagate their threats.

The vast majority of Koobface infections come from users who “choose” to run the virus. They are tricked by the social engineering used by the authors, who prey on people’s curiosity and thirst to view some enticing video.
