Is Your Mac Safe From Koobface? [EDITORIAL]
Today, computer viruses, spyware, worms and Trojan horses are all over the internet.
You never know when your online security, privacy and even identity will fall prey to some online rogue or cyber criminal. Among computer worms, Koobface is one of the most notorious circulating today.
Koobface is an anagram of Facebook, and when it was created it attacked Facebook users. Today, however, it is not limited to Facebook: there have been cases of this worm infecting users' computers via MySpace and Twitter. Koobface can infect Windows computers as well as Apple's Mac, though in different ways. Other websites where Koobface has successfully lured victims are hi5, Friendster and Bebo.
Koobface's modus operandi for luring victims is such that the victim never suspects what is coming once the computer is infected. Koobface's aim is to infect the victim's computer; so far, there has been no case of Koobface stealing a victim's sensitive financial data. After infecting a computer, Koobface uses the compromised machines to build a peer-to-peer botnet: a compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer, and it can also hijack search queries to display advertisements. Its peer-to-peer topology is also used to show fake messages to other users in order to expand the botnet.
Usually, Koobface posts a message on somebody's profile as if it had been posted by a Facebook friend. For example, Person A and Person B are friends on Facebook. Person A sees a message on his wall from Person B that carries a URL and a line like "Hey, you look funny in this video" or "You look awesome in this video". In reality, the message comes from the Koobface makers. Person A clicks on the URL and is redirected to another page, where he is offered yet another link to a "secret Tom Video". When he tries to play the video, he is told that he needs the latest version of Adobe Flash Player. The moment Person A clicks on the link provided to download "Adobe Flash Player", his Mac's security is compromised and Koobface infects his Mac.
Intego makes a range of security software, and its blog was one of the first to report that a Mac version of Koobface existed. On the Mac, Koobface generally appears under names such as OSX/Koobface.A, freddy79, fbtre6.exe, fmark2.dat, ld08.exe and Ld12.exe.
Intego described Koobface in the following way:
This threat is a Mac OS X version of the Koobface worm, which is served as part of a multi-platform attack via a malicious Java applet. The malware itself is made up of a number of elements, though in order to simplify, we will use the term “Trojan horse” to describe it. (Technically, it propagates as a worm, is installed via a Trojan Horse, and installs a rootkit, backdoor, command and control, and other elements.)
The following are some of the names and versions under which Koobface generally attacks social networking websites:
1. Net-Worm.Win32.Koobface.a, which attacks MySpace.
2. Net-Worm.Win32.Koobface.b, which attacks Facebook.
3. WORM_KOOBFACE.DC, which attacks Twitter.
4. W32/Koobfa-Gen, which attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar.
5. OSX/Koobface.A, a Mac version which spreads via social networks such as Facebook, MySpace and Twitter.
6. trojan.osx.boonana.a, another name for the Mac version of Koobface.
7. W32.Koobface.A (discovered by Symantec).
8. W32/Koobface.worm (discovered by McAfee).
9. Net-Worm.Win32.Koobface.a (discovered by Kaspersky).
Often, once installed on a Mac or PC, Koobface prevents the anti-virus program from updating. So if you cannot update your antivirus, treat that as a possible symptom of a Koobface infection.
Koobface usually uses a different modus operandi on each operating system to avoid detection.
On 17 January 2012, the identities of the gang members who allegedly created Koobface were revealed. All of the members also use aliases. According to investigations by various law enforcement agencies and media organizations, the alleged creators of Koobface, "Ali Baba & 4", are: Anton Korotchenko, who uses the online nickname "KrotReal"; Stanislav Avdeyko, known as "leDed"; Svyatoslav E. Polichuck, who goes by the names "PsViat" and "PsycoMan"; Roman P. Koturbach, who uses the online moniker "PoMuc"; and Alexander Koltyshev, or "Floppy."
The New York Times reported last month that these men live openly and freely in St. Petersburg, Russia, and that with their skills in hacking and in developing worms and viruses they have made so much money that, judging by pictures posted on their social networking profiles, they have vacationed in places like Bali and Turkey. Anton Korotchenko also owns a popular adult website that receives a large number of visits every day from all over Russia and several East European countries.
The identities of the Koobface gang members have been known to Facebook and several law enforcement officers for a long time. However, the gang usually chooses East European countries as its base for activities such as stealing information about Internet Protocol (IP) addresses and personal information and spreading worms over Wi-Fi networks. East European countries lack coordination and cooperation with countries like the United States and the West European countries, and many of them do not have good relations with the Western world. That is why, even though the identities of the Koobface gang are known, the police in those countries do not trouble the gang members. None of these men has been charged with any offense, nor has any investigative agency confirmed that they are under investigation.
Russia has a reputation as a safe haven for hackers, although it has pursued several prominent cases against spammers recently. The Soviet education system emphasised math and science; combined with the post-Communist economic collapse and a weak private industry, this left, according to Vsevolod Gunitskiy, an assistant professor at the University of Toronto, many highly trained engineers with few legitimate outlets for their skills. This led to the rise of many hackers in Russia, and in the Russian hacker community today the Koobface gang members enjoy celebrity status.
The terror of Koobface does not seem likely to end any time soon, because Skolewcho, Tazinga and Zbot are next-generation versions of Koobface.
Various tools can be used to remove Koobface from a Mac. Intego VirusBarrier X6 and X5 are considered trustworthy; this software from Intego can detect and remove Koobface from your Mac. SecureMac has also made a tool to detect and remove Koobface from a Mac. A tool from MacScan is free for the first 30 days after you download it. Security Stronghold has made another program called Koobface Removal Tool 1.0.
NEVER use MacSweeper. It will NOT remove Koobface or any other malware from your Mac. It pretends to run a scan of your Mac and shows exaggerated reports of various viruses and spyware. It is downloaded together with another application that infects your Mac, and once your Mac is infected you are left with no choice but to hand over credit card details to MacSweeper for a $39.99 "lifetime subscription serial key".
Below is a procedure you can follow to remove Koobface from your Mac in case it gets infected. We cannot guarantee that it will work, because there are many variants of Koobface. However, this procedure has worked for many people, so we hope it works for you.
STEP 1 – Open a "Finder" window. Under "Devices" in the left sidebar, select your Macintosh hard drive.
STEP 2 – Double-click the "Library" folder. Find the folder "Internet Plug-Ins" and double-click it to view its contents. This is where malicious websites download malware onto your Mac.
STEP 3 – Look for any plug-ins that have been installed on your Mac without your permission. The most common Trojan known to be harmful to Macs is named "plugin.settings". Move this file to the Trash immediately. Remove any other plug-ins you consider suspicious by dragging them to the Trash and then emptying it for permanent deletion.
STEP 4 – Search thoroughly and delete all suspicious Facebook applications from your account. To be as safe as possible, it is a good idea to remove all third-party applications, and to change your settings so that no application is granted permission to access your information and your Mac.
There have been cases where hackers compromise Facebook profiles and send messages containing links to the victim's friends. When the friends click the links, Koobface is downloaded onto their systems. Therefore, use a strong Facebook password, never click an online link without a second thought, and do not download any suspicious software.
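An added example, not code from the article or from any of the vendors named above, that automates the inspection in STEP 2 and STEP 3: it lists the Internet Plug-Ins folder and flags entries whose names match the Koobface file names given earlier, printing owner and modification time for triage. It deletes nothing; the per-user ~/Library/Internet Plug-Ins path is an assumption, since the article only names the system-level Library folder.

```shell
#!/bin/sh
# Added example, not from the original article: list the contents of the
# Internet Plug-Ins folders and flag entries whose names match the Koobface
# file names the article mentions. Nothing is deleted; review the output
# and remove flagged items by hand as described in the steps above.

# File names taken from the article (plugin.settings and the OSX/Koobface.A
# components). Extend this list with indicators from your AV vendor.
KOOBFACE_NAMES="plugin.settings freddy79 fbtre6.exe fmark2.dat ld08.exe Ld12.exe"

# is_koobface_name NAME -> exit status 0 when NAME is on the indicator list
is_koobface_name() {
    for n in $KOOBFACE_NAMES; do
        [ "$1" = "$n" ] && return 0
    done
    return 1
}

# scan_plugins DIR -> prints one line per entry; matches start with "FLAGGED"
# and carry the ls -ld record (owner, size, mtime) for triage.
scan_plugins() {
    if [ ! -d "$1" ]; then
        echo "not present: $1"
        return 0
    fi
    echo "scanning: $1"
    for entry in "$1"/* "$1"/.*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        name=${entry##*/}
        case $name in .|..) continue ;; esac
        if is_koobface_name "$name"; then
            echo "FLAGGED  $(ls -ld -- "$entry")"
        else
            echo "ok       $name"
        fi
    done
    return 0
}

# Standard locations: the system folder named in STEP 2 and, as an assumption
# not stated in the article, the per-user equivalent under ~/Library.
scan_standard_dirs() {
    scan_plugins "/Library/Internet Plug-Ins"
    scan_plugins "${HOME:-/var/root}/Library/Internet Plug-Ins"
}

scan_standard_dirs
```

Run it as an administrator so the system folder is readable; a "FLAGGED" line is a candidate for the manual removal in STEP 3, not proof of infection on its own.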
Did you find this information on Koobface helpful? Share your feedback with us.