W32.Koobface

W32.Koobface is a worm that spreads through social networking sites. W32.Koobface, an anagram of Facebook, is a worm that spreads primarily through social networking sites (hence the name) and uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements.

Infection
W32.Koobface spreads primarily through social networking sites as links to videos. When a user visits the website that is hosting the video, they are prompted to download a video codec or other necessary update, which is actually a copy of the worm.

The popularity of social networking sites is the key to W32.Koobface's ability to spread. By targeting social networking sites, the worm uses social engineering techniques to spread. Users of social networking sites can often be tricked into thinking that a link that has supposedly been posted by a friend or acquaintance is safe. Users may have difficulty determining if a link was posted by a friend or the worm.


Functionality
W32.Koobface builds a peer-to-peer botnet and it is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements. Compromised computers contact other compromised computers to receive commands in a peer-to-peer fashion.

The worm is able to perform the following functions:

• Spread through social networks
• Steal confidential information
• Inject advertising into web browsers
• Redirect web browsing to malicious sites
• Intercept Internet traffic
• Block access to certain Internet sites
• Start a web server to serve as a command and control server for other Koobface infections
• Download additional files, such as updates to itself and other pay-per-install software that includes fake security products
• Steal software license keys
• Break CAPTCHAs
• Determine if a link is blocked by Facebook
• Create new Blogspot accounts and pages
• Modify the Hosts file

GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.





PREVALANCE
Symantec has observed the following infection levels of this threat worldwide.





SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures

• W32.Koobface.B
• W32.Koobface.C
• W32.Koobface.D

Antivirus (heuristic/generic)

• Packed.Generic.257
• Packed.Generic.287
• Packed.Generic.296
• Packed.Generic.306
• Packed.Generic.309
  
• W32.Koobface!gen
• W32.Koobface!gen1
• W32.Koobface!gen2
• W32.Koobface!gen3
• W32.Koobface!gen4
  

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.


Intrusion Prevention System

• HTTP W32 Koobface File Download
• HTTP W32 Koobface Activity
• HTTP Koobface C&C Server Domains Request
• HTTP Koobface C&C Communication (Generic)
• HTTP Koobface C&C Update Communication