Net-Worm.Win32.Koobface

Detect Date: 12/30/2015
Class: Net-Worm
Platform: Win32
Description

This malware family consists of Net-Worms that propagate primarily via the Facebook and MySpace social networks.

After infecting a computer, the malware obtains access to the user’s social network accounts. The malware then uses these accounts to send a link to multimedia content to all the user’s contacts. This link could be sent in a private message from the user of the infected computer, or else inside a comment on a social network page.

Clicking the link opens a malicious website that is disguised as a legitimate video hosting platform. Visitors to the website are asked to update the Flash Player or codec version on their computer.

If the proposed “updates” are installed, the computer is infected with Net-Worm.Win32.Koobface.

The infected computers are managed via a large peer-to-peer (P2P) network. When a command is received from the command-and-control server, malware on all the networked computers begins to replace the results of the user’s search requests with advertising content and installs unwanted software on the infected computer.

Main characteristics of this malware family:

  • Propagates via social networks.
  • Steals private data.
  • Inserts advertising into browsers.
  • Redirects the user to malicious websites.
  • Blocks access to certain Internet sites.
  • Relies on a command-and-control server to manage the infected computers.
  • Downloads various malicious files, including updates to the malware itself.

Geographical distribution of attacks by the Net-Worm.Win32.Koobface family

Geographical distribution of attacks during the period from 30 December 2014 to 30 December 2015

Top 10 countries with most attacked users (% of total attacks)

Rank  Country        % of users attacked worldwide*
1     Vietnam        61.64
2     India          14.76
3     Saudi Arabia   4.23
4     Algeria        2.61
5     Nepal          1.32
6     Indonesia      1.25
7     Morocco        1.17
8     Thailand       1.05
9     Malaysia       0.92
10    Jordan         0.85

* Percentage among all unique Kaspersky users worldwide attacked by this malware