Koobface Gone Wild: flash_update.exe Emerges On Facebook Links

Have you heard that Koobface, a social networking worm, is now spreading malware through flash_update.exe (fake Flash Player updates)?

Koobface is almost "Facebook" spelled backwards, in a sense. Lately, some links on Facebook friends' pages were found to be malicious links to malware downloads through a hacker's video page. The malware download comes from none other than the flash_update.exe file, which we know first-hand has been used to spread malware through social sites in the past.

There is no doubt that Facebook is a very enjoyable social networking site that is safe most of the time. It can become a serious nuisance, however, if you are confronted by a Koobface worm distribution site. Usually the Koobface site is presented as a page that includes a video link, using the old tactic of a fake Flash Player update to spread malware. Treat this warning as something to be educated about rather than taken to heart, as Facebook is still a safe and enjoyable social site to be on. We are not condoning clicking on any links on Facebook; we are just alerting you to real threats to be aware of.

Below is an example screenshot of the flash_update.exe file download on a malicious video page. [image source: ThreatFire Research Blog]

If you are ever confronted by a page that seems to contain a video and it offers an Adobe Flash update via the flash_update.exe file, it should be your responsibility to discontinue use of that particular web page. We have repeated it several times in other malware discoveries: Do not download Adobe Flash Player on any site other than Adobe.com! Adhering to this one rule will not only keep you from the Koobface worm but greatly reduce your chances of being infected by many other unknown malware parasites.

This Just In: Other executable files, such as bolivar26.exe and bolivar28.exe, have recently been found to be copies of, or replacements for, flash_update.exe on some malicious sites. Koobface has an MD5 of 3071f71fc14ba590ca73801e19e8f66d. Koobface may be referred to as Worm.KoobFace.A, Worm.KoobFace.B, Net-Worm.Win32.Koobface.a or Net-Worm.Win32.Koobface.b.
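A check for the indicators listed above, as an added example that is not from the original post: it walks a folder (a browser download directory is the assumed use) and reports files whose MD5 equals the published hash separately from files that only share one of the three names. The function names and the sample files in `demo()` are made up for illustration.

```python
import hashlib
import os
import sys
import tempfile

# Indicators copied from the post; everything else here is illustrative.
KNOWN_NAMES = {"flash_update.exe", "bolivar26.exe", "bolivar28.exe"}
KNOWN_MD5 = {"3071f71fc14ba590ca73801e19e8f66d"}

def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large downloads do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan(root, names=KNOWN_NAMES, md5s=KNOWN_MD5):
    """Return sorted (path, verdict) pairs found under root.

    'hash-match': content equals the published sample, whatever its name.
    'name-only' : a listed file name with a different hash; still worth a
                  look, since one MD5 identifies only one build of the worm.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of(path)
            except OSError:
                continue  # locked or unreadable file
            if digest in md5s:
                findings.append((path, "hash-match"))
            elif name.lower() in names:  # Windows names are case-insensitive
                findings.append((path, "name-only"))
    return sorted(findings)

def demo():
    """Scan a constructed, harmless sample folder."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("Flash_Update.EXE", "holiday_video.txt"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"constructed placeholder bytes")
        return [(os.path.basename(p), v) for p, v in scan(root)]

if __name__ == "__main__":
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, verdict in results:
        print(verdict, path)
```

A clean result only means these specific names and this one hash were not found in the folder that was scanned.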

The question has to be asked: Have you ever encountered a malicious link on Facebook, or a link to a page that offers a Flash Player update download in the form of flash_update.exe? If you are one of the unfortunate ones who have downloaded and run the flash_update.exe file, it may start to modify your Facebook profile, or you may get error messages plastered on your screen. If you have not encountered one of these links, you can now etch in your mind that you will never download a Flash Player update from any website other than Adobe.com.