CNET News: Koobface virus hits Facebook

CNET News: Koobface virus hits Facebook by Robert Vamosi December 4, 2008

Top: “Cyborg Stare” Dec. 5, 2008 Kevin Dayhoff

Photo credit: A new mass-mailing virus targeting Facebook users directs victims to a site asking to download a Trojan masked as an Adobe Flash update. (Credit: McAfee Avert Labs) Actually this is a cropped version of the McAfee Avert Labs photo. I have the same image in my main computer, that is not available at the moment as I am still working on restoring all my data files and operating system after the “Facebook Koobface” virus infected my system in the early morning hours of December 4, 2008.

This message could lead you to the Koobface virus, say security experts.
(Credit: McAfee Avert Labs)

This is another good article that explains how the “Facebook Koobface” virus works…

A worm responsible for sending Facebook users malicious code appears to be limited in nature, although the social engineering attack may be used again, say experts.

Facebook representative Barry Schnitt said the worm isn't new; it dates back to August, although the variant that first appeared on Wednesday targets only Facebook users.

Craig Schmugar, threat researcher for McAfee Avert Labs, confirmed this in a call with CNET News and said that, in general, Koobface strikes only social-networking sites.

After receiving a message in their Facebook in-box announcing, "You look funny in this new video" or something similar, recipients are then invited to click on a provided link. Once on the video site, a message says an update of Flash is needed before the video can be displayed. The viewer is prompted to open a file called flash_player.exe.

Schmugar said the prompt for a new player should be a warning. "The messages you tend to get from these sites don't look quite right." For instance, IE will tell you where the update is coming from, and usually it's not an Adobe site.

However, the message “a message says an update of Flash is needed before the video can be displayed,” is effective as many Microsoft users are aware that Microsoft and Adobe do not get along and that appears that Microsoft inhibits using Adobe products in Windows operating systems.

Many technology users maintain a hope that Microsoft will eventually stop attempting to inhibit Adobe products and we are always looking forward to “an update of flash” that will finally run easily in a Microsoft environment…

Another underreported dynamic is that the virus just breezed by Microsoft’s vaunted security update program. This program has been the source of much aggravation for heavy users; and now when the situation presents, that is why we put up with the obnoxious pesky persistent updates – it fails to work.

So the questions easily rises to the surface – why participate in the Microsoft update program?

If the viewer approves the Flash installation, Koobface attempts to download a program called tinyproxy.exe. This loads a proxy server called Security Accounts Manager (SamSs) the next time the computer boots up. Koobface then listens to traffic on TCP port 9090 and proxies all outgoing HTTP traffic. For example, a search performed on Google, Yahoo, MSN, or Live.com may be hijacked to other, lesser-known search sites.

Schmugar said this version of Koobface includes a bot-like component that could install other malicious apps at a later time.

[…]

Meanwhile, many articles repeat, “Facebook has posted instructions on how to remove the infection.” No it doesn’t. The information posted on the Facebook security page is so deficient and underwhelming, one could easily mistake it for humor.

According to a December 4, 2008 Reuters article, “Social network MySpace, owned by News Corp, was hit by a version of Koobface in August and used security technology to eradicate it, according to a company spokeswoman. The virus has not cropped up since then, she said.

If “MySpace” can protect its users, then why can’t Facebook?

[…]

Read the entire article here: Koobface virus hits Facebook

http://news.cnet.com/8301-1009_3-10113981-83.html


20081204 Koobface virus hits Facebook