Koobface on the Loose as "flash_update.exe"

“Koobface”. Like “Facebook”, only sort of backwards. Clever.

Social networking worms like the Koobface family are a reality, and their prevalence shows in our ThreatFire community. Facebook users need to be aware that links appearing on friends’ Facebook pages may lead to malware downloads. There is no need to stop clicking on links or visiting friends’ pages, but the fact that a link is on a friend’s page does not mean the content behind it can be unconditionally trusted.

Basically, if you click on a link at a friend’s profile and your browser is redirected to a video page, do not download and run the executable when prompted. The consistently malicious “flash_update.exe” is being blocked in high volume every day in our community. The trick here is a twist on the genuine need to update Adobe’s Flash Player: if you do need to update your Flash Player, go to Adobe’s site and update it there. Here’s an example from a Koobface distribution site that has already been taken down:

Running the “flash_update.exe” download results in all sorts of problems for the user, including potential modifications to their own Facebook profile, prompts to break CAPTCHAs, and more. The immediate visible result is an error message, “Error installing Flash Update. Please contact support”.

In the infections we’re observing this morning, an executable with a name resembling “bolivar28.exe” is dropped to the system drive and run.

Update: the dropped executables, named “bolivar26.exe”, “bolivar28.exe” and so on, are copies of the original flash_update.exe file. A quick analysis shows them to be similar in functionality to the CAPTCHA-cracking binaries previously observed in the wild. Also interesting is that these files are worming through and attacking other social networking sites, including myspace.com, blackplanet.com, friendster.com, and bebo.com, in addition to the worm’s namesake.
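As an added example (not code from the original post or from ThreatFire), here is a small Python checker written from the defender’s side: it flags proxy-log downloads of a Flash-update-named executable from any host other than Adobe’s, and confirms that dropped bolivarNN.exe files are byte-for-byte copies of the downloaded flash_update.exe by comparing SHA-256 hashes. The log lines, the file bytes and the list of legitimate Adobe domains are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed proxy log (not from the post): time client method url status
SAMPLE_LOG = """\
2008-12-04T09:12:01 10.0.0.5 GET http://get.adobe.com/flashplayer/ 200
2008-12-04T09:12:44 10.0.0.5 GET http://www.geocities.example/video.html 302
2008-12-04T09:12:45 10.0.0.5 GET http://198.51.100.23/flash_update.exe 200
2008-12-04T09:13:10 10.0.0.7 GET http://fpdownload.adobe.com/pub/flashplayer/install_flash_player.exe 200
"""
# Constructed stand-in file bytes (not real malware); dropped copies share the download's bytes
SAMPLE_FILES = {"flash_update.exe": b"MZ-sample-a", "bolivar28.exe": b"MZ-sample-a",
                "bolivar26.exe": b"MZ-sample-a", "notepad.exe": b"MZ-other"}

# Assumption: a genuine Flash Player update is only ever fetched from these domains
LEGIT_FLASH_HOSTS = ("adobe.com", "macromedia.com")
FAKE_UPDATE_NAME = re.compile(r"flash[_-]?update\.exe$", re.IGNORECASE)
DROPPED_NAME = re.compile(r"^bolivar\d+\.exe$", re.IGNORECASE)

def suspicious_download(url):
    """Reason string if the URL is a Flash-update-named .exe from a non-Adobe host, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    legit = any(host == d or host.endswith("." + d) for d in LEGIT_FLASH_HOSTS)
    if FAKE_UPDATE_NAME.search(filename) and not legit:
        return "%s served by non-Adobe host %s" % (filename, host)
    return None

def scan_proxy_log(text):
    """Return (client, url, reason) for each suspicious download in the log text."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url, _status = fields[:5]
        reason = suspicious_download(url)
        if reason:
            hits.append((client, url, reason))
    return hits

def dropped_copies(files, original="flash_update.exe"):
    """Names of bolivarNN.exe files whose SHA-256 equals the downloaded flash_update.exe."""
    digest = hashlib.sha256(files[original]).hexdigest()
    return sorted(name for name, data in files.items()
                  if DROPPED_NAME.match(name) and hashlib.sha256(data).hexdigest() == digest)
```

The host check deliberately accepts only Adobe-owned domains, so a lookalike such as adobe.com.example.net is still flagged.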


5 Responses to Koobface on the Loose as "flash_update.exe"

  1. B. Halsey says:

    Heh. My lovely wife just fell for this one. This is why I have my own computer. (and a Mac).

  2. Chelle says:

    I can’t get rid of it. I’ve run AVG, PC Tools, and Symantec. AVG found and supposedly healed “Koobface” but I still have the virus. No files named bolivar anything on my computer. Advice?

  3. Fred Sobotka says:

    Today I got a Facebook message from one of my friends with a link to the Koobface movie page. The site referenced in the Facebook message link was a GeoCities page that redirects to a rotating set of zombie sites that run web servers on port 7777 and serve up flash_update.exe.

    I didn’t run the update, but I saved it to see if AVG would recognize it as malware. It did not.

  4. thorsen1nk says:

    My browser is currently being crippled by this–how do I get rid of it??!?!?!

  5. thorsen1nk says:

    Found a DIY fix. Here’s the link: http://tinyurl.com/5wjrnd.
