Q&A about the Koobface virus

Naked Security’s Paul Ducklin answers some questions about the Koobface virus to go with the SophosLabs report: The Koobface malware gang – exposed!

Most of the sections also provide links to related articles, podcasts and videos which we think you might find interesting.

* What is Koobface?

Koobface is a computer worm which spreads via social networking sites.

Most social networking spams and scams spread on social networks because users inadvertently recommend them to their friends. Koobface is different. It actively infects your PC and then it deliberately propagates itself via social networking sites.

Koobface knows how to create its own social networking accounts so that it can aggressively post links helping it to spread further.

* How does Koobface get onto my computer?

The most common infection method is through a fake video player.

If you click on one of the links which Koobface has posted on-line, you’ll end up at a web page – typically a fake YouTube or Facebook Video page – pretending to offer you a clip to watch. But first, claims the web page, you need a Flash update.

The video player update is as fake as the web page: it’s actually just an installer for the Koobface virus.

* Does Koobface do anything more than spread?

Yes. Koobface is what’s called a zombie, or bot. Infected computers regularly connect back to so-called C&C (command-and-control) servers in order to upload stolen data or to fetch instructions on what to do next.

A group of PCs infected with a bot is known as a botnet, short for robot network.
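The regular call-home behaviour described above is also what gives a bot away on the network. The following is an added example (not code from the article or from SophosLabs) that scans outbound proxy records for a client that contacts the same destination at near-constant intervals, the signature of a bot polling its C&C server. The log format and every address in it are constructed for the example.

```python
"""Flag (client, destination) pairs whose connections recur at near-regular
intervals, the pattern a bot produces when it polls its command-and-control server.

Constructed log format (hypothetical): "<ISO timestamp> <client_ip> <dest_host> <bytes>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.7 contacts c2.example.invalid every ~10 minutes,
# while its ordinary browsing and the traffic from 10.0.0.9 are irregular.
SAMPLE_LOG = """\
2012-01-17T09:00:02 10.0.0.7 c2.example.invalid 412
2012-01-17T09:00:05 10.0.0.7 www.example.org 1832
2012-01-17T09:10:01 10.0.0.7 c2.example.invalid 408
2012-01-17T09:12:44 10.0.0.7 www.example.org 9020
2012-01-17T09:20:03 10.0.0.7 c2.example.invalid 415
2012-01-17T09:30:00 10.0.0.7 c2.example.invalid 410
2012-01-17T09:40:02 10.0.0.7 c2.example.invalid 411
2012-01-17T09:03:10 10.0.0.9 www.example.org 5540
2012-01-17T09:31:55 10.0.0.9 www.example.org 702
2012-01-17T09:45:12 10.0.0.9 www.example.org 3301
"""


def parse_log(text):
    """Parse the constructed log lines into (timestamp, client, destination, size) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, size = line.split()
        records.append((datetime.fromisoformat(ts), client, dest, int(size)))
    return records


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Return {(client, dest): stats} for pairs that look like periodic beaconing.

    A pair qualifies when it has at least `min_hits` connections and the gaps
    between consecutive connections have a coefficient of variation
    (std dev / mean) no greater than `max_cv`, i.e. the timing is nearly constant.
    """
    times_by_pair = defaultdict(list)
    for ts, client, dest, _size in records:
        times_by_pair[(client, dest)].append(ts)

    beacons = {}
    for pair, times in times_by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            beacons[pair] = {"hits": len(times), "interval": avg_gap, "cv": cv}
    return beacons


if __name__ == "__main__":
    for (client, dest), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {dest}: {stats['hits']} hits every "
              f"{stats['interval']:.0f}s (cv={stats['cv']:.3f})")
```

On the sample above only the 10.0.0.7 to c2.example.invalid pair is reported (five hits, a 600-second mean interval). Two caveats for real use: legitimate software (mail clients, update checkers) polls on fixed schedules too, so results need an allowlist of known destinations; and some bots add random jitter to their sleep time, which raises the coefficient of variation and calls for a looser `max_cv` or a different statistic.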

* What’s the worst that could happen if I get infected with Koobface?

Koobface, like most zombie networks, includes a general-purpose command so that the botmasters (the cybercrooks operating the botnet) can instruct your PC to download and run any other software of their choice.

In short, once you’re infected, almost anything could happen.

That’s why it’s important to remove malware infections as soon as possible. Otherwise you may become an unwitting participant in whatever the crooks decide to turn their hand to next.

* How do I get rid of Koobface if I’m already infected?

Any decent anti-virus should be able to detect and remove Koobface, along with the hundreds of thousands of other malware samples we come across every day.

But be wary of unsolicited phone calls, or unexpected web popups, offering virus cleanup for a fee paid over the internet.

If you can’t fix the problem yourself, try asking friends and family for a recommendation. If you can, choose a local company that will help you face-to-face (some even do house calls).

* What else should I do after disinfecting the Koobface virus?

Koobface, and most other malware, runs in the background on your PC. This means it can monitor everything you do, including stealing usernames and passwords.

After removing any malware, especially zombie malware, it’s a good idea to change passwords on all your on-line accounts. And keep an eye on your bank statements, just in case.

* How can I avoid getting infected in future?

– Keep your patches and your anti-virus up-to-date. This won’t stop 100% of threats, but it will stop most of them, including Koobface.

– Don’t be tempted by links on social networking sites just because they look cool. A little caution goes a long way.

– Never download video player software just because a site offers you an update. Reputable sites will explain what you need so you can seek it yourself, rather than trying to trick you into downloading what they want.

* Why haven’t the cops arrested the alleged Koobface gang members yet?

Unfortunately, investigations into cybercrime typically take a long time – often years.

The crooks, the victims and the evidence are typically distributed through many legal jurisdictions. This makes co-ordinating investigations, charges and prosecutions much more complex than handling crimes which happened in one city or country.

For example, an anti-cybercrime operation called Operation Trident Tribunal, announced by the FBI in 2011, took two years. It required the involvement of law enforcement from 12 countries: the USA, Ukraine, Latvia, Germany, Netherlands, Cyprus, France, Sweden, Lithuania, Romania, Canada, and the UK.

* Aren’t social networking sign-up pages protected by CAPTCHAs?

A CAPTCHA is a Completely Automated Procedure for Telling Computers and Humans Apart. When you see one of those web forms with hard-to-read text that you need to type in, that’s a CAPTCHA. Computers aren’t supposed to be able to solve such puzzles.

Koobface “solves” CAPTCHAs, but by cheating. When it needs to solve a CAPTCHA to register a new account, it sends the CAPTCHA image to another PC in the botnet.

The CAPTCHA is presented to the user of the other PC in a bogus security popup. If they respond in time, the answers are sent back and used by Koobface to “prove” it could answer the challenge.

* Didn’t the victims of Koobface bring it on themselves by foolish clicking?

This question really means, “Didn’t the victims make an informed decision of their own to run the Koobface installation program?”

In most cases, “Yes.” And that was a mistake.

But this doesn’t make them any less victims. It’s not a crime to be naive. It is a crime to trick someone into installing malicious software under false pretences.

Don’t turn your back on people who know less about computers and computer security than you do. Most people are desperate to be safer online, but the rapid pace of change makes it hard to keep track of what’s safe and what is not.

7 comments on “Q&A about the Koobface virus”

  1. Seems that the entire world is a Pandora’s Box full of cybercrime. In the late 60’s, my college computer lab took up an entire block on campus, and Fortran IV was what we learned, using IBM cards. Wow. Killing ourselves.

  2. My computer is infected. I am running Windows 10. All of a sudden I got this pop-up screen last night to call a number, which was in Iran. It said that I needed to pay $300. I cannot even get past the “passcode” screen to try and get into safe mode – can’t do it with F8 or the “Windows” key. Help

    • Same thing happened to me tonight. The guy I spoke to said that if I didn’t pay the $319 then my computer would be useless. I removed the battery from my laptop and turned it back on, and the passcode thing was gone. I have reset my computer and am still waiting for it to finish to see if it works.

  3. I got the same pop-up about my computer being infected, and I called the number, and they also claimed to be a part of Microsoft. Now my computer is infected with Koobface and various other viruses and worms. I had a scheduled boot-time scan that caught it right away; however, half my hard drive is locked out. What should I do?

  4. I, too, was scammed by GeekBase. Koobface was also involved. Not so sure these scammers aren’t the hackers! Who can I trust to help clean up this mess? Looked up Geek Squad and found many negative comments. Maybe I should give up the computers–can’t get infected if we don’t have one.
