Koobface faces off with Facebook users

Stan Beer
Sunday, 07 December 2008 04:39

Your IT - Home IT

As anti-virus vendors have been warning, notorious social networking worm Koobface has resurfaced, this time to catch hordes of unsuspecting users of Facebook. Unfortunate Facebook users who happen to be caught out may well find themselves victims of identity theft.

As reported on iTWire, warnings of the then emerging Koobface worm were first circulated by anti-virus vendors Kapersky Lab and McAfee in late July. The vendors detected two variants of Koobface - Networm.Win32.Koobface.a which targets MySpace and  Networm.Win32.Koobface.b which aims to catch Facebook users out.

It is perhaps a testament to the growing popularity of Facebook that in this iteration, the Koobface purveyors have so far ignored MySpace. Facebook, open to anyone over 13, has an estimated 120 million users, while MySpace has a similar number.

In a similar manner to which email worms are spread, Koobface is spread by infected Facebook users whose hijacked accounts send bogus messages to their friends inviting them to click on a link.

Whereas with an email worm it was common to receive a message like "check out this cool screensaver", with Koobface a Facebook user will receive a fake message from a friend tailored for a social networking context.

One such bogus Koobface message is "Look at yourself in this awesome new video." Once the user clicks the link to load the purported video, he or she gets a message to update their Flash Player, which when clicked loads malware using a program called flash_update.exe.

Once installed, Koobface behaves pretty much like many other nasty worms circulating on the net. It disables many of the popular anti-virus products and creates a backdoor into a user's system through a port on the target computer, which enables it to divert search queries, steal credit card details, load malicious scripts and basically hijack the victim's machine.

Since we ran our original story and a more recent article on Koobface, iTWire has received numerous requests for information on how to remove the worm from infected computers.

Facebook has posted instructions on how to remove Koobface on its security page.