Researchers with McAfee Labs have observed a significant spike in URLs leading to Koobface malware.
Well known for targeting users of social networks such as Facebook since it first appeared on the scene in 2008, Koobface sends false messages and comments to the victim’s friends and redirects them to a malicious Website. From there, it tries to steal log-in credentials and repeats the pattern to infect new users.
“Several weeks ago Koobface added DNS hijacking functionality that blocks access to security sites, tipping users off to the fact that something might be wrong with their systems,” blogged McAfee researcher Craig Schmugar. “Since then the authors have taken a giant leap toward invasiveness with the installation of a fake antivirus Trojan. About 10 minutes after the initial infection, users may see the typically fake scanning windows and infection alerts… It’s all downhill from here.”
The Trojan acts as an HTTP proxy and configures Internet Explorer to route HTTP requests through that proxy, he continued. It then blocks access to everything but the site to purchase the fake antivirus software and a handful of adult entertainment sites. It also blocks another component of Koobface designed to display pop-ups and redirect search result links, leaving the user with Koobface created pop-ups that display fake error messages.
The payload also prevents many executables from running, making the computer relatively useless.
“The vast majority of Koobface infections come from users who “choose” to run the virus,” Schmugar blogged. “They are tricked by the social engineering used by the authors, who prey on people’s curiosity and thirst to view some enticing video.”
The advice – be careful what messages and links you click on or open.