Koobface Facebook Trojan On The March Again

Reports are in that the Koobface virus/trojan that sometimes plagues Facebook is back on the march again. Of course, these reports may not be very reliable, as they are from personal status updates on Facebook!

Just spotted this Facebook status update:

“Virus spreading like wildfire on Fb and My Space! It is a trojan worm called koobface. It will steal your info, invade your system and shut it down! DO NOT open the link Barack Obama Clinton Scandal! If SmartGirl15 requests you as a friend, don’t accept it; it is a virus. If somebody on your list adds her, you get the virus too! Please copy and paste to your wall. Confirmed on SNOPES.. please pass it on”

OK, a quick Google for that phrase brings up some pretty old pages, so maybe just an old status update worming its way around endlessly inside Facebook. Like Chinese whispers, it keeps coming around, but actually always looks the same……

OK. From Wikipedia, the free encyclopedia, some information on Koobface.


Common name: Koobface worm
  • W32/Koobfa-Gen (Sophos)
  • W32.Koobface.A (Symantec)
  • W32/Koobface.worm (McAfee)
  • WORM_KOOBFACE.DC (Trend Micro)
  • Win32/Koobface (CA, Inc.)
  • Worm.KoobFace (Malwarebytes)
Classification: Unknown
Type: Computer worm
Subtype: Computer virus
Isolation: December 2008
Point of Origin: [Unknown]

Koobface is a computer worm that targets users of the social networking websites Facebook (its name is an anagram of “Facebook”[1]), MySpace,[2] hi5, Bebo, Friendster and Twitter[3]. Koobface is designed to infect Microsoft Windows and Mac OS X, but also works on Linux (in a limited fashion).[4][5] Koobface ultimately attempts, upon successful infection, to gather login information for FTP sites, Facebook, and other social media platforms, but not any sensitive financial data.[6] It was first detected in December 2008 and a more potent version appeared in March 2009.[7] A study by the Information Warfare Monitor, a joint collaboration from SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University of Toronto, has revealed that the operators of this scheme have generated over $2 million in revenue from June 2009 to June 2010.[6]

Koobface spreads by delivering Facebook messages to people who are ‘friends’ of a Facebook user whose computer has already been infected. Upon receipt, the message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface is able to infect their system. It can then commandeer the computer’s search engine use and direct it to contaminated websites. There can also be links to the third-party website on the Facebook wall of the friend the message came from sometimes having comments like LOL or YOUTUBE. If the link is opened the trojan virus will infect the computer and the PC will become a Zombie or Host Computer.

Among the components downloaded by Koobface are a DNS filter program that blocks access to well known security websites and a proxy tool that enables the attackers to abuse the infected PC.

Several variants of the worm have been identified:

  • Worm:Win32/Koobface.gen!F [8]
  • Net-Worm.Win32.Koobface.a, which attacks MySpace
  • Net-Worm.Win32.Koobface.b, which attacks Facebook [9]
  • WORM_KOOBFACE.DC, which attacks Twitter [10]
  • W32/Koobfa-Gen, which attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar [11][12]
  • W32.Koobface.D[13]

Source: http://en.wikipedia.org/wiki/Koobface

So, Koobface may be spreading; then again, ill-informed status updates may be spreading too. Who knows? It is always wise to be careful with what you open in Facebook anyway.

2 Comments on “Koobface Facebook Trojan On The March Again”

  1. From Hoax-Slayer.com:

    “This warning is inaccurate and highly misleading. The warning is apparently derived from concerns about a genuine security threat known as Koobface. However, because this message contains so much false and misleading information, it is in no way a valid warning about Koobface. Sending on the message will do nothing more than confuse users and diffuse the usefulness of genuine warnings about Koobface. If you receive this message, please do not repost it to others.”

  2. More information here: http://www.hoax-slayer.com/105-14.shtml

    Another misleading claim in the “Knob Face” warning is that the “virus” will shut down the infected computer. However, disabling the compromised computer is certainly not the goal of the criminals who distribute the real Koobface. Their goal is to use the infected computer to spread the worm to other users, create ongoing connections with other compromised computers, download other malware components and display advertisements on the compromised computers via hijacked search queries. Thus, these criminals are not about to shut down infected computers and thereby make them inaccessible.

    Thus, spreading this garbled and inaccurate “warning” will serve only to spread misinformation and confusion among social network users. Certainly Koobface is real, along with many other security threats that target Facebookers. However, the inaccuracies and falsehoods contained in this “Knob Face” message mean that it has no merit or validity as a warning whatsoever and should not be reposted.
