1. /
  2. Security Response/
  3. W32.Koobface

W32.Koobface

Risk Level 2: Low

Discovered:
August 3, 2008
Updated:
August 8, 2012 2:44:59 PM
Also Known As:
Net-Worm.Win32.Koobface.b [Kaspersky], W32/Koobface.worm [McAfee], Boface.A [Panda Software], WORM_KOOBFACE.V [Trend], W32/Koobface-AS [Sophos], W32/Koobface-AL [Sophos], W32/Koobface-AD [Sophos], Koobface.GQ [Panda Software], Koobface.FU [Panda Software], W32/Koobface-N [Sophos], WORM_KOOBFACE.JG [Trend], WORM_KOOBFACE.EX [Trend], WORM_KOOBFACE.EY [Trend], WORM_KOOBFACE.BX [Trend], W32/Koobface.CZ [F-Secure], WORM_KOOBFACE.AZ [Trend], Net-Worm:W32/Koobface.ES [F-Secure], Win32/Koobface.AC [Computer Associates], W32/Koobface.CY [F-Secure], W32/Koobface.BM [F-Secure], WORM_KOOBFACE.F [Trend], WORM_KOOBFACE.E [Trend], Kbface [Panda Software], WORM_KOOBFACE.D [Trend], Troj/Mdrop-CMW [Sophos]
Type:
Worm
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
W32.Koobface is a worm that spreads through social networking sites. W32.Koobface, an anagram of Facebook, is a worm that spreads primarily through social networking sites (hence the name) and uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements.

Infection
W32.Koobface spreads primarily through social networking sites as links to videos. When a user visits the website that is hosting the video, they are prompted to download a video codec or other necessary update, which is actually a copy of the worm.

The popularity of social networking sites is the key to W32.Koobface's ability to spread. By targeting social networking sites, the worm uses social engineering techniques to spread. Users of social networking sites can often be tricked into thinking that a link that has supposedly been posted by a friend or acquaintance is safe. Users may have difficulty determining if a link was posted by a friend or the worm.


Functionality
W32.Koobface builds a peer-to-peer botnet and it is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements. Compromised computers contact other compromised computers to receive commands in a peer-to-peer fashion.

The worm is able to perform the following functions:
  • Spread through social networks
  • Steal confidential information
  • Inject advertising into web browsers
  • Redirect web browsing to malicious sites
  • Intercept Internet traffic
  • Block access to certain Internet sites
  • Start a web server to serve as a command and control server for other Koobface infections
  • Download additional files, such as updates to itself and other pay-per-install software that includes fake security products
  • Steal software license keys
  • Break CAPTCHAs
  • Determine if a link is blocked by Facebook
  • Create new Blogspot accounts and pages
  • Modify the Hosts file



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.





PREVALANCE
Symantec has observed the following infection levels of this threat worldwide.





SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures


Antivirus (heuristic/generic)


Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.


Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version August 3, 2008 revision 017
  • Latest Rapid Release version February 19, 2013 revision 016
  • Initial Daily Certified version August 3, 2008 revision 020
  • Latest Daily Certified version January 18, 2013 revision 017
  • Initial Weekly Certified release date August 6, 2008
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: 50 - 999
  • Number of Sites: 3 - 9
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Payload: Various activities including stealing of information and opening a back door.

Distribution

  • Distribution Level: Medium
  • Target of Infection: Spreads through social networking sites.
Writeup By: Eric Chien and Jarrad Shearer

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver