Blocks almost all browsing and programs

Jul 19, 2010 09:59 GMT

Security researchers warn that the latest Koobface variant drops a scareware program, which severely impacts the victim's ability to use the infected system. The application, which poses as an antivirus, makes Web browsing impossible and prevents almost all programs from running.

Koobface is a computer worm that spreads on social networking websites. It was originally created for MySpace, but it now targets users of many such sites, including Facebook, Twitter, hi5, Bebo and Friendster. The worm relies heavily on social engineering to lure people onto malicious pages and infect them.

The attack normally starts with spam messages about interesting videos, which contain links to external pages. These external sites regularly mimic YouTube and present users with fake alerts claiming a special codec or a Flash Player update is required to see the video.

Of course, the executable file served for download is actually the installer of the worm, which, once installed, proceeds to send email spam from the infected computer. It also steals the victim's social networking login credentials and uses them to post rogue messages from their profiles.

“Several weeks ago Koobface added DNS hijacking functionality that blocks access to security sites, tipping users off to the fact that something might be wrong with their systems. Since then the authors have taken a giant leap toward invasiveness with the installation of a fake anti-virus Trojan,” security researchers from McAfee warn.

The rogue program is called “AV Security Suite” and bombards users with fake security alerts about fictitious infections. This is not unlike other programs in the FakeAV family; however, this application borders on ransomware.

First, it installs a local HTTP proxy and forces all browser requests to pass through it. This prevents users from accessing any website and instead they see a page displaying a bogus security warning instructing them to purchase a license for the rogue security software.
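A triage check for the local-proxy behaviour described above, as an added example that is not from the article or from McAfee. It assumes the redirect is applied through the per-user Windows proxy setting (the `ProxyEnable` and `ProxyServer` values under Internet Settings), which the article does not state; the sample values are constructed, and a loopback proxy is only a lead to investigate, since legitimate tools also use one.

```python
import ipaddress

def split_host_port(target):
    """Split 'host:port', 'host' or '[v6]:port' into (host, port-or-None)."""
    target = target.split("://", 1)[-1].strip()   # tolerate "http://host:port"
    if target.startswith("["):                    # bracketed IPv6 literal
        host, _, rest = target[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, sep, port = target.rpartition(":")
        if not sep:                               # no port given
            host, port = target, ""
    return host.lower(), int(port) if port.isdigit() else None

def parse_proxy_server(value):
    """Parse a ProxyServer string: 'host:port' or 'http=h:p;https=h:p'.
    Returns {scheme: (host, port)}; scheme '*' means all protocols."""
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, target = part.partition("=")
        if not sep:                               # single proxy for everything
            scheme, target = "*", part
        entries[scheme.strip().lower()] = split_host_port(target)
    return entries

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                            # not an IP literal
        return host == "localhost"

def loopback_proxy_findings(proxy_enable, proxy_server):
    """Return (scheme, host, port) for each enabled proxy on loopback."""
    if not proxy_enable or not proxy_server:
        return []
    return [(scheme, host, port)
            for scheme, (host, port) in parse_proxy_server(proxy_server).items()
            if is_loopback(host)]

if __name__ == "__main__":
    # Constructed sample values, not taken from a real infection.
    samples = {"host-a": (1, "proxy.corp.example:8080"),
               "host-b": (1, "http=127.0.0.1:5555;https=127.0.0.1:5555"),
               "host-c": (0, "127.0.0.1:5555")}
    for name, (enable, server) in samples.items():
        print(name, loopback_proxy_findings(enable, server) or "no loopback proxy")
```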

Opening executable files is also blocked and will generate a similar warning, requesting immediate activation of the program. As always, users are advised to exercise caution when choosing to visit links spread on social networking websites and never surf the Web without an up-to-date antivirus installed.

You can follow the editor on Twitter @lconstantin
