Koobface Hijacks and Redirects Google Search Results to Third-Party Sites

When hackers are not busy thinking of new ways to convince user to purchase rogue security software, they're busy committing click fraud to earn extra money. As demonstrated in the video below, you will notice how when the user clicks on a particular result that points to a particular link, a Worm or Trojan (with rootkit capabilities) causes the Google search result to be redirected to random ad-filled websites. Click fraud is a tactic which hackers take advantage of simply because they can sign up to different affiliate advertising programs and receive payment for referring traffic to a website.

Upon further analysis, the malicious files discovered on the infected machine belonged to a variant of Worm.Koobface, which is a notorious worm known to spread on Facebook, Twitter and MySpace. The Koobface files were as follows:

• C:\Windows\sYSteM32\SvchOst.eXE -k fioo32
• C:\Windows\system32\drivers\fio32.sys
• C:\windows\system32\fio32.dll

This video was taken from a user's computer who came to us because he had a Koobface infection and could not remove it.

Koobface uses social networks as a platform to earn a user's trust by creating phony messages that include a malicious link and sends it to the contacts (list of friends) of infected users. The malicious link redirects a user's unsuspecting friend to a website (masquerading as the social network) that installs malware when the friend tries to play a video. The malware linked to Koobface is designed to route users to websites that are used to host ads targeted for click fraud and infects users by sending them to websites that warn them of a spyware threat on their computer and suggests an antispyware program to download, which is really a rogue anti-spyware. The scheme is so convincing that the user does not know that the Google search results were hijacked and the site that they clicked on is not the one they were intended to see and that they're about to download fraudware.

Search hijackers have been very popular as of late but date back to the beginnings of internet advertising. What's interesting and frightful is the subtle manner the Trojan alters Google results and displays their own results disguised as organic Google results, making it indistinguishable from the real thing. This hijacking method easily confuses computer users into believing that the results are directly coming from Google.com. Once a user clicks on a link from the hijacked search results, he/she gets redirected to various websites, and not to where the user should be directed. Laura Mather, chair of the Antiphishing Working Group's Internet Policy Committee, quoted as saying on DarkReading article "Consumers don't know how to look at URLs to tell where they are going..."

Unfortunately, most computer users are not even aware of their computer being infected with a malware threat such as a trojan, worm, or botnet until it has already engrossed itself deep within the system. So even though a user's computer may seem to be operating normally, the infection may be conducting a range of malicious activities.

A malware threat can take advantage of security holes on the IE browser and make changes to entries to the HOSTS file so when the user types a website, he/she gets redirected to the IP address of a scam site or sponsored search. What's worse, users may be looking at a familiar site, for example nytimes.com (the New York Times website), and a popup ad window may be launched intended to look like a Windows notification saying spyware has been detected on the computer. The fake Windows notification is used to trick users into downloading, installing, and eventually purchasing the rogue anti-spyware program to remove the imaginary spyware.