Friday, September 18, 2009

Koobface on the Move, Serving Scareware!!

We have been seeing a lot of new movement on the Koobface front lately.


As Koobface-serving domains are taken down as soon as the good guys discover them, the bad guys respond by registering new ones. At the moment, their C&C server is hosted in China with IP address

The bad guys are still using a fake Facebook website, and are still disguising the download as a codec, to distribute Koobface.


Clicking anywhere on the page presents us with a file named setup.exe. Here are some of the IPs being used to distribute Koobface:


The JavaScript component used by Koobface remains basically the same as before.

And as before, Koobface is still serving up scareware. From time to time, users are presented with a "My Computer" online scan, going through these domains:



In some instances, we also get these warnings:


At the moment, these warnings are serving Internet Antivirus Pro.

Koobface has been going at it, and here's another one that spoofs YouTube and serves Koobface malware as a fake codec:


