Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace and Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer, using fake pop-ups and built-in Windows programs.


Infection

Koobface ultimately attempts, upon successful infection, to gather login information for FTP sites, Facebook, Skype, and other social media platforms, as well as any sensitive financial data (Koobface: Inside a Crimeware Network). It then uses compromised computers to build a peer-to-peer botnet: a compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer and to hijack search queries in order to display advertisements. Its peer-to-peer topology is also used to show fake messages to other users for the purpose of expanding the botnet. It was first detected in December 2008, and a more potent version appeared in March 2009. A study by the Information Warfare Monitor, a joint collaboration of the SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University of Toronto, revealed that the operators of this scheme generated over $2 million in revenue from June 2009 to June 2010.

Koobface originally spread by delivering Facebook messages to people who are "friends" of a Facebook user whose computer had already been infected. Upon receipt, the message directs the recipients to a third-party website (or another Koobface-infected PC), where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface can infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. There can also be links to the third-party website on the Facebook wall of the friend the message came from, sometimes with comments like "LOL" or "YOUTUBE". If the link is opened, the trojan will infect the computer and the PC will become a zombie or host computer.

Among the components downloaded by Koobface are a DNS filter program that blocks access to well-known security websites and a proxy tool that enables the attackers to abuse the infected PC. At one time the Koobface gang also used Limbo, a password-stealing program.

Several variants of the worm have been identified:
* Worm:Win32/Koobface.gen!F
* Net-Worm.Win32.Koobface.a, which attacks MySpace
* Net-Worm.Win32.Koobface.b, which attacks Facebook
* WORM_KOOBFACE.DC, which attacks Twitter
* W32/Koobfa-Gen, which attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo
* a Mac version which spreads via social networks such as Facebook, MySpace and Twitter

In January 2012, the ''New York Times'' reported that Facebook was planning to share information about the Koobface gang and name those it believed were responsible. Investigations by German researcher Jan Droemer and the University of Alabama at Birmingham's Center for Information Assurance and Joint Forensics Research were said to have helped uncover the identities of those responsible. Facebook finally revealed the names of the suspects behind the worm on January 17, 2012. They include Stanislav Avdeyko (leDed), Alexander Koltyshev (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), and Svyatoslav E. Polichuck (PsViat and PsycoMan). They are based in St. Petersburg, Russia. The group is sometimes referred to as Ali Baba & 4, with Stanislav Avdeyko as the leader. The investigation also connected Avdeyko with CoolWebSearch spyware.
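The DNS filter component described above cuts the victim off from security vendors by overriding name resolution. One defender-side check is to audit the local hosts file for entries that pin security-vendor names to any address at all. This is an added example, not code from the article or from any Koobface analysis; the sample hosts content and the vendor watchlist are constructed, and it assumes the override is done through the hosts file rather than some other resolver hook.

```python
import ipaddress

# Constructed sample of a hosts file after a Koobface-style "DNS filter"
# component has been dropped: vendor sites are pinned so the victim cannot
# reach updates or removal tools. The intranet line is a benign control.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# entries below are constructed for this example
127.0.0.1       www.symantec.com
0.0.0.0         update.kaspersky.com
10.0.0.99       www.mcafee.com
192.0.2.10      intranet.example.org
"""

# Assumed watchlist: domains a defender expects never to be overridden
# locally. A real deployment would maintain its own list.
SECURITY_DOMAINS = ("symantec.com", "kaspersky.com", "mcafee.com", "microsoft.com")


def _matches_watchlist(hostname, watchlist):
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_blocked_security_sites(hosts_text, watchlist=SECURITY_DOMAINS):
    """Return (address, hostname, line_no) for every hosts entry that
    resolves a watchlisted security domain locally, whatever the address:
    a legitimate hosts file has no reason to pin these names at all."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, not an address
        for name in parts[1:]:
            if _matches_watchlist(name, watchlist):
                findings.append((str(addr), name, line_no))
    return findings


if __name__ == "__main__":
    for addr, name, line_no in find_blocked_security_sites(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} pinned to {addr}")
```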


Hoax warnings

The Koobface threat is also the subject of many hoax warnings designed to trick social networking users into spreading misinformation across the Internet. Various anti-scam websites such as Snopes.com and ThatsNonsense.com have recorded many instances where alarmist messages designed to fool and panic Facebook users have begun to circulate prolifically, using the widely publicized Koobface threat as bait ("Koobface - What is it Really?", article at ThatsNonsense.com, retrieved on 26 January 2011; "Koobface", article at snopes.com, retrieved on 30 December 2010). Other misconceptions have spread regarding the Koobface threat, including the false assertion that accepting "hackers" as Facebook friends will infect a victim's computer with Koobface, or that Facebook applications are themselves Koobface threats. These claims are untrue. Other rumours assert that Koobface is much more dangerous than other examples of malware and has the ability to delete all of your computer files and "burn your hard disk." However, these rumours are inspired by earlier fake virus warning hoaxes and remain false.


See also

* Trojan horse (computing)
** Trojan.Win32.DNSChanger
* Facebook malware
* Malware analysis


External links

* The Koobface malware gang - exposed! Research by Jan Droemer and Dirk Kollberg.
* The Real Face of KOOBFACE. Analysis by Trend Micro.
* Researchers Take Down Koobface Servers. Slashdot article.