Koobface
{{Short description|Network worm attacking Microsoft Windows, Mac OS X and Linux platforms}}
{{pp|small=yes}}
{{Use dmy dates|date=December 2020}}
{{Infobox computer virus
| Image =
| Common name = Koobface
| Technical name =
| Aliases =
- OSX/Koobface.A (Intego)
- W32/Koobfa-Gen (Sophos)
- W32.Koobface.A (Symantec)
- W32/Koobface.worm (McAfee)
- WORM_KOOBFACE.DC (Trend Micro)
- Win32/Koobface (CA, Inc.)
- Worm.KoobFace (Malwarebytes)
- Net-Worm.Win32.Koobface.a (Kaspersky)
- Worm/Win32.Koobface (Panda)
- Worm/Win32.Koobface (Norton)
- Worm/Win32.Koobface (Webroot)
- Worm/Win32.Koobface (Avast)
| Family =
| Classification =
| Type = Computer worm
| Subtype = Malware
| IsolationDate =
| Origin = Russia
| Author =
}}
Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms.<ref>{{cite web|url=http://news.softpedia.com/news/New-Koobface-Variant-Infects-Linux-too-163450.shtml|title=New Koobface Variant Infects Linux Systems|author=Lucian Constantin|date=28 October 2010|work=softpedia|access-date=3 February 2015}}</ref><ref>{{cite web|url=http://news.softpedia.com/news/Linux-Java-Based-Trojan-Might-Have-Been-an-Accident-163848.shtml|title=Linux Java-Based Trojan Might Have Been an Accident|author=Lucian Constantin|date=30 October 2010|work=softpedia|access-date=3 February 2015}}</ref><ref>{{cite web|url=http://blog.intego.com/more-information-about-the-koobface-trojan-horse-for-mac/|title=More Information About the Koobface Trojan Horse for Mac|date=October 29, 2010|publisher=The Mac Security Blog|access-date=2012-01-20}}</ref> The worm originally targeted users of networking websites such as Facebook, Skype, Yahoo Messenger, and email websites such as Gmail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace and Twitter,<ref>{{Cite web |url=http://www.us-cert.gov/current/archive/2009/03/04/archive.html#malicious_code_targeting_social_networking |title=US-CERT Malicious Code Targeting Social Networking Site Users, added March 4, 2009, at 11:53 am |access-date=June 18, 2009 |archive-url=https://web.archive.org/web/20090512192108/http://www.us-cert.gov/current/archive/2009/03/04/archive.html#malicious_code_targeting_social_networking |archive-date=May 12, 2009 |url-status=dead }}</ref> and it can infect other devices on the same local network.<ref>{{cite web|url=http://status.twitter.com/post/138789881/koobface-malware-attack|title=Twitter Status – Koobface malware attack|via=Twitter|access-date=3 February 2015}}</ref> Technical support scammers also fraudulently tell their intended victims that their computer has a Koobface infection, using fake pop-ups and built-in Windows programs to make the claim look plausible.<ref>{{cite web|url=http://www.abqjournal.com/595377/fake-tech-support-warning-targets-apple-users.html|title=Fake tech support warning targets Apple users|last=Marks|first=Ellen|publisher=Albuquerque Journal|date=June 7, 2015}}</ref><ref>{{cite web|url=http://kdminer.com/main.asp?SectionID=1&subsectionID=797&articleID=69540 |title=Warnings are out there, but people keep falling for scams |last=Ricca |first=Aaron |publisher=The Kingman Daily Miner |date=April 6, 2016 |url-status=dead |archive-url=https://web.archive.org/web/20160409214608/http://kdminer.com/main.asp?SectionID=1&SubSectionID=797&ArticleID=69540 |archive-date=April 9, 2016 }}</ref><ref>{{cite web|url=http://www.southbendtribune.com/news/business/woman-almost-falls-for-computer-scam/article_469dd31b-d3f4-5f7b-805b-8b4d4f538b90.html|title=Woman almost falls for computer scam|last=Jensen|first=Dreama|publisher=South Bend Tribune|date=February 26, 2016}}</ref>
== Infection ==
Upon successful infection, Koobface attempts to gather login information for FTP sites, Facebook, Skype, and other social media platforms, as well as any sensitive financial data.<ref>[http://www.infowar-monitor.net/reports/iwm-koobface.pdf Koobface: Inside a Crimeware Network] {{webarchive|url=https://web.archive.org/web/20120914015420/http://www.infowar-monitor.net/reports/iwm-koobface.pdf |date=2012-09-14 }}</ref> It then uses the compromised computers to build a peer-to-peer botnet: a compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion.<ref>{{cite web |title=What Is the Koobface Virus? |website=kaspersky.com |date=2017-10-25 |url=https://www.kaspersky.com/resource-center/definitions/what-is-the-koobface-virus |archive-url=http://web.archive.org/web/20200611205524/https://www.kaspersky.com/resource-center/definitions/what-is-the-koobface-virus |archive-date=2020-06-11 |url-status=live |access-date=2025-01-14}}</ref> The botnet is used to install additional pay-per-install malware on the compromised computer and to hijack search queries in order to display advertisements. Its peer-to-peer topology is also used to show fake messages to other users for the purpose of expanding the botnet.<ref>{{cite web|url=http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99|archive-url=https://web.archive.org/web/20081209011116/http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99|url-status=dead|archive-date=9 December 2008|title=W32.Koobface|work=Symantec|access-date=3 February 2015}}</ref>
It was first detected in December 2008, and a more potent version appeared in March 2009.<ref>{{cite web|url=http://www.computerworld.com/s/article/9128842/Koobface_worm_to_users_Be_my_Facebook_friend?intsrc=news_ts_head|title=Koobface worm to users: Be my Facebook friend|last=Keizer |first=Gregg |date=March 2, 2009|publisher=Computerworld|access-date=2009-08-31}}</ref> A study by the Information Warfare Monitor, a joint collaboration of the SecDev Group and the Citizen Lab at the Munk School of Global Affairs, University of Toronto, revealed that the operators of this scheme generated over $2 million in revenue from June 2009 to June 2010.
Koobface originally spread primarily via social media sites and social engineering tactics, such as delivering Facebook messages to people who are "friends" of a Facebook user whose computer had already been infected. Upon receipt, the message directs the recipient to a third-party website (or to another Koobface-infected PC), where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface can infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. Links to the third-party website may also appear on the Facebook wall of the friend the message came from, sometimes accompanied by comments such as "LOL" or "YOUTUBE". If the link is opened, the trojan infects the computer, which then becomes a zombie host in the botnet.
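The infection chain just described (a social-network page leads to a third-party site, which then serves an executable presented as a Flash Player update) leaves a recognisable trail in web proxy logs. The following detection logic is an added example, not code from the article or from any of the cited researchers; the log format, the field names and the sample entries are constructed, and the set of hosts from which a genuine Flash installer would be expected is an assumption for this example.

```python
"""Flag proxy-log entries matching the social-network -> third-party site -> fake
Flash update download chain.  Added example; log format and sample data are constructed."""
import re
from urllib.parse import urlparse

# Constructed, simplified proxy log: "client_ip method url referer content_type"
SAMPLE_LOG = """\
10.0.0.5 GET http://video-site.example/watch?id=7 http://www.facebook.com/home.php text/html
10.0.0.5 GET http://video-site.example/flash_update.exe http://video-site.example/watch?id=7 application/x-msdownload
10.0.0.7 GET http://get.adobe.com/flashplayer/download/ http://www.facebook.com/ text/html
10.0.0.9 GET http://cdn.example/lib.js http://news.example/ application/javascript
"""

# Social networks named in the article as propagation channels
SOCIAL_HOSTS = {"facebook.com", "myspace.com", "twitter.com"}
# Hosts from which a real Flash Player installer would be expected (assumption for this example)
EXPECTED_INSTALLER_HOSTS = {"adobe.com"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}
# Filenames that pose as a Flash/Adobe update or installer
LURE_NAME = re.compile(r"(flash|adobe).*(update|setup|install|player)", re.IGNORECASE)


def registered_domain(host):
    """Crude eTLD+1 (last two labels); sufficient for the constructed sample."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line):
    client, method, url, referer, ctype = line.split()
    return {"client": client, "method": method, "url": url, "referer": referer, "ctype": ctype}


def find_lure_downloads(log_text):
    """Return (client, url) pairs where a client that reached a third-party site from a
    social network then downloaded a lure-named executable from that same site."""
    alerts = []
    landed_from_social = {}  # client -> third-party domains reached via a social-network referer
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        host = registered_domain(urlparse(e["url"]).hostname or "")
        ref_host = registered_domain(urlparse(e["referer"]).hostname or "") if e["referer"] != "-" else ""
        if ref_host in SOCIAL_HOSTS and host not in SOCIAL_HOSTS:
            landed_from_social.setdefault(e["client"], set()).add(host)
        filename = urlparse(e["url"]).path.rsplit("/", 1)[-1]
        if (e["ctype"] in EXECUTABLE_TYPES
                and LURE_NAME.search(filename)
                and host not in EXPECTED_INSTALLER_HOSTS
                and host in landed_from_social.get(e["client"], set())):
            alerts.append((e["client"], e["url"]))
    return alerts


if __name__ == "__main__":
    for client, url in find_lure_downloads(SAMPLE_LOG):
        print(f"suspicious Flash-update lure: {client} downloaded {url}")
```

The rule deliberately requires all three links of the chain (social referer, third-party host, lure-named executable) before alerting, so a user who follows a Facebook link to the vendor's own download page is not flagged.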
Among the components downloaded by Koobface are a DNS filter program that blocks access to well-known security websites and a proxy tool that enables the attackers to abuse the infected PC. At one time the Koobface gang also used Limbo, a password-stealing program.
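A DNS filter that blocks security websites is something a defender can look for directly. The following check is an added example, not code from the article, and it does not describe Koobface's own filter component: it inspects the hosts file, one common place where such blocking is implemented, for security-vendor names pointed at a sink-hole address. The watchlist and the sample hosts file are constructed; an operator would substitute the vendor domains their environment depends on.

```python
"""Find hosts-file entries that sink-hole security-vendor domains.
Added example; the watchlist and the sample hosts file are constructed."""
import ipaddress
import sys

# Example watchlist (constructed from vendors named in the article; extend as needed)
SECURITY_DOMAINS = {"sophos.com", "symantec.com", "mcafee.com",
                    "trendmicro.com", "kaspersky.com", "microsoft.com"}

# Constructed sample hosts file: benign loopback lines, two sink-holed vendor
# names, a trailing comment and an unrelated internal mapping
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.sophos.com
0.0.0.0         update.symantec.com   # pinned
10.1.2.3        intranet.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """Loopback and the unspecified address (0.0.0.0) make a name unreachable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def domain_suffixes(name):
    """All suffixes of a hostname: www.sophos.com -> {www.sophos.com, sophos.com, com}."""
    labels = name.split(".")
    return {".".join(labels[i:]) for i in range(len(labels))}


def find_blocked_security_sites(hosts_text, watchlist=SECURITY_DOMAINS):
    """Return (hostname, ip) for every watched security domain mapped to a sink-hole."""
    hits = []
    for ip, name in parse_hosts(hosts_text):
        if name == "localhost":
            continue
        if domain_suffixes(name) & watchlist and is_sinkhole(ip):
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    # Pass the real hosts file path (e.g. /etc/hosts or
    # C:\Windows\System32\drivers\etc\hosts) to scan it; default is the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for name, ip in find_blocked_security_sites(text):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

Only loopback and 0.0.0.0 are treated as sink-holes; a vendor name pinned to an internal address may be a legitimate update-proxy configuration and is left for the operator to judge.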
Several variants of the worm have been identified:
- Worm:Win32/Koobface.gen!F<ref>{{cite web|url=http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Worm:Win32/Koobface.gen!F&threatid=2147631531|title=Worm:Win32/Koobface.gen!F|publisher=Microsoft|work=microsoft.com|access-date=3 February 2015}}</ref>
- Net-Worm.Win32.Koobface.a, which attacks MySpace
- Net-Worm.Win32.Koobface.b, which attacks Facebook<ref>{{Cite web |url=http://www.finjan.com/MCRCblog.aspx?EntryId=2317 |title=Koobface malware distribution technique – automatic user account creation on FaceBook, Twitter, BlogSpot and others |access-date=2009-08-12 |archive-url=https://web.archive.org/web/20100328072623/http://www.finjan.com/MCRCblog.aspx?EntryId=2317 |archive-date=2010-03-28 |url-status=dead }}</ref>
- WORM_KOOBFACE.DC, which attacks Twitter<ref>{{cite web|url=http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KOOBFACE.DC|title=WORM_KOOBFACE|work=trendmicro.com|access-date=3 February 2015}}</ref>
- W32/Koobfa-Gen, which attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar<ref>{{cite web|url=http://www.sophos.com/blogs/gc/g/2009/03/02/sophos-stops-new-version-of-koobface-worm/|title=Sophos stops new version of Koobface social networking worm|work=Naked Security|access-date=3 February 2015}}</ref><ref>[http://community.ca.com/blogs/securityadvisor/archive/2009/05/31/the-allure-of-social-networking.aspx The Allure of Social Networking], describing Win32/Koobface affecting multiple social networks, on CA's Security Advisor Research blog {{webarchive|url=https://web.archive.org/web/20110722131124/http://community.ca.com/blogs/securityadvisor/archive/2009/05/31/the-allure-of-social-networking.aspx |date=2011-07-22 }}</ref>
- W32.Koobface.D<ref>{{cite web|url=http://www.symantec.com/security_response/writeup.jsp?docid=2009-080717-5930-99|archive-url=https://web.archive.org/web/20090815104342/http://www.symantec.com/security_response/writeup.jsp?docid=2009-080717-5930-99|url-status=dead|archive-date=15 August 2009|title=W32.Koobface.D|work=Symantec|access-date=3 February 2015}}</ref>
- OSX/Koobface.A, a Mac version which spreads via social networks such as Facebook, MySpace and Twitter<ref>{{cite web|url=http://blog.intego.com/intego-security-memo-trojan-horse-osxkoobface-a-affects-mac-os-x-mac-koobface-variant-spreads-via-facebook-twitter-and-more/|title=Intego Security Memo: Trojan Horse OSX/Koobface.A Affects Mac OS X Mac – Koobface Variant Spreads via Facebook, Twitter and More – The Mac Security Blog|work=The Mac Security Blog|date=27 October 2010 |access-date=3 February 2015}}</ref>
In January 2012, The New York Times reported<ref>[https://www.nytimes.com/2012/01/17/technology/koobface-gang-uses-facebook-to-spread-powerful-worm.html Web Gang Operating in the Open]</ref> that Facebook was planning to share information about the Koobface gang and name those it believed were responsible. Investigations by German researcher Jan Droemer<ref>{{cite web|url=http://nakedsecurity.sophos.com/koobface|title=The Koobface malware gang – exposed! – Naked Security|work=Naked Security|date=12 January 2012 |access-date=3 February 2015}}</ref> and the University of Alabama at Birmingham's Center for Information Assurance and Joint Forensics Research<ref>{{cite web|url=http://blog.al.com/businessnews/2012/10/facebook_credits_uab_with_catc.html|title=Facebook credits UAB with stopping international cyber criminals, donates $250,000 to school|work=AL.com|date=22 October 2012 |access-date=3 February 2015}}</ref> were said to have helped uncover the identities of those responsible.
Facebook revealed the names of the suspects behind the worm on January 17, 2012. They include Stanislav Avdeyko (leDed), Alexander Koltyshev (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc) and Svyatoslav E. Polichuck (PsViat and PsycoMan). They are based in St. Petersburg, Russia. The group is sometimes referred to as Ali Baba & 4, with Stanislav Avdeyko as the leader.<ref>{{cite web|last=Protalinski|first=Emil|title=Facebook exposes hackers behind Koobface worm|url=http://www.zdnet.com/blog/facebook/facebook-exposes-hackers-behind-koobface-worm/7538|archive-url=https://web.archive.org/web/20120119025643/http://www.zdnet.com/blog/facebook/facebook-exposes-hackers-behind-koobface-worm/7538|url-status=dead|archive-date=19 January 2012|publisher=ZDNet|access-date=January 20, 2012|date=January 17, 2012}}</ref> The investigation also connected Avdeyko with the CoolWebSearch spyware.
== Hoax warnings ==
The Koobface threat is also the subject of many hoax warnings designed to trick social networking users into spreading misinformation across the Internet. Anti-scam websites such as Snopes.com and ThatsNonsense.com have recorded many instances in which alarmist messages designed to fool and panic Facebook users circulated prolifically, using the widely publicized Koobface threat as bait.<ref>[http://www.thatsnonsense.com/viewdef.php?article=koobface_virus Koobface – What is it Really?], article at ThatsNonsense.com, retrieved 26 January 2011</ref><ref>[http://www.snopes.com/computer/virus/koobface.asp Koobface], article at snopes.com, retrieved 30 December 2010</ref>
Other misconceptions have spread regarding the Koobface threat, including the false assertions that accepting "hackers" as Facebook friends will infect a victim's computer with Koobface, or that Facebook applications are themselves Koobface threats. These claims are untrue. Other rumours assert that Koobface is far more dangerous than other malware and can delete all of a victim's files and "burn your hard disk"; these rumours are inspired by earlier fake virus warning hoaxes and are likewise false.
== See also ==
== References ==
{{Reflist}}
== External links ==
- [http://nakedsecurity.sophos.com/koobface The Koobface malware gang – exposed!], research by Jan Droemer and Dirk Kollberg.
- [http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_real_face_of_koobface_jul2009.pdf The Real Face of KOOBFACE], analysis by Trend Micro.
- [http://yro.slashdot.org/story/10/11/13/1732205/Researchers-Take-Down-Koobface-Servers?from=rss Researchers Take Down Koobface Servers], Slashdot article.
{{Botnets}}
{{Hacking in the 2000s}}