Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    The Koobface botnet is widely known to install FAKEAV or rogue antivirus malware onto a victim’s PC. It has a dedicated component which actually installs the FAKEAV onto the user’s system. However, the Koobface gang has added a new twist to its fake Facebook page.

    When the user closes the window/tab with the fake Facebook page, a popup window appears. Whatever button the user clicks, this new Koobface variant is downloaded onto the affected system. Here’s a video that illustrates this behavior:

    This is the script used by cybercriminals to perform this new routine; it only works for users who used Internet Explorer to visit the fake page:

    KOOBFACE Script
    Figure 1. Koobface Script

    The scripts above leaves the user with very little choice – closing the browser window downloads a FakeAV variant (detected as TROJ_FAKEAV.FGR), while clicking anywhere on the web page will download a Koobface loader (detected as WORM_KOOBFACE.AZ).

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    • abitowhit

      Does killing all IE processes abort over clicking on anything? A button is a button is a button, just cuz it says close, abort, quit or donottinfectme does not mean it will close, abort,quit or notinfectme. :)

    • Pingback: FAKEAV propaga nos links pagos dos motores de busca | Unsecurity .info - Segurança Web em Portugal()

    • Pingback: Close Encounters of a Viral Kind |

    • Kerry

      Tons of people are falling for this. I have seen literally dozens of customers infected with Koobface and whatever flavor of rogue AV/AS is out this week. Looking for the installer for Green AV, SoftSave, and the latest Quick Heal Cleaner.

    • becca

      Help i got the fake av how do i get rid of it i updated from my 08 antivirus plus antispyware to the 2010 version but don’t think that got rid of it. Best buy where i bought everything including their black tie protection 12/2008 informed me today that it ll cost me $200 for them to do it!!!!Can you please tell me how to get rid of it

    • Pingback: UnderForge of Lack » Blog Archive » 2009.09.19 土曜日()


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice