More Koobface URLs Plague Users

McAfee Labs researchers have seen a noticeable spike in URLs leading to Koobface malware. (Koobface is an anagram of Facebook.) The latest, unexpected Koobface campaign spreads by tricking Facebook users into downloading and running links with the following characteristic:

URL format: <Domain/variable/setup.exe>

All of these have been found in the same MD5: 9cac65b88d2288fb16f8a356c3563604.

Koobface malware, since its first appearance in 2008, has continued to arise intermittently with multiple variants that speed through the popular social networking site. The malicious code can hide in video clips, and most users are prompted to install a new version of Adobe Flash player; but the upgrade is actually a copy of the Koobface worm. Koobface also attempts to download itself using a mixture of files and extensions such as Domain/variable/Flash__Player.exe or Domain/view/console=yes/setup.exe.

Koobface sends false messages and comments to the victim’s friends, redirects them to a malicious website, and tries to steal log-in credentials to spread itself. In some cases after the worm downloads and local files are modified, victims cannot run most programs. Watch this space for more information and further details of Koobface hijacking in a blog by my colleague Craig Schmugar. [Update: You'll find that blog here.]

Don’t open messages or click on links from sources that you do not trust. Here’s an example of how McAfee SiteAdvisor technology and the McAfee TrustedSource™ reputation system protect users and make their browsing safer.