Update: Facebook Security Fighting Koobface Worm, Chain Letters
August 26th, 2008
By Justin Smith | 30 Comments
As many users are aware, Facebook has been fighting mounting security threats in recent weeks. Developers and analysts alike want to know more about what’s happening and what Facebook is doing to contain the threats, so here’s the story:
The Problems
1. A variant of the Koobface worm, originally detected by Kaspersky Lab a few weeks ago, has been spreading increasingly on Facebook in recent weeks. Here’s how it works:
Net-Worm.Win32.Koobface.b, which targets Facebook users, creates spam messages and sends them to the infected users’ friends via the Facebook site. The messages and comments include texts such as Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments and many others.
Messages and comments on MySpace and Facebook include links to http://youtube.[skip].pl. If the user clicks on this link, s/he is redirected to http://youtube.[skip].ru, a site which purportedly contains a video clip. If the user tries to watch it, a message appears saying that s/he needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codecsetup.exe is downloaded to the victim machine; this file is also a network worm. The result is that users who have come to the site via Facebook will have the MySpace worm downloaded to their machines, and vice versa.
2. In addition, recent chain letters have started to spread across Facebook with various types of misinformation, including messages like “Facebook is going to start charging you to use the site,” “Facebook is going to start shutting down accounts that aren’t active enough,” etc.
Facebook’s Response
Facebook has responded in a number of ways:
1. Facebook is deleting content generated by the worm (Facebook says they have “again contained” it) and spammy chain letters.
2. Facebook is posting updates on the status of security issues to the Facebook Security Page and publishing best practices for users to avoid phishing attacks, like these and these.
3. Facebook is asking users to pass on the following information:
We will never use any of the following methods to tell you information, or ask for you to take an action:
- Your Wall
- An inbox message from a friend—in other words, chain letters.
- Messages spread through Applications—if an application is telling you that Facebook is about to shut down, report it.
Since there’s been a lot of wrong information about Facebook spreading around, we’d like to clarify a few things for the record:
- We are not shutting down accounts that are not “active” enough.
- We are not going to start charging you to use Facebook.
- We will never ask you to send us your password or login information.
- We will never put the responsibility on YOU to send information to your friends. If we have information we need to share, it’s our job to get the word out.
- When we do communicate to you about the site (with the exception of posts made on this blog) it will always be from a collective Facebook. You won’t hear from me, personally, or from Mark, or from Dustin, or from any of the Facebook bloggers you’ve seen here.
So the next time you see a chain letter, chain wall post, or chain anything, report it to our User Operations team, and tell all your friends to ignore it. We could make a joke here about passing this entry on to ten of your friends, but that’s not cool.
4. Facebook is blocking Wall posts that contain links to known phishing sites.

5. Facebook is improving its automated systems to automatically detect abuse on the site more quickly.
6. Facebook is pursuing many of the perpetrators (the company sued alleged Facebook account hijacker Adam Guerbuez last week).
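As an added illustration (not Facebook's code and not part of the original post), the link check in item 4 can be sketched against the lure pattern in the Kaspersky description above: a trusted brand name used as a subdomain of an unrelated domain, plus an executable offered as a player update. The brand list, the blocklist entry, the rule names and the .example hostnames are all constructed for this sketch.

```python
import re
from urllib.parse import urlsplit

# Constructed policy data for this sketch; none of it comes from Facebook.
BRANDS = {"youtube": {"youtube.com"}, "facebook": {"facebook.com"},
          "myspace": {"myspace.com"}}
BLOCKLIST = {"known-phish.example"}      # stand-in for a feed of known-bad domains
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable(host):
    """Last two labels only; a production filter would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def check_url(url):
    """Return the list of rules a single URL trips (empty list = no finding)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ["unparseable"]
    reasons = []
    reg = registrable(host)
    if reg in BLOCKLIST:
        reasons.append("blocklisted:" + reg)
    # A brand name used as a subdomain label of somebody else's domain,
    # the youtube.<other-domain> shape of the lure links.
    for label in host.split(".")[:-2]:
        if label in BRANDS and reg not in BRANDS[label]:
            reasons.append("brand-in-subdomain:" + label)
    # The "Flash Player update" was really an executable (codecsetup.exe).
    if parts.path.lower().endswith(".exe"):
        reasons.append("executable-download")
    return reasons

def screen_post(text):
    """Map each URL in a Wall post or message to the rules it trips."""
    findings = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")      # drop sentence punctuation glued to the link
        reasons = check_url(url)
        if reasons:
            findings[url] = reasons
    return findings

# Constructed sample posts (lure wording taken from the description above).
SAMPLES = [
    "You must see it!!! LOL. http://youtube.video-host.example/watch",
    "Get the player here: http://cdn.known-phish.example/codecsetup.exe.",
    "My holiday clip: https://www.youtube.com/watch?v=abc123",
]
```

Calling screen_post on each entry of SAMPLES flags the first two posts and passes the third, since www.youtube.com sits under the brand's own registrable domain.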
Conclusion
What do Facebook’s recent security issues mean in the long run? Ultimately, it’s vital for everyone involved in the Facebook ecosystem that Facebook continue to invest in security detection and prevention. Everything in Facebook depends on user trust, and everyone wants these issues to have as little impact as possible.



August 27th, 2008 at 6:49 pm
I’ve received 3 spam chainletter wall posts in a month – ridiculous.
August 30th, 2008 at 1:24 pm
So, if you HAVE clicked on one of those links, what do you do?
September 4th, 2008 at 2:13 am
Yes, I’d like to know that too! I’ve infected my computer. Is there a fix?
September 12th, 2008 at 12:08 am
[...] further response to recent security issues Facebook has been facing from worms and chain letters, Facebook has released a new security feature [...]
September 15th, 2008 at 4:42 am
Help. My Facebook has been infected. It happened when Facebook changed over. I can’t access my status, notifications and I can’t send messages to anyone. HELP!!
September 17th, 2008 at 5:39 am
I got infected with Koobface and after trying out half a dozen antivirus programs the only one that worked was Antispyware, which I had to pay about $40 for. I then had to reconfigure my internet to not use a proxy connection.
If you get a box on your internet that pops up saying tinyproxy1.exe has stopped working, then you’ve got the virus.
My advice would be to not click on any links on facebook.
Laine
September 25th, 2008 at 1:38 am
I got infected with Koobface and I ran a full system scan with Symantec Antivirus software, it found it and removed it – so that’s my advice.
Dave
September 30th, 2008 at 3:52 pm
McAfee removed Koobface today FINALLY
October 12th, 2008 at 1:28 pm
I’m really confused. Please help me. I pressed the codec exe link by accident and the flash file saved onto my desktop. I didn’t open it and McAfee says I’m not infected. Is McAfee correct? I updated it just today. Thanks
October 15th, 2008 at 5:18 pm
Hello,
My work PC has been infected with the koobface worm from a fake facebook message from one of my friends.
I ran a virus scan yesterday on my work PC and it found the virus twice and said it’s been removed and a scan came out clean today BUT my PC is still playing up. Could it be hiding somewhere?
Also: If I log onto facebook at home will it infect my home PC also?
December 5th, 2008 at 12:24 am
I have infected my roommate’s laptop with Koobface, yikes. Ran the AVG which said that it removed it, now the computer is just frozen on reboot. What do I do?
December 5th, 2008 at 5:57 am
[...] piece of worm spreading through Facebook. The malicious code isn’t exactly new (it started surfacing in August), but has now been altered to strike social networking websites only and is currently [...]
December 5th, 2008 at 9:17 am
[...] Yesterday (Dec. 4, US time), reports began to appear that a virus targeting Facebook is spreading. The malware is not entirely new (it first appeared in August), but it has since been modified to target social networks and now appears to be spreading rapidly on Facebook. Because the virus tries to get in by posing as a message from a friend, the infection could spread explosively. Koobface messages carry subject lines such as “You look so funny on our new video” and contain a link to a site that claims to host a video. When the user clicks the link to watch the video, a message appears saying that the latest Flash Player must be downloaded to play it. This is how users are tricked into downloading a file containing the virus. An earlier version of the virus targeted MySpace, but it was quickly eradicated because MySpace took steps to tighten security. Facebook currently recommends on its security page that users run up-to-date antivirus software and change their password if they have been infected. Facebook particularly recommends changing passwords and is warning users by e-mail of the risk of infection. It is not known exactly how many of Facebook’s 120 million users have been infected. The best way to prevent this kind of infection is not to open unexpected attachments, even if they appear to come from a friend. More details and screenshots are here. (Image courtesy of MaximumPC.) [Original article] (Translation: Namekawa, U) [...]
December 7th, 2008 at 9:57 pm
[...] Variants of Koobface have been reported since August, when it struck MySpace. MySpace’s anything-goes website proved more vulnerable than Facebook; profile messages are littered with spam, so it was easy for Koobface to commandeer accounts and leave messages which pointed people to websites which could infect their PCs. Facebook was also affected, but the infection was quickly controlled. [...]
December 17th, 2008 at 12:58 pm
[...] Facebook has been actively fighting Koobface worm variants through a multi-pronged response for months, a new security vulnerability was identified by the [...]
January 13th, 2009 at 7:38 pm
[...] year a spammy chainletter proclaiming that Facebook was deleting inactive accounts (it isn’t) thrived by tapping into these fears. And as more users begin storing their vital documents and photos in [...]
January 13th, 2009 at 8:02 pm
[...] year a spammy chainletter proclaiming that Facebook was deleting inactive accounts (it isn’t) exploited fears of data loss. Now that more services are moving to the cloud, our most vital data (like [...]
January 13th, 2009 at 10:39 pm
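[...] This is not just an e-mail problem. Earlier this year, a spammy chain letter claiming, contrary to fact, that Facebook was deleting inactive accounts spread by exploiting fears of data loss. Computing that relies on services from the cloud will keep becoming more widespread, so the fate of important data (photos and documents) will rest more and more in the hands of web companies. For cloud service companies to thrive, they must be companies that users can entrust their data to with confidence. Holding users’ data hostage merely for a temporary boost in sales, or in the worst case deleting it, must never happen. [...]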
January 21st, 2009 at 12:31 pm
[...] has been investing heavily in security in recent years – especially in its crusade against the Koobface worm – but one new approach to phishing on Facebook may be cropping [...]
March 3rd, 2009 at 4:52 pm
[...] in August of last year, the “Koobface” worm spread throughout Facebook, tricking users into downloading software that used their login information to post messages on [...]
April 5th, 2009 at 7:01 am
[...] working with the Microsoft Malware Protection Center (MMPC) to combat the Koobface virus, which first surfaced on Facebook in the summer of 2008 and has frequently installed malicious code on users’ [...]
December 14th, 2009 at 11:54 pm
I think I just accidentally discovered that if you go into your privacy modes, and pick a friend to see how they (view) your profile, you can post on your own status updates AS that friend! I was browsing my page in the mode of another friend to see if they saw a comment, and I went to click into my own status update thread to respond to someone, but the picture by the blank field showed as HIM.