Network News

X My Profile
View More Activity

Getting Friended By Koobface

You know you've attracted the attention of online troublemakers when they start using their malicious software to taunt you by name.

Such is apparently the case with the latest version of Koobface, a worm that spreads on Facebook, Twitter and other Web 2.0 sites and turns infected systems into bots that can be used for a variety of improper and possibly criminal purposes. According to an analysis performed on the malware by researchers from the University of Alabama at Birmingham, the latest version references a domain that begins with an expletive and ends with (if you figure it out please DO NOT visit this Web site, as you could pick up a malicious program).

I suppose I should be flattered, as I'm in good company: According to the researchers, this Koobface variant also forces infected systems to call out to another domain that drops an expletive in the middle of (again, please stay away from that domain). No doubt, this a dig at FireEye, a Milpitas, Calif. company that has published a great deal of key research some of the top spam botnets this past year.

"It's a personal feather in the cap, knowing that on some level we made cyber crime more difficult," said Alex Lanstein, senior security researcher at FireEye. "Playing whack-a-mole with [botnet control] servers is a losing battle, but shining a light in the dark corners of the net and raising awareness of just how dumb these guys can currently afford to be is obviously having an impact."

UAB researchers said they found a link being posted on that redirects anyone who clicks it to a constantly refreshed list of 100 infected Web pages, each of which looks like a Facebook page, but drops malware when you try to play the video on the page.

The malware installs a rogue anti-virus product, along with a malicious program designed to hijack a portion of the victim's Google search results, ostensibly as a way to earn click fraud money for the attackers.

As a result of the search hijacking, the university researchers found that victims of this version of Koobface may find it difficult to visit the Security Fix blog, among other sites.

"If you do a Google search, you get your normal results, but then if you actually try to click on any of the links, there is a 'random chance' that you will be redirected to another site," wrote Gary Warner, director of research in computer forensics at the school, in an e-mail to Security Fix. "So, for example, we Googled 'Brian Krebs,' got Security Fix as our top result, clicked on your link, which showed up right with a 'floatover'. Instead of going to the post though, we contacted a site called '' and then ended up at ''," (again, please refrain from visiting these domains).

By Brian Krebs  |  August 31, 2009; 7:57 PM ET
Categories:  Fraud , From the Bunker  | Tags: alex lanstein, fireeye, gary warner, koobface  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Snow Leopard's Anti-Malware Feature
Next: What To Do When Scareware Strikes


And all of them are hidden behind privacy registars - what's the point of whois if people can conceal themselves this way?
And most whois info is useless anyway - when are they going to start cracking down on this stuff?

Posted by: nick7 | August 31, 2009 11:43 PM | Report abuse

My girlfriend got Koobface on her laptop with the full McAfee suite running. Used several programs to try to get rid of it, but I think it still ended up residing in my backup files. Had to pay McAfee $85 to remove it, which they did after 90 minutes.

Nasty stuff that Koobface.


Posted by: Snapper24 | September 1, 2009 10:34 AM | Report abuse

All the AV software in the world won't save someone who doesn't practice a little safe surfing.

Posted by: ihatelogins | September 1, 2009 12:33 PM | Report abuse

This is why people need to be more vigilant when clicking on shortened links or hyperlinks. URL shorteners can make it difficult to determine if a link is safe. To find out where the link goes to or what it does, look at the URL for it. Spammers can enter any text they want into the actual link text so don’t use this as a guide. Instead, mouse-over the link - most email clients will show you the link’s actual URL right where your mouse is or in a corner of the screen.
For more security tips I write a blog at:

Posted by: tcronin-astaro | September 1, 2009 2:20 PM | Report abuse

Thank-you Brian - splendid job

Twice now I have sent a grouch to the White-house mail-box. Twice my XP operating system was 'invaded' hours after the event. Here is what the clever geek in the White-house bowels did in simple terms.

Prevent loading of \windows\config\system by deleting the file and the hidden backup file. This makes safe mode fail.

I recovered by using the recovery console and replacing the file with one from a snapshot. I have my own procedure for this because is long winded and prone to failure/errors.

This must have upset the geek because I recovered in 15 minutes.

The next attack actually managed to affect the NTFS system partition because it reported 'unknown' in a low level disk-check and obviously failed to fix this catastrophic error.

The procedure here is to reload windows using your Windows CD and restore from a backup (you do have one!!) - a lengthy procedure!

I am working to find out how this hack was achieved on Port 80 by using packet analysis log files - another lengthy procedure but one I will report back on here, together with IP address of the hack origin (although it will be obfusticated).

Posted by: coiaorguk | September 1, 2009 2:26 PM | Report abuse

Brian, why isn't the log in page secure ?

I'd like to suggest a program that would put an end to having to restore one's computer after it's been infected. It will not stop an infection from happening but all it takes to get rid of an infection is a reboot. I've been using it for quite a while now and I can attest to the fact that it works flawlessly. I can also confirm that it is installed on a large network of computers ( about 1,200 )and has never failed to restore an infected pc.
It's called Deep Freeze ( by Faronics ).
Essentially you have two states..Frozen or Thawed. When in the frozen state you can still do anything you want on a computer BUT as soon as you reboot whatever you did is gone, like it never happened ( including infections ) In the thawed state everything stays, including infections. I leave my computer frozen all the time except when I want to save something like updates, pictures etc.. The only minor inconvenience is that to go between frozen and thawed you must reboot. And yes I've installed programs only to look down at the state I was in and go darn..I'm frozen. So unfreeze and install again. But once a person has the concept then you just have to remember what state you're in.
I don't know why more people don't know about this program.

One important thing I should mention if someone does decide to try it out. You MUST defrag your hard drive BEFORE you install Deep Freeze.

Just my 2 cents

Posted by: amthmi | September 1, 2009 4:27 PM | Report abuse

Speaking of the f word, I f hate to hear Google being used as a verb. Why not say we Binged Brian Krebs, or we Yahood Brian Krebs? Isn't Google big enough already? Why give them free advertising?

Posted by: davidwg46 | September 1, 2009 7:32 PM | Report abuse

Perhaps the sincerest form of flattery: Thanks for making the mazmers mad enough to single you out!

Aside: After visiting the sites you mention, Opera on linux seems impevious to any haks they have in the sites (at least I couldn't find any differences in the KVM disk before and after the visit).

Posted by: lembark | September 1, 2009 10:48 PM | Report abuse

This latest variant is nasty. My wife got it yesterday, 3 hours of scanning with various progs including the ones most favored by geeks failed to even detect it.

First of all, it hijacks your browser so you can't even get to an antivirus site.

If you download an antivirus installer on another computer and then run it on the infected machine, well, too bad, because all you're actually running is a program which tries to connect to the antivirus site and download the actual setup file, so you're out of luck - it won't connect.

I managed to get Avast Pro installed with an updated virus database, and it didn't detect Koobface.

Plus since this is a newer version, doing a search for cleanup instructions is futile because they're all too old.

Posted by: wilmington10 | September 2, 2009 5:29 AM | Report abuse

Perhaps the sincerest form of flattery: Thanks for making the mazmers mad enough to single you out!

Aside: After visiting the sites you mention, Opera on linux seems impevious to any haks they have in the sites (at least I couldn't find any differences in the KVM disk before and after the visit).

Posted by: lembark | September 2, 2009 10:43 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company