Q&A about the Koobface virus

Naked Security’s Paul Ducklin answers some questions about the Koobface virus to go with the SophosLabs report: The Koobface malware gang – exposed!

Most of the sections also provide links to related articles, podcasts and videos which we think you might find interesting.

* What is Koobface?

Koobface is a computer worm which spreads via social networking sites.

Most social networking spams and scams spread on social networks because users inadvertently recommend them to their friends. Koobface is different. It actively infects your PC and then it deliberately propagates itself via social networking sites.

Koobface knows how to create its own social networking accounts so that it can aggressively post links helping it to spread further.

* How does Koobface get onto my computer?

The most common infection method is through a fake video player.

If you click on one of the links which Koobface has posted on-line, you’ll end up at a web page – typically a fake YouTube or Facebook Video page – pretending to offer you a clip to watch. But first, claims the web page, you need a Flash update.

The video player update is as fake as the web page: it’s actually just an installer for the Koobface virus.

* Does Koobface do anything more than spread?

Yes. Koobface is what’s called a zombie, or bot. Infected computers regularly connect back to so-called C&C (command-and-control) servers in order to upload stolen data or to fetch instructions on what to do next.

A group of PCs infected with a bot is known as a botnet, short for robot network.

* What’s the worst that could happen if I get infected with Koobface?

Koobface, like most zombie networks, includes a general-purpose command so that the botmasters (the cybercrooks operating the botnet) can instruct your PC to download and run any other software of their choice.

In short, once you’re infected, almost anything could happen.

That’s why it’s important to remove malware infections as soon as possible. Otherwise you may become an unwitting participant in whatever the crooks decide to turn their hand to next.

* How do I get rid of Koobface if I’m already infected?

Any decent anti-virus should be able to detect and remove Koobface, along with the hundreds of thousands of other malware samples we come across every day.

But be wary of unsolicited phone calls, or unexpected web popups, offering virus cleanup for a fee paid over the internet.

If you can’t fix the problem yourself, try asking friends and family for a recommendation. Choose a local company who will help you face-to-face (some even do house-calls) if you can.

* What else I should do after disinfecting the Koobface virus?

Koobface, and most other malware, runs in the background on your PC. This means it can monitor everything you do, including stealing usernames and passwords.

After removing any malware, especially zombie malware, it’s a good idea to change passwords on all your on-line accounts. And keep an eye on your bank statements, just in case.

* How can I avoid getting infected in future?

– Keep your patches and your anti-virus up-to-date. This won’t stop 100% of threats, but it will stop most of them, including Koobface.

– Don’t be tempted by links on social networking sites just because they look cool. A little caution goes a long way.

– Never download video player software just because a site offers you an update. Reputable sites will explain what you need so you can seek it yourself, rather than trying to trick you into downloading what they want.

* Why haven’t the cops arrested the alleged Koobface gang members yet?

Unfortunately, investigations into cybercriminality typically take a long time – often, years.

The crooks, the victims and the evidence are typically distributed through many legal jurisdictions. This makes co-ordinating investigations, charges and prosecutions much more complex than handling crimes which happened in one city or country.

For example, an anti-cybercrime operation called Operation Trident Tribunal, announced by the FBI in 2011, took two years. It required the involvement of law enforcement from 12 countries: the USA, Ukraine, Latvia, Germany, Netherlands, Cyprus, France, Sweden, Lithuania, Romania, Canada, and the UK.

* Aren’t social networking sign-up pages protected by CAPTCHAs?

A CAPTCHA is a Completely Automated Procedure for Telling Computers and Humans Apart. When you see one of those web forms with hard-to-read text that you need to type in, that’s a CAPTCHA. Computers aren’t supposed to be able to solve such puzzles.

Koobface “solves” CAPTCHAs, but by cheating. When it needs to solve a CAPTCHA to register a new account, it sends the CAPTCHA image to another PC in the botnet.

The CAPTCHA is presented to the user of the other PC in a bogus security popup. If they respond in time, the answers are sent back and used by Koobface to “prove” it could answer the challenge.

* Didn’t the victims of Koobface bring it on themselves by foolish clicking?

This question really means, “Didn’t the victims make an informed decision of their own to run the Koobface installation program?”

In most cases, “Yes.” And that was a mistake.

But this doesn’t make them any less victims. It’s not a crime to be naive. It is a crime to trick someone into installing malicious software under false pretences.

Don’t turn your back on people who know less about computers and computer security than you do. Most people are desperate to be safer online, but the rapid pace of change makes it hard to keep track of what’s safe and what is not.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s