Koobface-serving domains are being taken down as soon as the good guys discover them, and the bad guys respond by registering new ones. At the moment, their C&C server is hosted in China at IP address 18.104.22.168.
The bad guys are still using a fake Facebook website, and still passing the malware off as a fake codec, to distribute Koobface.
Clicking anywhere on the page presents us with a file named setup.exe. Here are some of the IPs being used to distribute Koobface:
And as before, Koobface is still serving up scareware. From time to time, users are presented with a "My Computer" online scan, going through these domains:
In some instances, we also get these warnings:
At the moment, these warnings are serving Internet Antivirus Pro.
Koobface has been going at it, and here's another one that spoofs YouTube and serves Koobface malware as a fake codec: