Koobface is Back!

Well, well, well… “IT” IS BACK! And by “IT” I mean Koobface.

Recently, McAfee released its Threat Report: First Quarter 2013. The report shows steady growth in mobile malware and an increase in general malware (including Koobface) and spam.

Koobface is coming back with a vengeance! According to McAfee Labs, there were almost three times as many samples of Koobface as there were in the 4th Quarter of 2012.

Koobface was originally discovered in 2008 and was at its peak in 2009-2010, and then it got quieter. “The resurrection of Koobface reminds us that social networks continue to present a substantial opportunity for intercepting personal information,” said Vincent Weafer, senior vice president, McAfee Labs.

What is Koobface?

Koobface (an anagram of Facebook) is a very sophisticated worm that can distribute itself in various ways. Koobface is sometimes referred to as the “Facebook virus” because, at first, it targeted only Facebook users. Now it targets various social networking sites.

The ultimate goal of Koobface is to gather sensitive information such as credit card numbers, passwords, banking information, and any other social networking site login information. It also turns the infected computer into a zombie computer to form a botnet, meaning that it will send itself via email to all of the contacts saved in your address book. It may also start automatically posting comments on your Facebook friends’ profiles with links to the video.

When your system gets infected with Koobface, it may be infected by other malicious software as well. According to a report by TrendMicro, Koobface appears to be monetizing itself through a pay-per-install model: other malware groups pay the Koobface group to install their own malicious software on Koobface-infected systems.

How Koobface distributes itself

  • You may get an email from your Facebook friend, which will ask you to open and watch a video either by downloading a file or by following a link. Once you do, Koobface quietly downloads itself in the background. Then it sends similar messages to all of your Facebook friends.
  • You may click on a link to a “video” with some absurd title and a fake thumbnail posted on one of your Facebook friends’ walls. This link will take you to a third-party website that may look like a genuine video sharing site such as YouTube. Then, you will be prompted to upgrade your Adobe Flash Player by downloading an executable file, which is just a download link for this worm.
  • Another Koobface component can register a new Facebook account and confirm an email address in Gmail in order to activate the newly registered Facebook account. It will randomly join groups, add new friends and make posts on Facebook friends’ walls. Not only that, those accounts are very well designed and even have photos, favorite songs, books and interests listed on the profile.
  • Another variant of Koobface can set up fake blogs and populate them with links to the latest news through Google news feeds. Those blogs contain a script that will redirect the user to a malicious site that tries to install the worm.


I wrote about Koobface back in 2009 after my friend accidentally downloaded this worm, which delivered a suite of other malware. You may revisit that post for more information. Also, Symantec has posted more detailed information about Koobface along with the removal instructions.


About the Author

Lana is a real-life Identity Theft Victim. Identity Theft Manifesto is a result of her own struggles to clear her credit, her name and reputation. She is on a mission to research, learn more and educate her readers about ID Theft Crime.