Koobface - On The Run Again
Threat Type: Malicious Web Site / Malicious Code
Websense Security Labs™ ThreatSeeker™ Network has monitored Koobface since it started spreading back in 2008.
Since its inception, Koobface has been spreading via Facebook, Friendster, MySpace, hi5, Bebo, and other social networking sites.
This past week, Koobface attempted to run another campaign on Facebook.
Once infected, Facebook users start to spam their friends with a link to a malicious Web site. When users visit the link, they are redirected to various malicious and phishing pages. We detected these on numerous .be domains and TinyURL links. One such malicious page is a fake YouTube page that appears to be a funny video. The page tells visitors to upgrade their Flash player in order to play the video, and the Flash setup program is actually Koobface malware.
Users who execute the setup.exe file infect their computer and download fake antivirus software, as you can see in the pictures below:
Among other things, a proxy server is installed on the infected computer.
Websense Messaging and Websense Web Security customers are protected against this attack.