Koobface -- The Notorious Virus that can Bypass McAfee

I was browsing Facebook today when suddenly I was hit with a message from a friend. Naturally, I went ahead and looked at the message. It had a link to "YouTube" and me being my curious self, I clicked on it. What was brought up was not YouTube, but a piece of malware. Curious for writing a blog post, I opened it and tested it against my system knowing it was deletable. The malware's name is the Koobface worm.
Here was the message I got:

Sample Message Sent by Koobface Facebook Virus

On opening the link my friend "gave" me, I was immediately taken to a keyword-stuffed page. (I assume that this is to increase search rankings from an overload of visitors visiting the Koobface worm.)

[Image: KoobFace keyword-stuffing page. Caption: "This gives it away to me, but not to other susceptible typical Facebook users."]

The only reason I would believe people would follow through with an action this stupid is because it came from a friend. Let me make this clear: Do not trust everything from Facebook friends! They could always have viruses that may be hard or easy to spot. Also, everything keyword-stuffed is traditionally spam. Anyways, back to my story...

I was then redirected to a page about a "funny video".

[Image: Facebook virus page, Koobface worm fake video. Caption: "Hehe... soooo fake."]

The page looked fake and told me I needed a new version of Flash player. It automatically forced me to install the "new" version of Flash, and having nothing better to do, I installed it and watched the program rip.

Unfortunately, my updated version of McAfee didn't catch this program when I downloaded it or while I ran it with admin rights. Anyone else have this problem?

The Koobface worm's setup.exe does set up Koobface, but it is really a downloader: it fetches the worm variant matching the site you were referred from (Facebook, MySpace, Bebo, etc.) and adds it to your startup programs. It saves a copy of itself in a system folder (mine was the System32 folder) and stays there. My .exe's name was bill103.exe, but the name varies between many others.
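Since the dropped file's name varies, a check for this kind of persistence has to key on where an auto-start entry points and whether the file is signed, not on a name. The script below is an added example and not code from the original post or from any vendor: it enumerates the usual Run registry keys and Startup folders, resolves each entry to an executable, and flags entries that live under System32 but carry no valid Authenticode signature. The registry keys and folders used are assumed to be what "startup programs" means here; the file name bill103.exe is quoted from the post only as an illustration in a comment.

```powershell
# Added example (not from the original post): list auto-start entries from the common
# Run keys and Startup folders and flag those that point into System32 without a
# valid Authenticode signature. File names such as bill103.exe are random, so the
# check keys on location and signature, not on name. Read-only; run from an
# elevated PowerShell prompt on the machine being inspected.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$system32 = Join-Path $env:SystemRoot 'System32'

# Pull the executable path out of a Run-key command line, e.g.
#   "C:\Windows\System32\bill103.exe" /silent   or   C:\tools\agent.exe -x
function Get-ExePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $command.Trim()
}

$entries = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Path = (Get-ExePath $p.Value) }
    }
}

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    # Startup folders usually hold .lnk shortcuts; they are reported as-is here.
    Get-ChildItem -Path $dir -File | ForEach-Object {
        $entries += [pscustomobject]@{ Source = $dir; Name = $_.Name; Path = $_.FullName }
    }
}

$report = foreach ($e in $entries) {
    $exists = Test-Path -LiteralPath $e.Path
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $e.Path } else { $null }
    $inSystem32 = $e.Path -like "$system32\*"
    $unsigned   = (-not $exists) -or ($sig.Status -ne 'Valid')
    [pscustomobject]@{
        Source     = $e.Source
        Name       = $e.Name
        Path       = $e.Path
        Exists     = $exists
        Signature  = if ($sig) { $sig.Status } else { 'n/a' }
        Suspicious = ($inSystem32 -and $unsigned)   # unsigned binary auto-starting from System32
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A hit in the Suspicious column is a lead, not a verdict: a signed Microsoft binary in System32 will show Signature = Valid and not be flagged, while an unsigned file that appeared there alongside a new Run-key entry is exactly the pattern the post describes and deserves a closer look (hash it, check its creation time, compare against a known-good machine) before removing anything.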

The worm's payload then poses as something legitimate. On my computer, it went ahead and installed rogue security software (a fake antivirus). On other computers, though, it is known to steal data and solve CAPTCHAs.

It then hijacks your computer and turns it into a web server that helps spread the worm, making the machine part of a botnet. (That's where the weird IP addresses in the links come from.) It's funny how this thing can turn into a web server on the first try but Apache cannot even do that 100% of the time...

If you want to see a sample page of Koobface, visit this Koobface Example Page (real deal).

If you want to know where to download this virus, I have it right here. DISCLAIMER: THIS IS THE KOOBFACE VIRUS DOWNLOAD. DO NOT BLAME ME FOR DAMAGES INCURRED ON YOUR COMPUTER. THIS IS FOR DEMONSTRATION PURPOSES ONLY.

By the way, don't worry; I have wiped the virus from my system.

For more on Koobface, please visit Trend Micro's The Real Face of Koobface.


Thanks for reading my post! If you enjoyed it or it helped you, please consider liking/tweeting this page, commenting, or following me on GitHub or Twitter!