A new variant of Koobface (a worm that spreads over Social Networking sites) was recently making the rounds on Facebook. Users reported receiving spam messages, such as:

When a user follows the link, they’re redirected to one of many different compromised hosts, which displays a fake error message that the version of Flash is out of date. Next the user is prompted to download/open flash_player.exe, a new Koobface variant.

If the user chooses to install the executable, a fake error message is displayed.

Facebook is already aware of this threat and is purging the spammed links from their system. But with dozens of Koobface variants known to exist, the situation is likely to get worse before it gets better. It’s important to note that spammed links leading to Koobface are likely to come from infected friends, reminiscent of early mass-mailing worms. The safe-computing practice created more than 10 years ago still applies today, which is not to open any unexpected email attachments, even if they are from someone you know. Only in this context, it must be expanded to the following:
Do not follow any unexpected hyperlinks you receive over the Web, Email, or IM, even if they are received from someone you know. It’s best to ask the sender to confirm that they intentionally sent such a link.

On the other end of hyperlinks, it’s best to install software and updates from the source (such as adobe.com in this case) rather than trusting the content from a third-party website.

The upcoming DAT release contains detection for the new Koobface variant, while users of McAfee Artemis Technology are already protected in real-time against this threat.
As for the motivations behind this Koobface variant, analysis shows that during infection a proxy server is installed to %ProgramFiles%\tinyproxy\tinyproxy.exe and a service named Security Accounts Manager (SamSs) is created to load the server at startup.  This component listens on TCP port 9090 and proxies all HTTP traffic, in particular looking for traffic to Google, Yahoo, MSN, and Live.com for the purpose of hijacking search results. Search terms are directed to find-www.net. This enables ad hijacking and click fraud.
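
A host-triage check built from the indicators in the paragraph above, added here as an example and not McAfee's own code: it flags a service whose image is the tinyproxy binary or that borrows the Security Accounts Manager display name without running lsass.exe, and it picks TCP 9090 listeners out of `netstat -ano` output. The function names and sample data are constructed, and the rule that the genuine SamSs service runs lsass.exe is an assumption not stated on the page.

```python
import ntpath
import re

# Indicators as reported in the analysis above.
PROXY_IMAGE = r"\tinyproxy\tinyproxy.exe"   # under %ProgramFiles%
PROXY_PORT = 9090
FAKE_DISPLAY = "security accounts manager"
# Assumption: the genuine SamSs service on Windows runs lsass.exe.
LEGIT_SAMSS_IMAGE = "lsass.exe"

# Constructed sample inventory: (name, display name, PathName).
SAMPLE_SERVICES = [
    ("SamSs", "Security Accounts Manager", r"C:\Windows\system32\lsass.exe"),
    ("svc-example", "Security Accounts Manager (SamSs)",
     r'"C:\Program Files\tinyproxy\tinyproxy.exe"'),
    ("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
]
# Constructed `netstat -ano` lines; only the second is a listener on 9090.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:9090           0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.20:49712     203.0.113.5:9090       ESTABLISHED     4020
"""

def image_path(path_name):
    """Executable part of a service PathName, without quotes or arguments."""
    m = re.match(r'\s*"([^"]+)"|\s*(.+?\.exe)\b', path_name, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else path_name.strip()

def suspicious_services(services):
    """Flag the proxy binary, or a SamSs look-alike not backed by lsass.exe."""
    hits = []
    for name, display, path_name in services:
        image = image_path(path_name).lower()
        if image.endswith(PROXY_IMAGE):
            hits.append((name, "tinyproxy image path"))
        elif FAKE_DISPLAY in display.lower() and ntpath.basename(image) != LEGIT_SAMSS_IMAGE:
            hits.append((name, "SamSs display name on non-lsass image"))
    return hits

def listening_pids(netstat_text, port=PROXY_PORT):
    """PIDs with a TCP listener on `port` (remote-port matches are ignored)."""
    pids = []
    for line in netstat_text.splitlines():
        f = line.split()
        if (len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING"
                and f[1].rsplit(":", 1)[-1] == str(port)):
            pids.append(int(f[4]))
    return pids
```

A PID returned by `listening_pids` can be matched against the process behind a flagged service to confirm that both indicators belong to the same component.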
Got this virus, and it’s so annoying. >:(
Hi,
I’ve received it. Wasn’t aware of it. No anti-virus finds it… The FB doesn’t open or it says that it won’t open, browser can’t establish secure connection to the server. I don’t know what else to do? Has anyone else had a similar problem or have an idea how to settle it?
Thank you very much!!!
I have received at least six emails saying “You will not believe what this man did!” from someone not even on my friends list, or any of Facebook for that matter, but if you see it, DO NOT OPEN IT, because it may be a variant of the Koobface virus
Okay, so my other computer got the Koobface virus, but my virus scanner found it and deleted and/or quarantined them, and I changed my password and all that. This morning that computer will not boot up, it starts to turn on, but never finishes the boot up, just becomes a black screen. Now what do we do?
11-6-2010 4:23pm
I just received 2 messages from a friend in the Messages section of my Facebook page. The subject lines read, “Somebody upload a video with you on utube, should see.” and “Yes! your ass got caught as well.” I deleted these, but it seems that Koobface or a variant is still alive and well, as you at Scopes have reported!
You can find this kind of thing on any network, Facebook is just a popular target due to its traffic and non-tech-savvy userbase. Facebook should really try to help promote the safety of their users.
It is hitting Facebook hard now, I have been receiving these for the last 4 days non stop. My computer would not go to the web site, it said it was spam. So I did not click on anything in the site. Still worries me, as I am getting these daily, and just now found out what it is.
Thanks for the reminder. I will be a lot more careful and not open up a virus at all.
I did click the link and sent it out to most of my friend list. Fortunately, I caught it and my computer was not affected (thus far). My FB account, however, continues to randomly send out the message despite changing the password and email.
I got one today from a Corey, Cindarella with no subject line but the message starts out “My computer won’t let me open this, what is it?”…. I deleted the email before opening it. But there is no Corey, Cindarella on my friends list and I actually couldn’t find one on Facebook at all —