Q&A about the Koobface virus

Naked Security’s Paul Ducklin answers some questions about the Koobface virus to go with the SophosLabs report: The Koobface malware gang – exposed!

Most of the sections also provide links to related articles, podcasts and videos which we think you might find interesting.

* What is Koobface?

Koobface is a computer worm which spreads via social networking sites.

Most social networking spams and scams spread on social networks because users inadvertently recommend them to their friends. Koobface is different. It actively infects your PC and then it deliberately propagates itself via social networking sites.

Koobface knows how to create its own social networking accounts so that it can aggressively post links helping it to spread further.

* How does Koobface get onto my computer?

The most common infection method is through a fake video player.

If you click on one of the links which Koobface has posted on-line, you’ll end up at a web page – typically a fake YouTube or Facebook Video page – pretending to offer you a clip to watch. But first, claims the web page, you need a Flash update.

The video player update is as fake as the web page: it’s actually just an installer for the Koobface virus.

* Does Koobface do anything more than spread?

Yes. Koobface is what’s called a zombie, or bot. Infected computers regularly connect back to so-called C&C (command-and-control) servers in order to upload stolen data or to fetch instructions on what to do next.

A group of PCs infected with a bot is known as a botnet, short for robot network.
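The “regularly connect back” behaviour described above is something defenders can look for in web-proxy logs. As an added example (not code from the article or from SophosLabs), the Python below flags client/destination pairs whose request gaps are suspiciously regular; the log format, hostnames and thresholds are constructed assumptions.

```python
"""Periodic-beacon detector run over constructed proxy log lines.

Added example, not code from the Naked Security article or SophosLabs.
Log format (constructed): "<epoch> <client_ip> <dest_host> <status>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts one host every ~300 s with little
# jitter (timer-driven check-in); 10.0.0.7 browses a site irregularly.
SAMPLE_LOG = """\
1000 10.0.0.5 cc.example.invalid 200
1302 10.0.0.5 cc.example.invalid 200
1598 10.0.0.5 cc.example.invalid 200
1903 10.0.0.5 cc.example.invalid 200
2200 10.0.0.5 cc.example.invalid 200
1000 10.0.0.7 news.example.invalid 200
1045 10.0.0.7 news.example.invalid 200
1900 10.0.0.7 news.example.invalid 200
1920 10.0.0.7 news.example.invalid 200
3500 10.0.0.7 news.example.invalid 200
"""

def parse_log(text):
    """Group request timestamps by (client, destination) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _status = line.split()
        series[(client, dest)].append(int(ts))
    return series

def find_beacons(series, min_hits=4, max_cv=0.1):
    """Return (client, dest, period_s) for pairs with regular contact gaps.

    cv = stddev / mean of the inter-request gaps. Human browsing has a high
    cv; a timer-driven bot check-in has a low one. Thresholds are assumed.
    """
    hits = []
    for (client, dest), stamps in series.items():
        stamps = sorted(stamps)
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((client, dest, round(avg)))
    return hits
```

Real bots add jitter and use many destinations, so treat a low-cv pair as a lead to investigate rather than proof of infection.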

* What’s the worst that could happen if I get infected with Koobface?

Koobface, like most zombie networks, includes a general-purpose command so that the botmasters (the cybercrooks operating the botnet) can instruct your PC to download and run any other software of their choice.

In short, once you’re infected, almost anything could happen.

That’s why it’s important to remove malware infections as soon as possible. Otherwise you may become an unwitting participant in whatever the crooks decide to turn their hand to next.

* How do I get rid of Koobface if I’m already infected?

Any decent anti-virus should be able to detect and remove Koobface, along with the hundreds of thousands of other malware samples we come across every day.

But be wary of unsolicited phone calls, or unexpected web popups, offering virus cleanup for a fee paid over the internet.

If you can’t fix the problem yourself, try asking friends and family for a recommendation. Choose a local company that will help you face-to-face (some even do house calls) if you can.

* What else should I do after disinfecting the Koobface virus?

Koobface, and most other malware, runs in the background on your PC. This means it can monitor everything you do, including stealing usernames and passwords.

After removing any malware, especially zombie malware, it’s a good idea to change passwords on all your on-line accounts. And keep an eye on your bank statements, just in case.

* How can I avoid getting infected in future?

– Keep your patches and your anti-virus up-to-date. This won’t stop 100% of threats, but it will stop most of them, including Koobface.

– Don’t be tempted by links on social networking sites just because they look cool. A little caution goes a long way.

– Never download video player software just because a site offers you an update. Reputable sites will explain what you need so you can seek it yourself, rather than trying to trick you into downloading what they want.

* Why haven’t the cops arrested the alleged Koobface gang members yet?

Unfortunately, investigations into cybercriminality typically take a long time – often, years.

The crooks, the victims and the evidence are typically distributed through many legal jurisdictions. This makes co-ordinating investigations, charges and prosecutions much more complex than handling crimes which happened in one city or country.

For example, an anti-cybercrime operation called Operation Trident Tribunal, announced by the FBI in 2011, took two years. It required the involvement of law enforcement from 12 countries: the USA, Ukraine, Latvia, Germany, Netherlands, Cyprus, France, Sweden, Lithuania, Romania, Canada, and the UK.

* Aren’t social networking sign-up pages protected by CAPTCHAs?

A CAPTCHA is a Completely Automated Procedure for Telling Computers and Humans Apart. When you see one of those web forms with hard-to-read text that you need to type in, that’s a CAPTCHA. Computers aren’t supposed to be able to solve such puzzles.

Koobface “solves” CAPTCHAs, but by cheating. When it needs to solve a CAPTCHA to register a new account, it sends the CAPTCHA image to another PC in the botnet.

The CAPTCHA is presented to the user of the other PC in a bogus security popup. If they respond in time, the answers are sent back and used by Koobface to “prove” it could answer the challenge.

* Didn’t the victims of Koobface bring it on themselves by foolish clicking?

This question really means, “Didn’t the victims make an informed decision of their own to run the Koobface installation program?”

In most cases, “Yes.” And that was a mistake.

But this doesn’t make them any less victims. It’s not a crime to be naive. It is a crime to trick someone into installing malicious software under false pretences.

Don’t turn your back on people who know less about computers and computer security than you do. Most people are desperate to be safer online, but the rapid pace of change makes it hard to keep track of what’s safe and what is not.

22 comments on “Q&A about the Koobface virus”

  1. Seems that the entire world is a Pandora’s Box full of cybercrime. In the late 60s, my college computer lab took up an entire block on campus, and Fortran IV was what we learned, using IBM cards. Wow. Killing ourselves.

    • It also disabled my antivirus. Then, when I tried to do a restore from a point a month before the incident, Koobface shut down my entire computer and would not even allow me to get to the CPU logon page. I had to reformat my CPU THREE times to rid it of this virus, as it’s (apparently) a browser virus, and when you log on to your browser, it re-loads your preferences, and it’s baaaack! (This was even though I had gone into my browser and cleared history/cache and cookies before trying to do a ‘restore point.’) Apparently it infects all your devices that are synced… or so the HP tech told me. So, remove the browsers from all your synced devices, run the antivirus to remove it, and re-build. I lost all my files, photos, history of all things cyber. And DON’T, after it locks you out of FB and says it has to see some government ID before restoring your account, DON’T scan and send them your ID! NO! FB says they will NEVER ask you for that info. Apparently, Koobface is a ‘skin’ they put atop your FB account, pretending to be FB, and locks you out of your account… The only thing you can do is to build a new account. Seriously. Unless you can track them and turn them in to the FBI or some such; I don’t know how. Be AWARE that FB does not have ANY phone tech support; when you google a phone number for help, you find numbers of the creators of the virus. I should know. I did that. Stupid. They tried to extort hundreds of dollars from me. I got angry and hung up. But not till after I gave out personal info, because I am stupid, and because I seriously cannot comprehend anyone being that evil, to do that to another human being.

  2. My computer is infected. I am running Windows 10. All of a sudden I got this pop-up screen last night to call a number; it was in Iran. It said that I needed to pay $300. I cannot even get past the “passcode” screen to try and get into safe mode; can’t do it with F8 or the “Windows” key. Help

    • Same thing happened to me tonight. The guy I spoke to said that if I didn’t pay the $319 then my computer would be useless. I removed the battery from my laptop and turned it back on, and the passcode thing was gone. I have reset my computer and am still waiting for it to finish to see if it works.

  3. I got the same pop-up about my computer being infected, and I called the number, and they also claimed to be a part of Microsoft. Now my computer is infected with Koobface and other various viruses and worms; however, I had a scheduled boot-time scan that caught it right away. However, half my hard drive is locked out. What should I do?

  4. I, too, was scammed by GeekBase. Koobface was also involved. Not so sure these scammers aren’t the hackers! Who can I trust to help clean up this mess? Looked up Geek Squad and found many negative comments. Maybe I should give up the computers; can’t get infected if we don’t have one.

  5. After losing my FB account I went looking online for help; this is how I even found out about Koobface?? Yes, it cost me 199.00. I was told Koobface steals your IP address. I went with US iguruz; so far my FB account is back. I don’t know if I got taken to the cleaners or not.

    • This happened to me, and I am waiting to hear back from Facebook to see if I am able to get back on my FB.

      • Happened to me. I was locked out of my computer, couldn’t even get on the computer to log in on anything, so I rebooted back to the factory settings; now it is doing fine.

  6. I believe I’m a victim of this scam too. A message appeared on the screen about my current search engine being unsafe and asked if it could be changed to Bing. I clicked the X and moved forward. I went to search for training information at work. After I got into one website, I got a blue screen. I was not allowed to get off that page (blue screen) and was instructed to call a phone number. I called the number and it was for Citrix GoTo. They remoted in to fix the problem, showed me the computer was infected, then explained I would be connected to a technician to purchase virus protection software for $150.
    During my call, I became concerned because I was asked several times about my banking or game activities. This became a red flag for me and I ended the connection into my system.

    • That doesn’t sound like a virus. It sounds like a variant of this:
      https://nakedsecurity.sophos.com/2014/11/20/ftc-smackdown-more-fake-support-scammers-taken-out/

  7. I didn’t click anything like that but got Koobface, and is it real if Microsoft tells you that there’s a virus?

  8. I would like to know: can Koobface get into your email account (Yahoo) and hijack the folders that were created within the Yahoo account? If so, what can I do to get them back?

  9. I got suckered for $150 by some outsourced tech company that popped up on a blue screen that said they were part of Microsoft about 3 weeks ago. Same thing happened again yesterday. I feel stupid for falling for it the first time, since I know nothing about computers or tech support. Then they got mad at me when I told them I thought I was being scammed the second time. The guy had a thick Indian accent and said his name was Sam Johnson from Texas… really!?

  10. After not being able to access Yahoo or my email, I called Yahoo. They told me about Koobface and charged me $199 to do a virus/malware deletion. It seemed to be legit, and so far so good.

    • Did it work, Doug? I called Yahoo and they told me to do the same thing, but I wasn’t too sure if I should do it or not.

  11. Can Koobface infect your phone or Xbox? I am a victim of this scam too and he was asking about both.

  12. I couldn’t access my Norton account on my tablet. So I rang Norton, at least I thought I did. The girl took control of my tablet and found “Koobface”, but to fix it she said she needed to bring in 5 technicians and needed to charge me 199.00 for 2 yrs or $399 for 5 yrs. I wanted to know what other computers I had attached to Norton and she asked me to put in my password. I told her she had to have access to my accounts if she was from Norton. But I think she found the answer using my computer, which she had access to. In the end I stopped the call by saying I needed to speak to my son first. She was desperate to sell me the intervention, saying it was my IP address that was compromised, not my tablet or computer, and that all my identity would be in danger. She said she would ring me back in 5 minutes… As soon as I said no, she hung up. No goodbye, nothing. Strange.

  13. I have received the same warning from a so-called Apple security. After calling them I was suspicious because it seemed like this so-called Apple “security expert” said that I need to have my IP address wrapped with 7 layers of security.??? My first instinct was that this so-called Mac security expert was somehow receiving a “kickback” from the people he was recommending to solve my problem. What’s up? Is this threat real?
