(888) 509-1491
Risk Level 2: Low
- Discovered:
- August 3, 2008
- Updated:
- April 22, 2010 6:59:12 AM
- Also Known As:
- Net-Worm.Win32.Koobface.b [Kaspersky], W32/Koobface.worm [McAfee], Boface.A [Panda Software], WORM_KOOBFACE.V [Trend], W32/Koobface-AS [Sophos], W32/Koobface-AL [Sophos], W32/Koobface-AD [Sophos], Koobface.GQ [Panda Software], Koobface.FU [Panda Software], W32/Koobface-N [Sophos], WORM_KOOBFACE.JG [Trend], WORM_KOOBFACE.EX [Trend], WORM_KOOBFACE.EY [Trend], WORM_KOOBFACE.BX [Trend], W32/Koobface.CZ [F-Secure], WORM_KOOBFACE.AZ [Trend], Net-Worm:W32/Koobface.ES [F-Secure], Win32/Koobface.AC [Computer Associates], W32/Koobface.CY [F-Secure], W32/Koobface.BM [F-Secure], WORM_KOOBFACE.F [Trend], WORM_KOOBFACE.E [Trend], Kbface [Panda Software], WORM_KOOBFACE.D [Trend], Troj/Mdrop-CMW [Sophos]
- Type:
- Worm
- Infection Length:
- Varies
- Systems Affected:
- Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
W32.Koobface is a worm that spreads through social networking sites. W32.Koobface, an anagram of Facebook, is a worm that spreads primarily through social networking sites (hence the name) and uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements.
Infection
W32.Koobface spreads primarily through social networking sites as links to videos. When a user visits the website that is hosting the video, they are prompted to download a video codec or other necessary update, which is actually a copy of the worm.
The popularity of social networking sites is the key to W32.Koobface's ability to spread. By targeting social networking sites, the worm uses social engineering techniques to spread. Users of social networking sites can often be tricked into thinking that a link that has supposedly been posted by a friend or acquaintance is safe. Users may have difficulty determining if a link was posted by a friend or the worm.
Functionality
W32.Koobface builds a peer-to-peer botnet and it is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements. Compromised computers contact other compromised computers to receive commands in a peer-to-peer fashion.
The worm is able to perform the following functions:
GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.
PREVALANCE
Symantec has observed the following infection levels of this threat worldwide.
SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.
Antivirus signatures
Antivirus (heuristic/generic)
Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.
Intrusion Prevention System
Infection
W32.Koobface spreads primarily through social networking sites as links to videos. When a user visits the website that is hosting the video, they are prompted to download a video codec or other necessary update, which is actually a copy of the worm.
The popularity of social networking sites is the key to W32.Koobface's ability to spread. By targeting social networking sites, the worm uses social engineering techniques to spread. Users of social networking sites can often be tricked into thinking that a link that has supposedly been posted by a friend or acquaintance is safe. Users may have difficulty determining if a link was posted by a friend or the worm.
Functionality
W32.Koobface builds a peer-to-peer botnet and it is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements. Compromised computers contact other compromised computers to receive commands in a peer-to-peer fashion.
The worm is able to perform the following functions:
- Spread through social networks
- Steal confidential information
- Inject advertising into web browsers
- Redirect web browsing to malicious sites
- Intercept Internet traffic
- Block access to certain Internet sites
- Start a web server to serve as a command and control server for other Koobface infections
- Download additional files, such as updates to itself and other pay-per-install software that includes fake security products
- Steal software license keys
- Break CAPTCHAs
- Determine if a link is blocked by Facebook
- Create new Blogspot accounts and pages
- Modify the Hosts file
GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.
PREVALANCE
Symantec has observed the following infection levels of this threat worldwide.
SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.
Antivirus signatures
Antivirus (heuristic/generic)
Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.
Intrusion Prevention System
Antivirus Protection Dates
- Initial Rapid Release version August 3, 2008 revision 017
- Latest Rapid Release version December 18, 2010 revision 024
- Initial Daily Certified version August 3, 2008 revision 020
- Latest Daily Certified version December 19, 2010 revision 003
- Initial Weekly Certified release date August 6, 2008
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild
- Wild Level: Medium
- Number of Infections: 50 - 999
- Number of Sites: 3 - 9
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Easy
Damage
- Damage Level: Medium
- Payload: Various activities including stealing of information and opening a back door.
Distribution
- Distribution Level: Medium
- Target of Infection: Spreads through social networking sites.
Writeup By: Eric Chien and Jarrad Shearer
