Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    May 2013
    S M T W T F S
    « Apr    
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
    • About Us
    Trendlabs Security Intelligence > Pick Your Poison: KOOBFACE or FAKEAV?

    The Koobface botnet is widely known to install FAKEAV or rogue antivirus malware onto a victim’s PC. It has a dedicated component which actually installs the FAKEAV onto the user’s system. However, the Koobface gang has added a new twist to its fake Facebook page.

    When the user closes the window/tab with the fake Facebook page, a popup window appears. Whatever button the user clicks, this new Koobface variant is downloaded onto the affected system. Here’s a video that illustrates this behavior:

    This is the script used by cybercriminals to perform this new routine; it only works for users who used Internet Explorer to visit the fake page:

    KOOBFACE Script
    Figure 1. Koobface Script

    The scripts above leaves the user with very little choice – closing the browser window downloads a FakeAV variant (detected as TROJ_FAKEAV.FGR), while clicking anywhere on the web page will download a Koobface loader (detected as WORM_KOOBFACE.AZ).





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Thursday, September 17th, 2009 at 10:06 pm and is filed under Botnets, Malware . Both comments and pings are currently closed.



    • abitowhit

      Does killing all IE processes abort over clicking on anything? A button is a button is a button, just cuz it says close, abort, quit or donottinfectme does not mean it will close, abort,quit or notinfectme. :)

    • Pingback: FAKEAV propaga nos links pagos dos motores de busca | Unsecurity .info - Segurança Web em Portugal

    • Pingback: Close Encounters of a Viral Kind | Geekazine.com

    • http://kerry.is-a-geek.org/upoccasionally Kerry

      Tons of people are falling for this. I have seen literally dozens of customers infected with Koobface and whatever flavor of rogue AV/AS is out this week. Looking for the installer for Green AV, SoftSave, and the latest Quick Heal Cleaner.

    • becca

      Help i got the fake av how do i get rid of it i updated from my 08 antivirus plus antispyware to the 2010 version but don’t think that got rid of it. Best buy where i bought everything including their black tie protection 12/2008 informed me today that it ll cost me $200 for them to do it!!!!Can you please tell me how to get rid of it

    • Pingback: UnderForge of Lack » Blog Archive » 2009.09.19 土曜日



     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice