Koobface ultimately attempts, upon successful infection, to gather sensitive information from the victims such as credit card numbers. It was first detected in December 2008 and a more potent version appeared in March 2009.[3]
Koobface spreads by delivering Facebook messages to people who are ‘friends’ of a Facebook user whose computer has already been infected. Upon receipt, the message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface is able to infect their system. It can then commandeer the computer’s search engine use and direct it to contaminated websites.
Among the components downloaded by Koobface are a DNS filter program that blocks access to well known security websites and a proxy tool that enables the attackers to abuse the infected PC.
Several variants of the worm have been identified:
* Net-Worm.Win32.Koobface.a, which attacks MySpace
* Net-Worm.Win32.Koobface.b, which attacks Facebook.[4]
* WORM_KOOBFACE.DC, which attacks Twitter.[5]
* W32/Koobfa-Gen, which attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar.[6]
