Koobface virus lures Facebook users

Robert Vamosi CNET News

Published: 05 Dec 2008 12:12 GMT

A worm responsible for sending Facebook users malicious code appears to be limited in nature, although the social-engineering attack may be used again, say experts.

Facebook representative Barry Schnitt said the worm isn't new; it dates back to August, although the variant that first appeared on Wednesday targets only Facebook users.

Craig Schmugar, threat researcher for McAfee Avert Labs, confirmed this to ZDNet UK's sister site, CNET News, and said that in general Koobface strikes only social-networking sites.

After receiving a message in their Facebook inbox announcing, "You look funny in this new video" or something similar, recipients are then invited to click on a provided link. Once on the video site, a message says an update of Flash is needed before the video can be displayed. The viewer is prompted to open a file called flash_player.exe.

Schmugar said the prompt for a new player should be a warning. "The messages you tend to get from these sites don't look quite right." For instance, IE will tell you where the update is coming from, and usually it is not an Adobe site.

If the viewer approves the Flash installation, Koobface attempts to download a program called tinyproxy.exe. This loads a proxy server called Security Accounts Manager (SamSs) the next time the computer boots up. Koobface then listens to traffic on TCP port 9090 and proxies all outgoing HTTP traffic. For example, a search performed on Google, Yahoo, MSN or Live.com may be hijacked to other, lesser-known search sites.
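A defender can check a Windows host for the behaviour described above. The following is an added example, not code from the article, McAfee or Facebook: it parses constructed samples of `netstat -ano` and `tasklist /fo csv /nh` output and flags a listener on TCP port 9090 and the two file names the article mentions. The sample data, function names and the documentation IP address are assumptions.

```python
import csv
import io

# Indicators named in the article; all sample data below is constructed.
PROXY_PORT = 9090
SUSPECT_IMAGES = {"flash_player.exe", "tinyproxy.exe"}

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:9090           0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.20:49712     203.0.113.7:9090       ESTABLISHED     3100
  TCP    [::]:445               [::]:0                 LISTENING       4
"""

# Constructed sample of `tasklist /fo csv /nh` output.
SAMPLE_TASKLIST = """\
"svchost.exe","884","Services","0","5,120 K"
"tinyproxy.exe","2316","Services","0","3,204 K"
"iexplore.exe","3100","Console","1","41,880 K"
"""

def load_processes(tasklist_csv):
    """Map PID -> lower-cased image name from tasklist CSV output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0].lower() for r in rows if len(r) >= 2 and r[1].isdigit()}

def tcp_listeners(netstat_text):
    """Yield (local_port, pid) per LISTENING TCP socket; rsplit copes with [::]:445."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING" and f[4].isdigit():
            yield int(f[1].rsplit(":", 1)[1]), int(f[4])

def find_indicators(netstat_text, tasklist_csv):
    """Return sorted (reason, pid, image) findings for the behaviour in the article."""
    procs = load_processes(tasklist_csv)
    findings = set()
    for port, pid in tcp_listeners(netstat_text):
        if port == PROXY_PORT:  # outbound connections *to* 9090 are not listeners
            findings.add((f"listener on TCP {PROXY_PORT}", pid, procs.get(pid, "unknown")))
    for pid, image in procs.items():
        if image in SUSPECT_IMAGES:
            findings.add(("suspect image name", pid, image))
    return sorted(findings)

if __name__ == "__main__":
    print(*find_indicators(SAMPLE_NETSTAT, SAMPLE_TASKLIST), sep="\n")
```

Port and file-name matches are leads for investigation rather than proof, since other software can legitimately listen on port 9090.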

Schmugar said this version of Koobface includes a bot-like component that could install other malicious apps at a later time.

Facebook's Schnitt said: "Only a very small percentage of Facebook users have been affected and we're working quickly to update our security systems to minimise any further impact, including resetting passwords on infected accounts, removing the spam messages and co-ordinating with third parties to remove redirects to malicious content elsewhere on the web."

Facebook has posted instructions on how to remove the infection.

McAfee's Schmugar said this attack is similar to email attacks 10 years ago, in that Koobface is using infected 'friends' lists, reminiscent of early mass-mailing worms. As was the recommendation then, he advises users not to open any unexpected email attachments, even if they are from someone you know.

Credit: Koobface virus hits Facebook from CNET News
