03/14/10 - Article No: 74

Koobface – What is it really?

Here we explain what the Koobface worm actually is, how it works, how it infects a computer and most importantly how to avoid it. We also address many of the misconceptions associated with this type of malware.

In this article –
How does it spread?
How to avoid it.
Misconceptions about Koobface
Facebook Hoaxes and False Alerts

Malware is the broadest term available for malicious software. It can be further classified either by what it does on a victim’s computer, for example Spyware or a KeyLogger, or by the method by which it spreads and infects computers, such as a Trojan Horse or Scareware.
In this case, Koobface is dubbed Koobface because of the way it spreads – via social networking websites, such as Twitter, MySpace, Bebo and specifically Facebook. Koobface, as you are most likely aware, is an anagram of Facebook.
Koobface is also considered a type of “worm” because of its self-replicating nature.

How exactly does it spread?

The principal way Koobface spreads is by posting messages that contain malicious links from a social networking account (such as a Facebook account) to all the contacts associated with that account (for example, the Facebook contact list). The links direct social networking users to external websites that will download Koobface onto their computers as well.
Once installed, Koobface looks for evidence of social networking accounts on those computers. Once it finds them, it starts posting messages from those accounts, the process begins again, and the Koobface malware spreads virally.

This is the basic template, but how does Koobface get people to click on the malicious links and how does it install itself once the potential victim visits the external website?

Koobface malware is designed to post links intended to bait Facebook users into clicking them, so many of the messages posted are messages like –

Check out this YouTube video of you….LINK

Essentially anything that will cause curiosity or intrigue from the Facebook user. The messages vary greatly, but remember they are purely designed to get people to click on them.
Once the link is clicked, the victim is commonly asked to download some sort of add-on to view the page/image/video correctly. One of the most common examples is requesting victims download an extension to Adobe Flash Player in order to play a video. Once the user downloads this add-on, their computer is infected with Koobface and they will most likely notice unauthorised messages posting from their social networking accounts.

As we said before, Koobface refers to the way the software spreads through the Internet – via social networking sites – however Koobface is installed directly onto a victim’s computer, meaning it has access to the computer’s file system. Koobface can theoretically come bundled with any other type of malicious software including spyware, adware, key loggers or Trojan horses. Even though the Koobface aspect refers to the way it spreads, what Koobface can do once it infects a computer can vary.

Avoiding the Koobface Worm

To avoid getting infected with the Koobface worm, social networking users are recommended to use social networking sites carefully, much as they would to avoid other scams such as malicious applications or survey scams. This includes –

Suspicious Links – Be wary of suspicious links that you see posted on a social networking site. In Facebook this could mean links posted by your friends, sent to you via Facebook mail or Facebook chat, or links posted in groups. If ever in doubt that a link is genuine or automatically generated, contact the person who posted it.
Run Up-to-Date Antivirus – Even though Koobface is a relatively new type of malware, it is still malware, meaning running up-to-date antivirus software should detect and remove the problem. There is no one way of removing the Koobface virus.
Don’t Install “updates” – If links on Facebook (or other social sites) take you to external websites, never install updates these sites try to get you to install. This is the classic method Koobface uses to trick victims into installing it.
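
The warning signs in the list above (a curiosity-bait message carrying an off-site link, and an "update" installer offered by a site that is not the software vendor) can be written as a simple check. This is an added example, not part of the original article; the lure phrases, host lists, file names and function names are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed assumptions for illustration; none of these lists come from the article.
ON_SITE_HOSTS = {"facebook.com", "www.facebook.com"}
LURE_PATTERNS = [r"\bvideo of you\b", r"\bcheck out this\b", r"\bis this you\b"]
INSTALLER_EXTENSIONS = (".exe", ".scr", ".msi")
UPDATE_WORDS = ("update", "flash", "player", "codec", "plugin")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(text):
    """Return the host name of every http(s) link found in a message."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,)")).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def message_warnings(text):
    """Flag links that leave the social site, and lure wording that accompanies them."""
    warnings = []
    off_site = [h for h in extract_hosts(text) if h not in ON_SITE_HOSTS]
    lure = any(re.search(p, text, re.IGNORECASE) for p in LURE_PATTERNS)
    if off_site:
        warnings.append("off-site link: " + ", ".join(off_site))
    if off_site and lure:
        warnings.append("curiosity lure with off-site link")
    return warnings


def download_warnings(page_host, file_name, vendor_hosts):
    """Flag an installer presented as an 'update' by a host that is not the vendor."""
    name = file_name.lower()
    is_installer = name.endswith(INSTALLER_EXTENSIONS)
    looks_like_update = any(word in name for word in UPDATE_WORDS)
    if is_installer and looks_like_update and page_host.lower() not in vendor_hosts:
        return ["'update' installer offered by non-vendor host " + page_host]
    return []


if __name__ == "__main__":
    # Constructed sample inputs.
    print(message_warnings("Check out this YouTube video of you.... http://videos.example/watch"))
    print(download_warnings("videos.example", "flash_player_update.exe",
                            {"adobe.com", "www.adobe.com"}))
```

A message that passes these checks is not thereby safe; the filter only encodes the specific pattern described in this article.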

Misconceptions about Koobface

Facebook Applications are not Koobface! Many inaccurate reports and rumours lead many to believe that rogue Facebook applications themselves are Koobface worms. They’re not. Malware and Facebook applications are different things. Malware runs on a computer, Facebook applications run on a Facebook account. Whilst it is technically feasible for an application to infect a computer directly, this is extremely rare. What is more likely is that a rogue Facebook application will post malicious links from a Facebook account and those links will lead to external websites that will prompt Facebook users to download the Koobface worm.

Koobface is not a virus! Many people assume Koobface is a virus but really it is a type of computer worm. Any self-replicating computer worm that spreads by infecting and posting from social networking accounts constitutes a variant of Koobface. This means that Koobface is not a single threat but takes on many different variants. Several main strains of Koobface have already been identified.

Koobface is not extremely malicious! Many online rumours claim Koobface is the “most dangerous virus ever” and that it can “destroy hard drives”, along with other extreme claims. Koobface is just a type of malware and is not more dangerous than other types of malware. Running antivirus software should be enough to remove Koobface infections, just like other types of malware.

Koobface Hoaxes and False Alerts

Koobface’s entrance into the media spotlight was quick and alarmist. Facebook users were surprised to learn that the newest type of malware was spreading via social networking sites, posting automatic links from infected accounts looking to trick other social networking users into installing it.
Because of this, hoaxers use the subject of Koobface to try and instil panic into other social networking users. Hoaxers know that creating a panic is the best way to get their false rumours to circulate further and faster.

Many hoaxes have circulated via social networking sites like Facebook, spreading both misconceptions about Koobface and false and inaccurate Koobface alerts. Many hoaxes claim that a “Koobface virus” is circulating and that it can do things like “shut down computers” and “burn hard disks”. Such alerts are misleading and alarmist. There are many security websites (like Sophos) where genuine alerts are issued so social networking users do not have to rely on rumours and hearsay circulating through the Internet.
