Update: Facebook Security Fighting Koobface Worm, Chain Letters

As many users are aware, Facebook has been fighting mounting security threats in recent weeks. Developers and analysts alike want to know more about what’s happening and what Facebook is doing to contain the threats, so here’s the story:

The Problems

1. A variant of the Koobface worm, originally detected by Kapersky Lab a few weeks ago, has been increasingly spreading on Facebook in recent weeks. Here’s how it works:

Net-Worm.Win32.Koobface.b, which targets Facebook users, creates spam messages and sends them to the infected users’ friends via the Facebook site. The messages and comments include texts such as Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments and many others.

Messages and comments on MySpace and Facebook include links to http://youtube.[skip].pl. If the user clicks on this link, s/he is redirected to http://youtube.[skip].ru, a site which purportedly contains a video clip. If the user tries to watch it, a message appears saying that s/he needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codecsetup.exe is downloaded to the victim machine; this file is also a network worm. The result is that users who have come to the site via Facebook will have the MySpace worm downloaded to their machines, and vice versa.

2. In addition, recent chain letters have started to spread across Facebook with various types of misinformation, including messages like “Facebook is going to start charging you to use the site,” “Facebook is going to start shutting down accounts that aren’t active enough,” etc.

Facebook’s Response

Facebook has responded in a number of ways:

1. Facebook is deleting content generated by the worm (Facebook says they have “again contained” it) and spammy chain letters.

2. Facebook is posting updates on the status of security issues to the Facebook Security Page and publishing best practices for users to avoid phishing attacks, like these and these.

3. Facebook is asking users to pass on the following information:

We will never use any of the following methods to tell you information, or ask for you to take an action:

  • Your Wall
  • An inbox message from a friend—in other words, chain letters.
  • Messages spread through Applications—if an application is telling you that Facebook is about to shut down, report it.

Since there’s been a lot of wrong information about Facebook spreading around, we’d like to clarify a few things for the record:

  • We are not shutting down accounts that are not “active” enough.
  • We are not going to start charging you to use Facebook.
  • We will never ask you to send us your password or login information.
  • We will never put the responsibility on YOU to send information to your friends. If we have information we need to share, it’s our job to get the word out.
  • When we do communicate to you about the site (with the exception of posts made on this blog) it will always be from a collective Facebook. You won’t hear from me, personally, or from Mark, or from Dustin, or from any of the Facebook bloggers you’ve seen here.

So the next time you see a chain letter, chain wall post, or chain anything, report it to our User Operations team, and tell all your friends to ignore it. We could make a joke here about passing this entry on to ten of your friends, but that’s not cool.

4. Facebook is blocking Wall posts that contain links to known phishing sites:

5. Facebook is improving its automated systems to automatically detect abuse on the site more quickly.

6. Facebook is pursuing many of the perpetrators (the company sued alleged Facebook account hijacker Adam Guerbuez last week).

Conclusion

What do Facebook’s recent security issues mean in the long run? Ultimately, it’s vital for everyone involved in the Facebook ecosystem that Facebook continue to invest in security detection and prevention. Everything in Facebook depends on user trust, and everyone wants  these issues to be have as little impact as possible.

Social Media 101

Mediabistro Course

Social Media 101

Get hands-on social media training for beginners in our online boot camp, Social Media 101! Starting September 4, social media and marketing experts will teach you the best practices to be successful on social. Register before July 31 to get $50 OFF with early bird pricing. Register now!

 

Leave a Reply

31 Responses to “Update: Facebook Security Fighting Koobface Worm, Chain Letters”

  1. Nick Stamoulis says:

    I’ve received 3 spam chainletter wall posts in a month – ridiculous.

  2. april says:

    So, if you HAVE clicked on one of those links, what do you do?

  3. Pip says:

    Yes, I’d like to know that too! I’ve infected my computor, Is there a fix

  4. Inside Facebook » Facebook Responds to Wall Post Spam With New Security Feature says:

    [...] further response to recent security issues Facebook has been facing from worms and chain letters, Facebook has released a new security feature [...]

  5. Caroline Chaychuk-Reynolds says:

    Help .My Facebook has been infected. It happened when Facebook changed over. I cant access my status,notifications and I cant send messages to anyone HELP!!

  6. Laine says:

    I got infected with Koobface and after trying out half a dozen antivirus programs the only one that worked was Antispyware, which I had to pay about $40 for. I then had to reconfigure my internet to not use a proxy connection.

    If you get a box on your internet that pops up saying tinyproxy1.exe has stopped working, then you’ve got the virus.

    My advice would be to not click on any links on facebook.

    Laine

  7. Dave L says:

    I got infected with Koobface and I ran a full system scan with Symantec Antivirus software, it found it and removed it – so that’s my advice.

    Dave

  8. Linda says:

    McAfee removed Koobface today FINALLY

  9. Jo says:

    I’m really confused. Please help me. I pressed the codec exe link by accident and the flash file saved onto my desktop. I didnt open it and Mcafee says im not infected. Is Mcafee correct? I updated it just today. thanks

  10. Alicia says:

    Hello,
    My work PC has been infected with the koobface worm from a fake facebook message from one of my friends.

    I ran a virus scan yesterday on my work PC and it found the virus twice and said it’s been removed and a scan came out clean today BUT my PC is still playing up. Could it be hiding somewhere?

    Also: If I log onto facebook at home will it infect my home PC also?

  11. Marguerite Core says:

    I have infected my roommate’s laptop with Koobface, yikes. Ran the AVG which said that it removed it, now the computer is just frozen on reboot. What do I do?

  12. Koobface Virus Still Making The Rounds On Facebook says:

    [...] piece of worm spreading through Facebook. The malicious code isn’t exactly new (it started surfacing in August), but has now been altered to strike social networking websites only and is currently [...]

  13. Koobface Virus Still Making The Rounds On Facebook | Tech News and Information says:

    [...] piece of worm spreading through Facebook. The malicious code isn’t exactly new (it started surfacing in August), but has now been altered to strike social networking websites only and is currently [...]

  14. Koobface Virus Still Making The Rounds On Facebook : VCsAndAngels - Venture Capital / VCs, Angel Investors, Startup News, Etc says:

    [...] piece of worm spreading through Facebook. The malicious code isn’t exactly new (it started surfacing in August), but has now been altered to strike social networking websites only and is currently [...]

  15. Open Systems Journal » Blog Archive » Koobface Virus Still Making The Rounds On Facebook says:

    [...] piece of worm spreading through Facebook. The malicious code isn’t exactly new (it started surfacing in August), but has now been altered to strike social networking websites only and is currently [...]

  16. Koobface Virus Still Making The Rounds On Facebook | My Blog Channel says:

    [...] piece of worm spreading through Facebook. The malicious code isn’t exactly new (it started surfacing in August), but has now been altered to strike social networking websites only and is currently [...]

  17. 注意―SNSを狙うKoobfaceウィルス、Facebookで感染拡大中 says:

    [...] 昨日(米国時間12/4)、Facebookを狙うウィルスが増殖中だという報告が現れ始めた。このマルウェアは完全に新しいものではない。(最初に現れたのは8月)。しかしその後SNSをターゲットにするよう改変され、現在、Facebookで急激に増殖中のようだ。このウィルスは友達からのメッセージを装って侵入を図るので、感染が爆発的に拡大するおそれがある。Koobfaceのメッセージには「You look so funny on our new video〔新しいビデオにキミが写ってるよ。とってもおかしい〕」などといった表題が付けられており、動画が保存されていると称するサイトへのリンクが含まれている。ユーザーがビデオを見ようとしてリンクをクリックすると、「再生には最新のFlash Playerのダウンロードが必要です」というメッセージが出る。こうしてユーザーを騙してウィルスを含んだファイルをダウンロードさせるわけだ。このウィルスの以前のバージョンはMySpaceをターゲットにしていたが、MySpaceがセキュリティーを強化する措置を取ったためすぐに退治された。現在Facebookはセキュリティーのページでユーザーは最新のアンチウィルス・ソフトを使用すること、もし感染していた場合はパスワードを変更することなどを勧めている。Facebookは特にパスワードの変更を強く推奨しており、ユーザーへのメール中でウィルス感染のおそれがあることを注意している。Facebookの1億2000万のユーザーのうちで、果たしてどれほど感染者が出ているのか、正確なところは分っていない。こういった感染を防止するには、たとえ友達からのメールのように見えても、予期せぬ添付ファイルは開かないのがいちばんだ。さらに詳しい情報とスクリーンショットがここに。(画像はMaximumPCの好意による)CrunchBase InformationFacebookInformation provided by CrunchBase[原文へ](翻訳:Namekawa, U) ShowListings(“arc3″); ShowListings(“arc2″); AddClipsUrl = ‘http://jp.techcrunch.com/archives/20081205koobface-virus-still-making-the-rounds-on-facebook/’; AddClipsTitle = ‘注意―SNSを狙うKoobfaceウィルス、Facebookで感染拡大中’; AddClipsId = ’2CBE02C952CFE’; AddClipsBcolor=’#78BE44′; AddClipsNcolor=’#D1E9C0′; AddClipsTcolor=’#666666′; AddClipsType=’1′; AddClipsVerticalAlign=’middle’; 前の投稿へ トラックバック [...]

  18. Koobface Virus Still Making The Rounds On Facebook | RateJamaica says:

    [...] piece of worm spreading through Facebook. The malicious code isn’t exactly new (it started surfacing in August), but has now been altered to strike social networking websites only and is currently [...]

  19. SFluxe » Living Well in San Francisco » Why the Koobface virus spread so fast [Facebook] says:

    [...] Variants of Koobface have been reported since August, when it struck MySpace. MySpace’s anything-goes website proved more vulnerable than Facebook; profile messages are littered with spam, so it was easy for Koobface to commandeer accounts and leave messages which pointed people to websites which could infect their PCs. Facebook was also affected, but the infection was quickly controlled. [...]

  20. Facebook Security Flaw Found, Fixed says:

    [...] Facebook has been actively fighting Koobface worm variants through a multi-pronged response for months, a new security vulnerability was identified by the [...]

  21. Hinutech » KoobFace Virus Spreads on Facebook says:

    [...] piece of worm spreading through Facebook. The malicious code isn’t exactly new (it started surfacing in August), but has now been altered to strike social networking websites only and is currently [...]

  22. Why Do We Still Let Webmail Services Get Away With Deleting Our Data? says:

    [...] year a spammy chainletter proclaiming that Facebook was deleting inactive accounts (it isn’t) thrived by tapping into these fears. And as more users begin storing their vital documents and photos in [...]

  23. Thepeoplevoice » Blog Archive » Why Do We Still Let Webmail Services Get Away With Deleting Our Data? says:

    [...] year a spammy chainletter proclaiming that Facebook was deleting inactive accounts (it isn’t) exploited fears of data loss. Now that more services are moving to the cloud, our most vital data (like [...]

  24. Webメールサービスのユーザデータ削除をこれからも黙認していいのか? says:

    [...] これはメールだけの問題ではない。今年の初めには、Facebookが不活のアカウントを削除しているという…事実に反する…スパムっぽいチェーンメールが、データの喪失に対する不安につけ込んで広まった。クラウドからのサービスに依存するコンピューティングが今後もますます普及するだろうから、重要なデータ(写真や文書)の命がいよいよますますWeb企業の手に握られることになる。クラウドサービスの企業が繁栄するためには、ユーザが安心してデータをゆだねることのできる企業でなければならない。単に一時的な売上増のためにユーザのデータを人質に取ったり、ひどい場合には消してしまうようなことが、あってはならない。 [...]

  25. ArticleSave :: Uncategorized :: Why Do We Still Let Webmail Services Get Away With Deleting Our Data? says:

    [...] year a spammy chainletter proclaiming that Facebook was deleting inactive accounts (it isn’t) exploited fears of data loss. Now that more services are moving to the cloud, our most vital data (like [...]

  26. Security: Stolen Facebook Accounts Being Used to Phish for Money from Friends says:

    [...] has been investing heavily in security in recent years – especially in its crusade against the Koobface worm – but one new approach to phishing on Facebook may be cropping [...]

  27. Facebook’s Security Team Fighting Battles on Multiple Fronts says:

    [...] in August of last year, the “Koobface” worm spread throughout Facebook, tricking users into downloading software that used their login information to post messages on [...]

  28. Why Facebook Is Working with Microsoft to Fight Koobface Virus says:

    [...] working with the Microsoft Malware Protection Center (MMPC) to combat the Koobface virus, which first surfaced on Facebook in the summer of 2008 and has frequently installed malicious code on users’ [...]

  29. » Why Facebook Is Working with Microsoft to Fight Koobface Virus True HelloWorld Story says:

    [...] working with the Microsoft Malware Protection Center (MMPC) to combat the Koobface virus, which first surfaced on Facebook in the summer of 2008 and has frequently installed malicious code on users’ [...]

  30. Facebook Applications says:

    I think I just accidentally discovered that if you go into your privacy modes, and pick a friend to see how they (view) your profile, you can post on your own status updates AS that friend! I was browsing my page in the mode of another friend to see if they saw a comment, and I went to click into my own status update thread to respond to someone, but the picture by the blank field showed as HIM.

  31. Facebook Applications Development says:

    its all because of spammers and Facebook hate to spam things to their platform,

Get the latest news in your inbox
interested in advertising with inside facebook?

Social Media Jobs
of the Day

SEO Strategist

Hanley Wood
Washington, DC

Vice President of Technology

Emerald Media Group
Eugene, OR

Social Media Specialist

California Academy of Sciences
San Francisco, CA

Mobile Application Developer

California Academy of Sciences
San Francisco, CA

Opportunities in Digital Publishing

Pew Research Center
Washington, DC

Featured Company

Join leading companies like this one and recruit from the nation's top media job seekers on the Mediabistro Job Board. Every job post comes with our satisfaction guarantee. Learn More
 

Our Sponsors

Also from Inside Network:   AppData - Facebook & iOS Application Stats   PageData - Engagement Data on Facebook Pages   Facebook Marketing Bible   Inside Network Research
 
home | site map | advertising/sponsorships | about | careers | contact us | help courses | browse jobs | freelancers | events | forums | content | member benefits | reprints & permissions terms of use | privacy policy Copyright © 2014 Mediabistro Inc. call (212) 389-2000 or email us