Koobface

Last updated

Koobface
Alias
Type Computer worm
Subtype Malware
OriginRussia

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. [1] [2] [3] This worm originally targeted users of networking websites such as Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, [4] and it can infect other devices on the same local network. [5] Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs. [6] [7] [8]

Contents

Infection

Koobface ultimately attempts, upon successful infection, to gather login information for FTP sites, Facebook, Skype, and other social media platforms, and any sensitive financial data as well. [9] It then uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. [10] The botnet is used to install additional pay-per-install malware on the compromised computer and hijack search queries to display advertisements. Its peer-to-peer topology is also used to show fake messages to other users for the purpose of expanding the botnet. [11] It was first detected in December 2008 and a more potent version appeared in March 2009. [12] A study by the Information Warfare Monitor, a joint collaboration from SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University of Toronto, has revealed that the operators of this scheme have generated over $2 million in revenue from June 2009 to June 2010. [9]

Koobface originally spread by delivering Facebook messages to people who are "friends" of a Facebook user whose computer had already been infected. Upon receipt, the message directs the recipients to a third-party website (or another Koobface infected PC), where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface can infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. There can also be links to the third-party website on the Facebook wall of the friend the message came from sometimes having comments like LOL or YOUTUBE. If the link is opened the trojan virus will infect the computer and the PC will become a Zombie or Host Computer.

Among the components downloaded by Koobface are a DNS filter program that blocks access to well known security websites and a proxy tool that enables the attackers to abuse the infected PC. At one time the Koobface gang also used Limbo, a password stealing program.

Several variants of the worm have been identified:

In January 2012, the New York Times reported [20] that Facebook was planning to share information about the Koobface gang, and name those it believed were responsible. Investigations by German researcher Jan Droemer [21] and the University of Alabama at Birmingham's Center for Information Assurance and Joint Forensics Research [22] were said to have helped uncover the identities of those responsible.

Facebook finally revealed the names of the suspects behind the worm on January 17, 2012. They include Stanislav Avdeyko (leDed), Alexander Koltyshev (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), Svyatoslav E. Polichuck (PsViat and PsycoMan). They are based in St. Petersburg, Russia. The group is sometimes referred to as Ali Baba & 4 with Stanislav Avdeyko as the leader. [23] The investigation also connected Avdeyko with CoolWebSearch spyware. [21]

Hoax warnings

The Koobface threat is also the subject of many hoax warnings designed to trick social networking users into spreading misinformation across the Internet. Various anti-scam websites such as Snopes.com and ThatsNonsense.com have recorded many instances where alarmist messages designed to fool and panic Facebook users have begun to circulate prolifically using the widely publicized Koobface threat as bait. [24] [25]

Other misconceptions have spread regarding the Koobface threat, including the false assertion that accepting "hackers" as Facebook friends will infect a victim's computer with Koobface, or that Facebook applications are themselves Koobface threats. These claims are untrue. Other rumours assert that Koobface is much more dangerous than other examples of malware and has the ability to delete all of your computer files and "burn your hard disk." However, these rumours are inspired by earlier fake virus warning hoaxes and remain false. [24]

See also

Related Research Articles

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Bagle was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

<span class="mw-page-title-main">Storm Worm</span> Backdoor Trojan horse found in Windows

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.

<span class="mw-page-title-main">Storm botnet</span> Computer botnet

The Storm botnet or Storm Worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

Srizbi BotNet is considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

Man-in-the-browser, a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software;, but a 2011 report concluded that additional measures on top of antivirus software were needed.

<span class="mw-page-title-main">Conficker</span> Computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.

Zeus is a Trojan horse malware package that runs on versions of Microsoft Windows. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows.

Sality is the classification for a family of malicious software (malware), which infects Microsoft Windows systems files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks to process intensive tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.

The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.

Dorkbot is a family of malware worms that spreads through instant messaging, USB drives, websites or social media channels like Facebook. It originated in 2015 and infected systems were variously used to send spam, participate in DDoS attacks, or harvest users' credentials.

Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. It is a modified form of an older form of viruses known as Banker Trojans, yet it is much smaller in size and more powerful. It works by establishing man-in-the-browser attacks and network sniffing. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America. It is designed to steal users' sensitive data, such as account login information and banking codes.

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.

Brambul is an SMB protocol computer worm that decrypts and automatically moves from one computer to its second computer.

References

  1. Lucian Constantin (28 October 2010). "New Koobface Variant Infects Linux Systems". softpedia. Retrieved 3 February 2015.
  2. Lucian Constantin (30 October 2010). "Linux Java-Based Trojan Might Have Been an Accident". softpedia. Retrieved 3 February 2015.
  3. "More Information About the Koobface Trojan Horse for Mac". The Mac Security Blog. 29 October 2010. Retrieved 20 January 2012.
  4. "US-CERT Malicious Code Targeting Social Networking Site Users, added March 4, 2009, at 11:53 am". Archived from the original on 12 May 2009. Retrieved 18 June 2009.
  5. "Twitter Status - Koobface malware attack". twitter.com. Retrieved 3 February 2015.
  6. Marks, Ellen (7 June 2015). "Fake tech support warning targets Apple users". Albuquerque Journal.
  7. Ricca, Aaron (6 April 2016). "Warnings are out there, but people keep falling for scams". The Kingman Daily Miner. Archived from the original on 9 April 2016.
  8. Jensen, Dreama (26 February 2016). "Woman almost falls for computer scam". South Bend Tribune.
  9. 1 2 Koobface: Inside a Crimeware Network Archived 2012-09-14 at the Wayback Machine
  10. "What Is the Koobface Virus?". www.kaspersky.com. 13 January 2021. Retrieved 21 November 2021.
  11. "W32.Koobface". Symantec . Archived from the original on 9 December 2008. Retrieved 3 February 2015.
  12. Keizer, Gregg (2 March 2009). "Koobface worm to users: Be my Facebook friend". Computerworld. Retrieved 31 August 2009.
  13. "Worm:Win32/Koobface.gen!F". microsoft.com. Microsoft. Retrieved 3 February 2015.
  14. "Koobface malware distribution technique - automatic user account creation on FaceBook, Twitter, BlogSpot and others". Archived from the original on 28 March 2010. Retrieved 12 August 2009.
  15. "WORM_KOOBFACE". trendmicro.com. Retrieved 3 February 2015.
  16. "Sophos stops new version of Koobface social networking worm". Naked Security. Retrieved 3 February 2015.
  17. The Allure of Social Networking, describes Win32/Koobface affecting multiple social networks as described on CA's Security Advisor Research blog Archived 2011-07-22 at the Wayback Machine
  18. "W32.Koobface.D". Symantec . Archived from the original on 15 August 2009. Retrieved 3 February 2015.
  19. "Intego Security Memo: Trojan Horse OSX/Koobface.A Affects Mac OS X Mac – Koobface Variant Spreads via Facebook, Twitter and More - The Mac Security Blog". The Mac Security Blog. 27 October 2010. Retrieved 3 February 2015.
  20. Web Gang Operating in the Open
  21. 1 2 "The Koobface malware gang – exposed! - Naked Security". Naked Security. 12 January 2012. Retrieved 3 February 2015.
  22. "Facebook credits UAB with stopping international cyber criminals, donates $250,000 to school". AL.com. 22 October 2012. Retrieved 3 February 2015.
  23. Protalinski, Emil (17 January 2012). "Facebook exposes hackers behind Koobface worm". ZDNet. Archived from the original on 19 January 2012. Retrieved 20 January 2012.
  24. 1 2 Koobface - What is it Really? article at ThatsNonsense.com, Retrieved on 26 January 2011
  25. Koobface article at snopes.com website, Retrieved on 30 December 2010