Koobface
Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as Gmail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace and Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer, using fake popups and built-in Windows programs.


Infection

Koobface ultimately attempts, upon successful infection, to gather login information for FTP sites, Facebook, Skype, and other social media platforms, and any sensitive financial data as well (Koobface: Inside a Crimeware Network). It then uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer and to hijack search queries to display advertisements. Its peer-to-peer topology is also used to show fake messages to other users for the purpose of expanding the botnet.

It was first detected in December 2008 and a more potent version appeared in March 2009. A study by the Information Warfare Monitor, a joint collaboration of the SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University of Toronto, revealed that the operators of this scheme generated over $2 million in revenue from June 2009 to June 2010.

Koobface originally spread by delivering Facebook messages to people who are "friends" of a Facebook user whose computer had already been infected. Upon receipt, the message directs the recipients to a third-party website (or another Koobface-infected PC), where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface can infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. There can also be links to the third-party website on the Facebook wall of the friend the message came from, sometimes with comments like "LOL" or "YOUTUBE". If the link is opened, the trojan will infect the computer and the PC will become a zombie or host computer. Among the components downloaded by Koobface are a DNS filter program that blocks access to well-known security websites and a proxy tool that enables the attackers to abuse the infected PC. At one time the Koobface gang also used Limbo, a password-stealing program.

Several variants of the worm have been identified:

* Worm:Win32/Koobface.gen!F
* Net-Worm.Win32.Koobface.a, which attacks MySpace
* Net-Worm.Win32.Koobface.b, which attacks Facebook
* WORM_KOOBFACE.DC, which attacks Twitter
* W32/Koobfa-Gen, which attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo
* a Mac version which spreads via social networks such as Facebook, MySpace and Twitter

In January 2012, the New York Times reported that Facebook was planning to share information about the Koobface gang and name those it believed were responsible. Investigations by German researcher Jan Droemer and the University of Alabama at Birmingham's Center for Information Assurance and Joint Forensics Research were said to have helped uncover the identities of those responsible. Facebook finally revealed the names of the suspects behind the worm on January 17, 2012. They include Stanislav Avdeyko (leDed), Alexander Koltyshev (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), and Svyatoslav E. Polichuck (PsViat and PsycoMan). They are based in St. Petersburg, Russia. The group is sometimes referred to as Ali Baba & 4, with Stanislav Avdeyko as the leader. The investigation also connected Avdeyko with CoolWebSearch spyware.
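As an added defender-side example (not Koobface's own code and not from the research cited on this page), the following check looks for the symptom this section attributes to the worm's DNS filter component: well-known security vendor sites resolving, or being pinned in the local hosts file, to a loopback, unspecified or otherwise unroutable address. The vendor hostnames, the hosts-file text and the resolver answers are all constructed assumptions, not values from the page.

```python
import ipaddress

# Constructed watch-list of well-known security vendor hostnames; any list a
# defender cares about can be substituted (an assumption, not from the page).
SECURITY_SITES = [
    "www.symantec.com", "www.mcafee.com", "www.kaspersky.com",
    "www.trendmicro.com", "www.sophos.com",
]


def is_blackholed(ip_text):
    """True if the answer cannot be a reachable public web host."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # an unparsable answer is itself a sign of tampering
    return ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_reserved


def parse_hosts(hosts_text):
    """Map hostname -> address for every non-comment entry of a hosts file."""
    pinned = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            pinned[name.lower()] = addr
    return pinned


def find_filtered_sites(resolutions, hosts_text=""):
    """Return {hostname: address} for watched sites whose answer is blackholed.

    resolutions: hostname -> address as observed from the resolver (a live
    check would fill this with socket.gethostbyname per site).
    hosts_text: contents of the local hosts file; its pins override DNS.
    """
    pinned = parse_hosts(hosts_text)
    flagged = {}
    for site in SECURITY_SITES:
        addr = pinned.get(site, resolutions.get(site))
        if addr is not None and is_blackholed(addr):
            flagged[site] = addr
    return flagged
```

A site that resolves to a public address and is not pinned in the hosts file is left out of the result; anything else on the watch-list is reported with the address it was steered to.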


Hoax warnings

The Koobface threat is also the subject of many hoax warnings designed to trick social networking users into spreading misinformation across the Internet. Various anti-scam websites such as Snopes.com and ThatsNonsense.com have recorded many instances where alarmist messages designed to fool and panic Facebook users have begun to circulate prolifically using the widely publicized Koobface threat as bait ("Koobface - What is it Really?", article at ThatsNonsense.com, retrieved 26 January 2011; "Koobface", article at snopes.com, retrieved 30 December 2010).

Other misconceptions have spread regarding the Koobface threat, including the false assertion that accepting "hackers" as Facebook friends will infect a victim's computer with Koobface, or that Facebook applications are themselves Koobface threats. These claims are untrue. Other rumours assert that Koobface is much more dangerous than other examples of malware and has the ability to delete all of your computer files and "burn your hard disk." However, these rumours are inspired by earlier fake virus warning hoaxes and remain false.


See also

* Trojan horse (computing)
** Trojan.Win32.DNSChanger
* Facebook malware
* Malware analysis


External links


* The Koobface malware gang - exposed!, research by Jan Droemer and Dirk Kollberg.
* The Real Face of KOOBFACE, analysis by Trend Micro.
* Researchers Take Down Koobface Servers, Slashdot article.