The KoobFace worm is still causing troubles in the wild. The picture below shows a malicious link which spreads through popular social networks. The link is sent from a trustworthy source (friends) inside the social network. A majority of users will most likely check it out.

If users choose to click the link, they'll be redirected to a malicious download site.

This site is constructed in a “phishing manner”. The malware authors use a reliable Facebook interface to entice users to download an upgrade of flash player in order to watch a non-existant video, as the picture above shows.

The next step in the social engineering chain is the download of a file called setup.exe. This is the “parent file” for the Koobface infection.  The worm will download and install additional malicious files without the user's consent. After a few minutes, unexpected browser windows will be opened.  The malware authors want to bring in money by pushing the user to install and purchase a fake anti-virus solution.

The KoobFace infection also drops a file called DDnsFilter.dll which redirects and controls the traffic. It lets users surf on google.com but blocks access to security sites like lavasoft.com and kaspersky.com, as the picture below shows. This functionality is built-in to actively prevent users from being able to clean the infection.

The bottom line: don’t trust links on social networks, even if they're sent by your best friend. Be especially cautious if the link leads to download a file with a .exe extension, which is considered suspicious behavior. Lavasoft Malware Labs detects this worm under the name Win32.Worm.KoobFace.

Albin

Lavasoft Malware Labs