Koobface

from Wikipedia, the free encyclopedia

Koobface is a computer worm that attacks Windows, macOS and Linux systems. It targets credentials for social media websites such as Facebook, Skype, Yahoo Messenger and Twitter, as well as e-mail websites such as Gmail, Yahoo Mail and AOL Mail.

Infection

After a successful infection, Koobface aims to collect login data for FTP sites, Facebook, Skype and other social media websites, and to obtain confidential financial data. Compromised computers are then joined into a peer-to-peer botnet. In this peer-to-peer structure, commands are passed on to or received from other infected computers. The botnet is used to install additional malware and to redirect search queries to advertisements. It is also used to send fake messages to the social media friends of infected users in order to spread the worm further. Koobface was first discovered in December 2008; a more effective version appeared in March 2009. A study by Information Warfare Monitor, a joint project of the SecDev Group and the Citizen Lab at the Munk School of Global Affairs at the University of Toronto, found that the botnet operator had revenue of $2 million from June 2009 to June 2010.

Koobface originally spread by sending Facebook messages to “friends” of the user whose computer was already infected. The message redirected the recipient to a third-party site (or to another computer already infected by Koobface), where the user was prompted to download an update for Adobe Flash Player. When the downloaded file is executed, the computer becomes infected with the Koobface worm. The worm can then redirect the computer's search engine queries to websites infected with other malware. Links to third-party websites can also be posted on a friend's Facebook wall, accompanied by comments such as “LOL” or “Youtube”. If the link is opened, the Trojan infects the computer and the PC becomes a zombie or a host computer.

One of the components downloaded by Koobface is a DNS filter program that blocks access to the websites of well-known security vendors. Koobface also installs a proxy program that enables the attacker to abuse the infected PC.
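A defensive check for the DNS filtering described above, as an added example that is not part of the original article: it compares how security-vendor hostnames and unrelated control hostnames resolve through the operating system's resolver, and flags the host when only the security names fail or point to loopback. It assumes the filter shows up as failed or loopback answers; the hostnames and sample answers are constructed placeholders.

```python
import ipaddress
import socket

def system_resolve(host):
    """Resolve through the OS resolver so any local DNS filtering is included."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def is_sinkholed(addrs):
    """No answer, or only loopback/unspecified answers, counts as blocked."""
    if not addrs:
        return True
    parsed = [ipaddress.ip_address(a.split("%")[0]) for a in addrs]
    return all(ip.is_loopback or ip.is_unspecified for ip in parsed)

def check_selective_blocking(security_hosts, control_hosts, resolve=system_resolve):
    """Return a verdict plus the security hostnames that did not resolve."""
    blocked = [h for h in security_hosts if is_sinkholed(resolve(h))]
    control_ok = [h for h in control_hosts if not is_sinkholed(resolve(h))]
    if not control_ok:
        verdict = "inconclusive"  # resolution fails in general: outage, not filtering
    elif blocked:
        verdict = "suspicious"    # only security-related names are blocked
    else:
        verdict = "clean"
    return {"verdict": verdict, "blocked": blocked}

# Constructed sample answers standing in for a filtered machine (not real data).
SAMPLE_ANSWERS = {
    "update.av-vendor.example": ["127.0.0.1"],
    "www.scanner-vendor.example": [],
    "www.news-site.example": ["203.0.113.10"],
    "www.search-site.example": ["198.51.100.7"],
}
SECURITY_HOSTS = ["update.av-vendor.example", "www.scanner-vendor.example"]
CONTROL_HOSTS = ["www.news-site.example", "www.search-site.example"]

def sample_resolve(host):
    """Offline resolver backed by the constructed answers above."""
    return SAMPLE_ANSWERS.get(host, [])

if __name__ == "__main__":
    print(check_selective_blocking(SECURITY_HOSTS, CONTROL_HOSTS, resolve=sample_resolve))
```

On a real machine, call check_selective_blocking with the update and support hostnames of the security products actually in use and leave resolve at its default.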

Several variants of the Koobface worm have been identified:

  • Worm:Win32/Koobface.gen!F
  • Net-Worm.Win32.Koobface.a, attacks Myspace
  • Net-Worm.Win32.Koobface.b, attacks Facebook
  • WORM_KOOBFACE.DC, attacks Twitter
  • W32/Koobfa-Gen, attacks Facebook, Myspace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar
  • W32.Koobface.D
  • OSX/Koobface.A, a macOS version that is distributed via social networks such as Facebook, MySpace and Twitter.

The New York Times reported in January 2012 that Facebook planned to release information about the Koobface gang, including the names of those Facebook believes to be responsible. Research by German IT manager Jan Droemer and the University of Alabama at Birmingham's Center for Information Assurance and Joint Forensics Research was of great help in uncovering the people behind the Koobface worm. The following five suspects are named in the Facebook publication of January 17: Stanislav Avdeyko (leDed), Alexander Koltyshev (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc) and Svyatoslav E. Polichuck (PsViat and PsycoMan). The group is based in Saint Petersburg, Russia, and is sometimes called Ali Baba & 4, with Stanislav Avdeyko as its leader. The investigation was also able to link Avdeyko to the CoolWebSearch spyware.
