Koobface slips past antivirus defences

Stephen Withers
Monday, 08 December 2008 05:48

Your IT - Home IT

If you've been wondering why Koobface seems to be infecting so many computers, it could be because a majority of antivirus packages have been unable to detect it.

Koobface is a worm that spreads through social networking sites. It works by sending bogus messages or comments to the infected user's friends.

These texts include links to malicious sites that purport to offer video clips. If visitors follow the link, they are told that they need to install a new version of Flash and are offered an 'updater' which is actually installs malware.

A test run using the Virustotal service reported that as at December 5, only 15 out of 38 antivirus products could detect the current version of Koobface.

Big name products generally detected the culprit. Examples include CA, McAfee, Microsoft, Sophos, and Symantec.

But some widely-used products failed to warn that the download was malicious. Among them were software from Avast, AVG, ClamAV, F-Secure, Kaspersky and PC Tools.

Note that some or all of those vendors may have updated their products since Virustotal carried out its tests.

But here's the curious thing.

The Virustotal results have been publicised - and the sample may even have been submitted by - by the ThreatFire research team. And ThreatFire is part of PC Tools: one of the companies whose AV scanners could not detect Koobface.

That's what we call "without fear or favour."