The Koobface gang’s changing tricks and longevity are noted at a recent USAToday article. They’ve recently upped their activity on a major social networking site and user infections appear to have a quick jump. The current theme has been effective for the past month. A message will arrive in a user’s box from a friend (names purposely removed from image). Note that the gang is no longer using the bit.ly service in their attack links:
The link will lead the user to the familiar phony Yuotube “Broadcast Yourself” page with video frame and flash installer prompt “This content requires Adobe Flash Player 10.37. Would you like to install it now?”. The “setup.exe” file from “SquarePants”. When setup.exe is run, this file in turn drops and runs “bill103.exe” or “bill104.exe” and begins its badness. ThreatFire prevents it effectively.
Past posts on Koobface here.
If you are prompted to install the Flash Player, you can skip the install and go to the vendor’s site directly to download the player’s installer and install it in your web browser. Then browse the page you want to view. For legitimate sites, the content should play.
