Koobface makes (another) comeback

08 April 2010

According to Harley, who is a director of malware intelligence with ESET, Koobface's latest modus operandi is to infect users only the first time they access the site.

Subsequent attempts generate what looks like a 404 error (page not found) and, says Harley, attackers do this to hamper the work of security researchers, so that it becomes more difficult to analyse subsequent differing versions of the malicious code.

Koobface, which was first detected in late 2008, propagates by delivering Facebook messages to people who are 'friends' of a Facebook user whose computer has already been infected.

Upon receipt, the message directs the recipients to a third-party website, where they are prompted to download what purports to be an update of the Adobe Flash player, but is actually the malware.

Harley reports that, in this latest campaign, the Koobface worm spreads across social networks by way of messages claiming to be about hidden cameras showing erotic encounters via an internet connection.

"A message is sent from the infected machine to each of the owner's contacts and the link redirects to websites called 'video posted by – hidden camera.' A pop-up at this site tells the user that he needs to download what is supposed to be a video codec, in order to look at the video", said Harley in a security blog posting.

"As you can guess, the offered file isn't any sort of Flash codec, but the Koobface executable. If the user downloads and runs it, his system will become infected", he added.

Harley reports that ESET's research labs in Latin America have found and analysed over 100 IP addresses where users whose systems are already affected are responsible for the spread of this malware.

It is, he says, "very important" to prevent infection, not only because of the risk to your own system but because of the risk to others.

"Don't trust any messages of this type that turn up in social network messaging services like Facebook. Be on the look-out for deceptive social engineering and keep your antivirus software properly updated", he said.
