Infection
Koobface ultimately attempts, upon successful infection, to gather login information for FTP sites, Facebook, Skype, and other social media platforms, as well as any sensitive financial data.[7] It then uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer and to hijack search queries to display advertisements. Its peer-to-peer topology is also used to show fake messages to other users for the purpose of expanding the botnet.[8] It was first detected in December 2008, and a more potent version appeared in March 2009.[9] A study by the Information Warfare Monitor, a joint collaboration between SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University of Toronto, revealed that the operators of this scheme generated over $2 million in revenue from June 2009 to June 2010.[7]
Koobface originally spread by delivering Facebook messages to people who are "friends" of a Facebook user whose computer had already been infected. Upon receipt, the message directs the recipients to a third-party website (or another Koobface-infected PC), where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface can infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. Links to the third-party website can also appear on the Facebook wall of the friend the message came from, sometimes accompanied by comments such as "LOL" or "YOUTUBE". If the link is opened, the trojan infects the computer and the PC becomes a zombie or host computer.
Among the components downloaded by Koobface are a DNS filter program that blocks access to well-known security websites and a proxy tool that enables the attackers to abuse the infected PC. At one time the Koobface gang also used Limbo, a password-stealing program.
Several variants of the worm have been identified:
- Worm:Win32/Koobface.gen!F[10]
- Net-Worm.Win32.Koobface.a, which attacks MySpace
- Net-Worm.Win32.Koobface.b, which attacks Facebook[11]
- WORM_KOOBFACE.DC, which attacks Twitter[12]
- W32/Koobfa-Gen, which attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar[13][14]
- W32.Koobface.D[15]
- OSX/Koobface.A, a Mac version which spreads via social networks such as Facebook, MySpace and Twitter