Yet Another Koobface Attack!

     Koobface is a network worm that tries to propagate using social engineering techniques. While it mainly targets the popular social-networking site “Facebook”, it also targets other sites such as “Twitter” and “MySpace” as the vector for infection.

     On 10th March 2010, PC Tools’ Malware Research Centre found another Koobface variant lurking in Facebook. Like its predecessors, it hijacks existing Facebook accounts and tries to spread by generating a URL that directs users to a malicious page. Visiting the malicious URL redirects users to a webpage containing a malicious script that forces the user to download a malicious executable posing as an installer for a video codec.

     Upon execution, this fake video codec silently drops a copy of itself, downloads its components, accesses fake AV sites and continuously monitors the unsuspecting user, waiting for him/her to log in to his/her account so as to hijack it. It then uses the acquired account to silently log into Facebook Lite (the Twitter version of Facebook) to start another loop of infection.

Past reports can be found here

The Propagation Loop

     Koobface uses the hijacked account to send enticing URLs to the “walls” of the account holder’s friends, as well as posting another URL to the account holder’s own wall in case one of the friends visits the profile.

     Once one of the account holder’s connected friends clicks on the malicious URL, it directs him/her to a page which contains a malicious script.

<script src='[randomname].php'></script>

Here is an example of a page with malicious script:

(The text varies from time to time)

This PHP script (mentioned above) will execute the following malicious code:

     Then, from the list of IPs returned by the script, it will try to access each one, appending “/go.js?/” to the IP.

     Successful access takes the user/account holder to another redirect page where the user is enticed to download the malicious file, disguised as a video codec:
Closing the page or clicking anywhere on it will download “setup.exe”.
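The redirect chain described above (bare-IP host, “/go.js?/” path, then “setup.exe” from the same IP) is something a proxy log can be hunted for. The following is an added detection example, not code from the original post or from PC Tools; the log format and the sample lines are constructed for illustration, and the IP addresses are documentation ranges, not real Koobface hosts.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic): "<time> <client> <method> <url>"
SAMPLE_LOG = """\
2010-03-10T09:01:02 10.0.0.5 GET http://www.example.com/index.html
2010-03-10T09:01:07 10.0.0.5 GET http://198.51.100.23/go.js?/
2010-03-10T09:01:09 10.0.0.5 GET http://198.51.100.23/setup.exe
2010-03-10T09:02:11 10.0.0.9 GET http://203.0.113.7/go.js?/
2010-03-10T09:05:40 10.0.0.12 GET http://cdn.example.org/setup.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")
# Koobface hands out a list of bare IPs, so only URLs whose host is an IPv4 literal count.
IP_URL_RE = re.compile(r"^https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?P<path>/.*)?$")

def classify(url):
    """Return 'redirector', 'payload' or None for a single URL."""
    m = IP_URL_RE.match(url)
    if not m:
        return None
    path = m.group("path") or "/"
    if path.startswith("/go.js?/"):
        return "redirector"
    if path.lower().endswith("/setup.exe"):
        return "payload"
    return None

def find_koobface_chains(log_text):
    """Map each client that hit a /go.js?/ redirector to 'redirect+download' when it
    also fetched setup.exe from one of those same IPs, else 'redirect-only'.
    A lone setup.exe download from an IP is weaker evidence and is not reported."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stage = classify(m.group("url"))
        if stage:
            ip = IP_URL_RE.match(m.group("url")).group("ip")
            events[m.group("client")].append((stage, ip))
    result = {}
    for client, evs in events.items():
        redirect_ips = {ip for stage, ip in evs if stage == "redirector"}
        if not redirect_ips:
            continue
        downloaded = any(stage == "payload" and ip in redirect_ips for stage, ip in evs)
        result[client] = "redirect+download" if downloaded else "redirect-only"
    return result
```

Clients flagged “redirect+download” have most likely run the fake codec and should be triaged for the host artefacts listed further down.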

     Upon execution of the downloaded file, Koobface starts to download and install itself on the user’s machine, running stealthily in the background and waiting for the user to log into Facebook so as to hijack the account and infect another unsuspecting friend.
File Installation:

Koobface drops a hidden copy of itself in the Windows directory (one of the following):
  • %windows%\bill[random chars].exe
  • %windows%\pp[random chars].exe
  • %windows%\fb[random chars].exe
  • %windows%\freddy[random chars].exe
Koobface installs its components:
  • %system%\erokosvc.dll (most probably a random filename)
  • %system%\drivers\imapioko.sys (most probably a random filename)
where %windows% is the Windows directory (usually C:\Windows)
and %system% is the system directory (usually C:\Windows\system32)
Registry Installation:

     Koobface creates its own registry entry in order for the malware to be automatically executed upon every boot up.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • sysfbtray = <path of the dropped file mentioned above>
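The file and registry artefacts above can be correlated in a host triage: a Run value named “sysfbtray” whose image path is a dropper-named executable sitting directly in %windows% is the strongest signal. This is an added example, not code from the original post or from PC Tools; it works over collected triage data (a Run-key export and a directory listing) rather than querying a live host, and the sample data is constructed.

```python
import re
from pathlib import PureWindowsPath

# Prefixes from the write-up: bill/pp/fb/freddy followed by random characters, dropped
# straight into %windows%. The prefixes are short, so a match is a lead to confirm, not proof.
DROPPER_RE = re.compile(r"^(bill|pp|fb|freddy)[a-z0-9]*\.exe$", re.IGNORECASE)
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "sysfbtray"

# Constructed triage data (not from a real host): Run-key values and a listing of %windows%
SAMPLE_RUN_VALUES = {
    RUN_KEY: {
        "VendorUpdater": r"C:\Program Files\Vendor\updater.exe",
        "sysfbtray": r"C:\Windows\freddy71.exe",
    }
}
SAMPLE_WINDOWS_DIR = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\notepad.exe",
    r"C:\Windows\freddy71.exe",
    r"C:\Windows\bill3ex2.exe",
]

def suspicious_dropped_files(paths, windows_dir=r"C:\Windows"):
    """Return files located directly in %windows% whose name matches the dropper pattern."""
    root = PureWindowsPath(windows_dir)
    return [str(PureWindowsPath(p)) for p in paths
            if PureWindowsPath(p).parent == root and DROPPER_RE.match(PureWindowsPath(p).name)]

def check_persistence(run_values):
    """Return the image path of the sysfbtray Run value, or None when it is absent."""
    for name, image in run_values.get(RUN_KEY, {}).items():
        if name.lower() == RUN_VALUE:
            return image
    return None

def triage(run_values, paths):
    """Combine both indicators; run_points_at_dropper is the high-confidence finding."""
    dropped = suspicious_dropped_files(paths)
    image = check_persistence(run_values)
    return {
        "dropped_files": dropped,
        "run_value": image,
        "run_points_at_dropper": image is not None
                                 and any(image.lower() == d.lower() for d in dropped),
    }
```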

Upon successful installation, the initial executable is deleted, and the dropped file and its components are executed and loaded automatically. The malware now runs in the background and begins its malicious activity: hijacking Facebook accounts, accessing spam and fake AV sites, and connecting to its own C&C server.

     While running in the background, Koobface exhibits the following types of behaviour.
1. Bypassing Captcha
     It first downloads and automatically executes its component files, including the one used for bypassing captchas.
     From time to time, it presents a window mimicking a captcha test. The user is forced to comply, since the window disables other applications and displays a message that the machine will shut down unless the user complies. The “captcha” answers are used for creating accounts and/or sending messages. (More details on Koobface’s ability to solve Facebook’s captcha)

2. Contacting Rogue Sites
     Not only does it propagate, but while running in the background it also connects to rogue sites and markets rogue software to be installed on the victim’s machine.

3. Hijacking Facebook Accounts
     And lastly, the main purpose of this malware: hijacking Facebook accounts for propagation.
     It continues to monitor the computer until a user logs into his/her Facebook account. Once the user is logged in, the malware hijacks the currently logged-in Facebook account and creates its own session using Facebook Lite.
Then it automatically sends an enticing message that includes the malicious URL to each of the user’s friends, and the propagation loop starts over.

     In time, the user will find out that he/she has “sent” a message that he/she never actually sent.
     Not only does Koobface send crafted messages without the user’s knowledge, it also publishes an enticing post to the user’s own Facebook wall.

     Internet users are encouraged to be vigilant when visiting sites, even those recommended by a known source.
     Affected users are advised to immediately change their Facebook account password. The hijacked credentials may be used again as a vector for malware propagation with more dangerous intent.
     PC Tools detects this malware as Net-Worm.Koobface. It is recommended to make sure that your signatures are up to date by using Smart Update, to ensure you are protected against current and upcoming web threats.
This entry was posted in Virus News.