
Friday, March 13, 2009

Koobface Worm Is On The Move Again Attacking Facebook Users

Some of you may be wondering why the sudden focus on security and malware. After all, the last 3 or 4 posts have been about running malware scanners as opposed to using tech for lead generation or setting up your email service to save time.

Well, a little while ago, I got an alert about the Koobface Trojan and how it was becoming more prolific. I left a quick post as a security alert for Facebook users.

Anyway, in my travels to find an easy way to detect and remove this threat, I’ve come across some additional information along with the two online scanners identified in previous posts.

First, from my research on the various security sites, the Koobface worm made its appearance back in August of last year, over 6 months ago. So why is Koobface (a variation of the word ‘Facebook’) back in the news? Well, according to the news wire, there seems to be a new variant that is starting to run rampant on Facebook, and it’s starting to jump across to infect other social networks:

… Indeed, Facebook has seen five different security threats in the past week. According to Trend Micro, four new hoax applications are attempting to trick members into divulging their usernames and passwords. And a new variant of the Koobface worm is running wild on the site, installing malware on the computers of victims who click on a link to a fake YouTube video…

Here is a shot from the Trend Micro blog. A YouTube moment that may look pretty familiar to all of us:

Fake YouTube website to which Facebook invitations direct unsuspecting users; Credit: Trend Micro

Fake YouTube Website; Credit: Trend Micro Rik Ferguson

The Facebook link that you get from your friend takes you to a spoofed YouTube page and asks you to update your Adobe Flash Player by clicking “Install”. Looks innocuous enough, but this piece of social engineering starts the download and installation of the Koobface worm and the eventual zombification of your system.

And I’ve got friends who wonder why I refuse to let anyone else touch my rig.

All it takes is one person who wants to “check their email account” or “check their Facebook account” …and WHAM! It’s “Night Of The Living Dead Laptop”.

You can read the rest of Rik Ferguson’s post from Trend Micro here entitled New Variant of Koobface Worm Spreading On Facebook.
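The lure described above has two tells a defender can screen for before anyone clicks: the link does not actually land on youtube.com (it lands on a look-alike or an unrelated host), and the “Install” button hands you an executable rather than a video. The following link triage helper is an added example, not code from this post or from Trend Micro; the trusted-domain list, the homoglyph table and the sample message are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: a genuine video link is only trusted if its
# host is one of these domains or a subdomain of one.
TRUSTED_VIDEO_HOSTS = ("youtube.com", "youtu.be")

# File extensions that mean "this link downloads a program", not a video.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat")

# Digits commonly swapped in for letters in look-alike domains (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

URL_PATTERN = re.compile(r"https?://[^\s<>\"']+")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if none); a bare 'youtu.be/x' gets a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host: str) -> bool:
    """Exact match or proper subdomain only: 'youtube.com.evil.example' fails,
    because the trusted label must be at the END of the hostname."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_VIDEO_HOSTS)


def looks_like_youtube(host: str) -> bool:
    """Fold digit-for-letter swaps and separators, then look for the brand string.
    Catches 'y0utube-video.example' and 'youtube.com.video-update.example'."""
    folded = host.translate(HOMOGLYPHS).replace("-", "").replace(".", "")
    return "youtu" in folded


def assess_link(url: str) -> dict:
    """Classify one link: trusted / lookalike / untrusted / invalid, plus an
    executable-download flag derived from the path's file extension."""
    host = host_of(url)
    if not host:
        return {"host": "", "verdict": "invalid", "executable_download": False}
    if is_trusted_host(host):
        verdict = "trusted"
    elif looks_like_youtube(host):
        verdict = "lookalike"
    else:
        verdict = "untrusted"
    path = urlparse(url if "://" in url else "http://" + url).path.lower()
    executable = any(path.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)
    return {"host": host, "verdict": verdict, "executable_download": executable}


def suspicious_links(message: str) -> list:
    """Extract every http(s) link in a message and return (url, assessment) for
    each one that is not a trusted host or that points at an executable."""
    findings = []
    for url in URL_PATTERN.findall(message):
        result = assess_link(url)
        if result["verdict"] != "trusted" or result["executable_download"]:
            findings.append((url, result))
    return findings


# Constructed sample message in the style of the lure described in the post.
SAMPLE_MESSAGE = (
    "lol you look so funny in this video "
    "http://youtube.com.video-update.example/watch.php?v=12345 "
    "and here is the real one https://www.youtube.com/watch?v=abc123"
)

if __name__ == "__main__":
    for url, result in suspicious_links(SAMPLE_MESSAGE):
        print(f"{result['verdict']:10} exe={result['executable_download']!s:5} {url}")
```

The check deliberately tests the end of the hostname rather than searching for “youtube” anywhere in it; a domain that merely contains the brand string is exactly what a spoofed page uses, so it is reported as a look-alike instead of being trusted.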

So this raises three questions:

  1. How do I know if my rig is infected?
  2. How do I get rid of the thing if I do have it?
  3. How do I avoid getting it in the first place?

Well, in terms of question 3, Michael Argast, security analyst at Sophos, has a few suggestions:

… Argast said people can protect themselves by running up-to-date antivirus software, restricting which Facebook applications they install, thinking twice before clicking on links from friends and never, never installing a codec from some random Web site in the hopes of catching some celebrity in a compromised situation.

Simple enough.

Vigilance is still the word of the day. This still leaves questions one and two.

As for question number 1, this thing appears to be detectable by your antivirus program. So keeping your antivirus definitions up to date and scanning your system regularly should be enough to determine whether your system has been compromised.

If you don’t have up-to-date antivirus definitions, or you aren’t running an antivirus package at all, eset.com offers an online antivirus scanner service that will scan your system for threats and remove them.

There are two advantages to this. First, you can bet that they keep their definitions up to date. Second, the antivirus scanner is free. And in this economy, free is a good thing.

It doesn’t work on prevention, however. For that service, you have to shell out the bucks. But if your system is operating sluggishly and you are looking for a way to clean things up, this would certainly be the way to go. See the sidebar under Resources for the ESET antivirus scanner service. To get a blow-by-blow description of what will happen when you start the scanner, see my post on the ESET antivirus scanner service or the post on the Panda Security malware scanner.

As for question two, well, the removal process is a little more involved. If you are tech savvy, you can find the details here at the Trend Micro virus encyclopedia. However, if the thought of modifying the registry sends you into a state of panic, leave a comment below and I’ll do what I can to help you get this thing out of your system.
