Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Koobface Kicking off the Festive Season

Created: 30 Nov 2009 23:10:54 GMT • Updated: 23 Jan 2014 18:30:58 GMT
Hon Lau's picture
0 0 Votes
Login to vote

The Koobface gang has been keeping themselves busy of late. Like Santa's little elves, they’re beavering away, creating and checking their fake Facebook and YouTube video sites and packin' it (the worm, that is) twice. The latest campaign involves posting messages on Facebook profiles, which link to either to fake video pages or a fake Facebook page. Either way you will be offered a file named setup.exe, which may be presented as a Flash Player upgrade or some kind of free antivirus to protect you from Koobface.

The lure is put forth in compromised or bogus Facebook postings. The text is largely the same, though the messages appear with duplicate letters in various parts of the posts. For example:

•    I caan't ffall asleepp affter viewwing thiss videeo. I haven'tt seenn aanything liike this
•    I can''t falll aslleep aftter viiewing thhis vvideo. I havven't seeen aanything likee thhis
•    I caan't ffall aslleep aftter vieewing thiss videoo. I haveen't seeen annything llike thiis

The list of permutations is endless—perhaps it’s a way of evading automated detection systems. The message is followed by a link. If the link is clicked, you’ll end up on a fake Facebook page like the one below:

It may also open up a video page such as the Christmas-themed one below, which offers you a new Flash Player to watch the Christmas-themed video:

We are currently detecting the file setup.exe as W32.Koobface.D. This is not the first Christmas-related malware campaign so far this year and it will certainly not be the last.