Update: Facebook Security Fighting Koobface Worm, Chain Letters
August 26th, 2008
As many users are aware, Facebook has been fighting mounting security threats in recent weeks. Developers and analysts alike want to know more about what’s happening and what Facebook is doing to contain the threats, so here’s the story:
The Problems
1. A variant of the Koobface worm, originally detected by Kaspersky Lab a few weeks ago, has been increasingly spreading on Facebook in recent weeks. Here’s how it works:
Net-Worm.Win32.Koobface.b, which targets Facebook users, creates spam messages and sends them to the infected users’ friends via the Facebook site. The messages and comments include texts such as Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments and many others.
Messages and comments on MySpace and Facebook include links to http://youtube.[skip].pl. If the user clicks on this link, s/he is redirected to http://youtube.[skip].ru, a site which purportedly contains a video clip. If the user tries to watch it, a message appears saying that s/he needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codecsetup.exe is downloaded to the victim machine; this file is also a network worm. The result is that users who have come to the site via Facebook will have the MySpace worm downloaded to their machines, and vice versa.
2. In addition, recent chain letters have started to spread across Facebook with various types of misinformation, including messages like “Facebook is going to start charging you to use the site,” “Facebook is going to start shutting down accounts that aren’t active enough,” etc.
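An added example, not part of the original post or the Kaspersky write-up: the Koobface links described above put a trusted brand name ("youtube") in the leftmost label of an unrelated domain, and a message filter can flag exactly that pattern. The allow-list, function names and sample messages are assumptions made for this sketch; the real domains are elided on this page, so the samples use the reserved .example TLD.

```python
import re
from urllib.parse import urlsplit

# Brand label -> domains that legitimately carry it (assumed allow-list).
BRANDS = {"youtube": ("youtube.com",), "facebook": ("facebook.com",)}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def lookalike_links(message):
    """Return (url, brand) pairs where a brand name appears as a hostname
    label but the host is not under that brand's real domain."""
    hits = []
    for url in URL_RE.findall(message):
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed authority, e.g. unbalanced brackets
            continue
        for label in host.split("."):
            legit = BRANDS.get(label)
            if legit and not any(is_under(host, d) for d in legit):
                hits.append((url, label))
                break
    return hits


def should_block(message):
    """Decision a wall-post or inbox filter would act on."""
    return bool(lookalike_links(message))


# Constructed sample messages; hostnames are placeholders, not real indicators.
SAMPLES = [
    "You must see it!!! LOL http://youtube.video-host.example/watch?v=1",
    "Real clip: https://www.youtube.com/watch?v=abc",
    "Lunch at noon? http://cafe.example/menu",
    "Log in again at http://www.facebook.login.example/ please",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print("BLOCK" if should_block(msg) else "ok   ", msg)
```

A check like this catches only the brand-in-subdomain trick; it complements, rather than replaces, a blocklist of known malicious hosts.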
Facebook’s Response
Facebook has responded in a number of ways:
1. Facebook is deleting content generated by the worm (Facebook says they have “again contained” it) and spammy chain letters.
2. Facebook is posting updates on the status of security issues to the Facebook Security Page and publishing best practices for users to avoid phishing attacks, like these and these.
3. Facebook is asking users to pass on the following information:
We will never use any of the following methods to tell you information, or ask for you to take an action:
- Your Wall
- An inbox message from a friend—in other words, chain letters.
- Messages spread through Applications—if an application is telling you that Facebook is about to shut down, report it.
Since there’s been a lot of wrong information about Facebook spreading around, we’d like to clarify a few things for the record:
- We are not shutting down accounts that are not “active” enough.
- We are not going to start charging you to use Facebook.
- We will never ask you to send us your password or login information.
- We will never put the responsibility on YOU to send information to your friends. If we have information we need to share, it’s our job to get the word out.
- When we do communicate to you about the site (with the exception of posts made on this blog) it will always be from a collective Facebook. You won’t hear from me, personally, or from Mark, or from Dustin, or from any of the Facebook bloggers you’ve seen here.
So the next time you see a chain letter, chain wall post, or chain anything, report it to our User Operations team, and tell all your friends to ignore it. We could make a joke here about passing this entry on to ten of your friends, but that’s not cool.
4. Facebook is blocking Wall posts that contain links to known phishing sites.

5. Facebook is improving its automated systems to automatically detect abuse on the site more quickly.
6. Facebook is pursuing many of the perpetrators (the company sued alleged Facebook account hijacker Adam Guerbuez last week).
Conclusion
What do Facebook’s recent security issues mean in the long run? Ultimately, it’s vital for everyone involved in the Facebook ecosystem that Facebook continue to invest in security detection and prevention. Everything in Facebook depends on user trust, and everyone wants these issues to have as little impact as possible.

August 27th, 2008 at 6:49 pm
I’ve received 3 spam chain letter wall posts in a month - ridiculous.
August 30th, 2008 at 1:24 pm
So, if you HAVE clicked on one of those links, what do you do?
September 4th, 2008 at 2:13 am
Yes, I’d like to know that too! I’ve infected my computer. Is there a fix?
September 12th, 2008 at 12:08 am
[...] further response to recent security issues Facebook has been facing from worms and chain letters, Facebook has released a new security feature [...]
September 15th, 2008 at 4:42 am
Help. My Facebook has been infected. It happened when Facebook changed over. I can’t access my status, notifications and I can’t send messages to anyone. HELP!!
September 17th, 2008 at 5:39 am
I got infected with Koobface and after trying out half a dozen antivirus programs the only one that worked was Antispyware, which I had to pay about $40 for. I then had to reconfigure my internet to not use a proxy connection.
If you get a box on your internet that pops up saying tinyproxy1.exe has stopped working, then you’ve got the virus.
My advice would be to not click on any links on Facebook.
Laine
September 25th, 2008 at 1:38 am
I got infected with Koobface and I ran a full system scan with Symantec Antivirus software, it found it and removed it - so that’s my advice.
Dave
September 30th, 2008 at 3:52 pm
McAfee removed Koobface today FINALLY
October 12th, 2008 at 1:28 pm
I’m really confused. Please help me. I pressed the codec exe link by accident and the flash file saved onto my desktop. I didn’t open it and McAfee says I’m not infected. Is McAfee correct? I updated it just today. Thanks
October 15th, 2008 at 5:18 pm
Hello,
My work PC has been infected with the Koobface worm from a fake Facebook message from one of my friends.
I ran a virus scan yesterday on my work PC and it found the virus twice and said it’s been removed and a scan came out clean today BUT my PC is still playing up. Could it be hiding somewhere?
Also: If I log onto Facebook at home will it infect my home PC also?