Wednesday, September 23, 2009

Koobface Virus attacking social networks (Facebook included), be aware!

Yesterday I received an inbox message in my Facebook account from one of my contacts. The subject was "Congratulations you are on TV". I knew right away it was a virus that has been circulating the social networks, and Facebook is no exception. For many years, a similar virus has been infecting chat messengers such as Live Messenger, Yahoo, etc. In that case, you receive an offline message with a link from someone in your contact list, urging you to click it.

However, on social networks such as Facebook, MySpace, etc. the virus spreads by sending a malicious inbox / e-mail message with subjects like these:

Great luck! You were caught by a secret camera!
What are you doing on this video?
And what if your spouse see this film?
Very interesting: is it really you on this clip?
You should be ashamed by this behavior.
This video from our weekend.
Congratulations! You are on TV!
New (Celebrity Name) Video Clips!
You were on TV!
Our video from last weekend!
You look awesome in this video!
The exact subject varies; all of them are written to catch your interest.


In the message there is a link to a "video". The link takes you to a site that looks like YouTube or another video site and tells you that you need to install a codec, a player or an update to view the video. Sometimes it just shows another link that says "Click Here / Click Here To View" or "Flash Player upgrade required". When you install that file, you are installing the virus. The virus then hijacks your Facebook account and sends a similar message to everyone in your friends list. A genuine video site never asks you to download and run an executable to play a clip, so a "codec" or "player update" offered by a page you reached from a message is the warning sign, whatever the page looks like; check the address in the browser bar rather than the page's logo.

Last night I noticed that the modus operandi has been upgraded: now it also posts a video link on the wall (profile page) on Facebook. Of course, having it posted on the wall doesn't mean that the account is infected with the virus. The purpose is to tempt curious minds to check and click on the video link. So if a suspicious video link is posted on your wall, please don't click on it; remove it right away, even if it is from someone you know. Confirm with your friends whether they really sent you the video and whether it's safe. There is a possibility that their account might be infected with the virus too.

A sample of a malicious video link posted on the Facebook wall. The source differs each time; the same link was posted on my wall twice with a different source.


So what is the Koobface virus and what does it do?


The Koobface worm was first detected by Kaspersky Lab as Net-Worm.Win32.Koobface.a and Net-Worm.Win32.Koobface.b. It is also known as Boface and under many other aliases. It sends and posts fake comments and messages containing malicious links. After clicking the link, the victim is automatically redirected to a Koobface-controlled server, which then routes them to a fake codec site designed specifically for the social network they came from. After a user visits the malicious site and unknowingly runs the download, the worm searches the machine for cookies created by online social networks. Once Koobface finds the social networking cookies, it makes a DNS query to look up the IP addresses of its remote (command-and-control) domains. That server can then exchange information about the infected machine and run commands on the victim's PC. For example, an infected PC could send an instant message claiming to be from a "friend" saying "check out last night's party video." Intrigued, the victim's friends click on the message to view the clip, and their computers become infected and part of the botnet. The cycle then repeats.

More info on Koobface by Microsoft

Is Koobface a trojan?

Win32/Koobface becomes a further threat when it starts to fabricate fake pop-up advertisements or messages that push the installation of its affiliated programs. For example, Win32/FakeXPA arrives under a fake file name such as "coderupdate.exe", "codecsetup.exe" or whatever, and is actually a backdoor Trojan. So please don't ever download and install codecs from random, unauthorized websites.

Malwarebytes detects Koobface as Trojan.Koobface.

What to do if you are infected? How to remove Koobface from your infected Computer?

1. Reset your password immediately. Do this from a computer you trust, not the infected one, or the worm may simply capture the new password as well.
2. Run a scan on your computer to check whether you are infected with the virus. There are several free online scanners; I recommend Kaspersky Lab's. Once the virus is detected, you can remove it using the Kaspersky Virus Removal Tool. Another good application is Malwarebytes Anti-Malware.
3. Please do not install unknown Koobface removal software from random websites, such as a "Koobface Removal Tool"; it might be associated with the virus itself and carry a trojan that opens a hole in your security.

How to remove the Win32 Koobface manually?

I strongly advise against this unless you have sufficient expertise in dealing with program files, processes, .dll files and registry entries. The manual removal process may be difficult, and you run the risk of damaging your Windows installation.

Step 1 : Use Windows Task Manager to end the W32.Koobface.B process

End the "W32.Koobface.B" process running from:

C:\Windows\fbtre6.exe

Step 2 : Use Registry Editor to remove the W32.Koobface.B registry value

Locate and delete the "W32.Koobface.B" autorun entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "C:\Windows\fbtre6.exe"

Only delete the "systray" value if its data points at fbtre6.exe, and do not delete the Run key itself; other software stores its own startup entries there.

Step 3 : Detect and delete the other W32.Koobface.B files

Delete the "W32.Koobface.B" files (the process from Step 1 must be ended first, or Windows will refuse to delete the executable):

C:\Windows\fmark2.dat
C:\Windows\fbtre6.exe

Again, I remind you not to try this unless you know what you are doing or you might end up damaging your computer.
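As an added example (not from the original post and not a vendor tool), here are the three manual steps above as one PowerShell script for an administrator. It reports the W32.Koobface.B indicators the post lists and removes them only when asked. The file names, the "systray" value name and the Run key path are taken from the steps above; the -Remove switch, the dry-run via -WhatIf, and hashing the dropped files before deletion are my own additions, and the script assumes the same paths a real infection on your machine may not use.

```powershell
# Added example: report (and optionally remove) the W32.Koobface.B
# indicators listed in the manual removal steps above. Run from an
# elevated PowerShell prompt (PowerShell 4 or later for Get-FileHash).
# Assumption: the worm uses exactly the paths and value name quoted in
# the post; a variant with different names will not be found by this.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without -Remove the script only reports findings
)

$systemRoot = $env:SystemRoot              # normally C:\Windows
$exePath    = Join-Path $systemRoot 'fbtre6.exe'
$dataPath   = Join-Path $systemRoot 'fmark2.dat'
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue   = 'systray'                    # name the worm registers under

$findings = @()

# Step 1: a running process launched from the dropped executable.
# It must be stopped first, otherwise the file cannot be deleted in Step 3.
$procs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $exePath) }
foreach ($p in $procs) {
    $findings += "process $($p.Id) running from $($p.Path)"
    if ($Remove -and $PSCmdlet.ShouldProcess($p.Path, 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# Step 2: the autorun value in the HKLM Run key pointing at the worm binary.
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and $runProps.PSObject.Properties[$runValue]) {
    $target = $runProps.$runValue
    $findings += "Run value '$runValue' = '$target'"
    # Only delete the value if it really references the worm; a 'systray'
    # value belonging to some other program must be left alone.
    if ($target -like '*fbtre6.exe*') {
        if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$runValue", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $runKey -Name $runValue
        }
    } else {
        $findings += "  (value does not reference fbtre6.exe; left in place)"
    }
}

# Step 3: the dropped files. Record a SHA-256 before deleting so the
# sample can still be identified or submitted to a scanner later.
foreach ($f in @($exePath, $dataPath)) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += "file $f sha256=$hash"
        if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Koobface.B indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
    if (-not $Remove) {
        Write-Output 'Re-run with -Remove to clean, or -Remove -WhatIf to preview.'
    }
}
```

Save it as, say, koobface-check.ps1 and run it once without arguments to see what it finds, then with -Remove -WhatIf to preview each action, and only then with -Remove. Afterwards reboot and run the full scanner from the previous section: a clean report from this script only means these particular indicators are absent, not that the machine is clean.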

Sources and Other Related Articles:
1. New Koobface Virus Messages Malware to Friends
2. Koobface Remains Active in Facebook
3. Koobface Facebook and MySpace Worm Infects Users with Trojan Disguised as codecsetup.exe
4. ThreatExpert's Statistics for Worm.32.Koobface [Ikarus]

Sunday, September 20, 2009

Selamat Hari Raya Aidilfitri


Kee Heritage would like to take this opportunity to wish you Selamat Hari Raya Aidilfitri, and to apologise for any mistakes and harsh language in the writing on this blog.