Security Bytes

Apr 8 2010   12:18PM GMT

Latest Koobface Facebook campaign attracts users with erotic encounters

Robert Westervelt Robert Westervelt Profile: Robert Westervelt


There are no hidden cameras behind that link, only a malicious website, researchers at ESET say.

Researchers at security vendor ESET LLC have discovered a quickly spreading Koobface Facebook campaign that is tripping up users with the allure of “erotic encounters.”

ESET’s David Harley, research fellow and director of malware intelligence, said Koobface messages are spreading through Facebook messages claiming a link leads to hidden cameras showing erotic encounters. People duped into thinking they’re about to see a sex show get redirected to a malicious website where a pop-up message prompts the user to download a video codec to view the video. The file is a Koobface executable, which infects the victim’s machine and again attempts to use the victim’s contacts to continue spreading, Harley said.

As of this time, the Laboratory in Latin America has found and analyzed over 100 IP addresses where users whose systems are already affected are responsible for the spread of this malware. It is very important to prevent infection, not only because of the risk to your own system but because of the risk to others. Don’t trust any messages of this type that turn up in social network messaging services like Facebook. Be on the lookout for deceptive social engineering and keep your antivirus software properly updated.

Koobface has continued to be a thorn in the side of social networks since it was first detected in 2008. In addition to Facebook, it has spread on MySpace, Twitter and other networks. It’s main way of spreading is via victim friend lists, making it behave as a worm. The number of Koobface attacks changes slightly from quarter to quarter depending on what security vendor analysis report you look at.

In addition to a malicious file that attempts to continue to spread Koobface, other malware is downloaded on the infected machine. The ESET researchers have confirmed up to seven malicious files from rogue security software to password stealing and browser hijacking Trojans. The list is included below:

  • Win32/TrojanProxy.Small.NEB Trojan – A proxy.
  • Win32/PSW.Delf.NSE Trojan – A password stealing trojan
  • Win32/Qhost.NTN Trojan – Hijacks the browser and redirects to web sites of its choosing
  • Win32/Agent.QWU Trojan – An information stealing Trojan. There are lots of these and the detection is pretty generic.
  • A variant of Win32/Koobface.NCI worm – Another koobface. Not sure what makes this one different though. This is a heuristic detection
  • A variant of Win32/Koobface.NCP worm – Another koobface. Not sure what makes this one different though. This is a heuristic detection
  • Win32/Adware.Antivirus2009.AA – rogue AV software

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: