Security
April 2, 2009 10:33 AM PDT

Microsoft helps keep Koobface virus off Facebook

by Elinor Mills

Microsoft is working with Facebook to keep the persistent Koobface virus off the popular social-networking site, the companies said on Thursday.

"In working with Facebook, we were able to add detection of Koobface to our Malicious Software Removal Tool (MSRT), which checks computers running Windows software to detect and remove viruses," Jeff Williams, a principal group program manager for the MSRT, wrote in a guest post on the Facebook Blog.

The MSRT has removed Koobface nearly 200,000 times from more than 133,600 computers around the world just in the past two weeks, he wrote.

Koobface is a mass-mailing virus that arrives in Facebook users' in-boxes announcing a message like "You look funny in this new video." Clicking on the link takes recipients to a Web site where they are prompted to download a Trojan masked as an Adobe Flash update. The Trojan could allow an attacker to remotely steal a victim's Facebook password and other information or even use the computer to launch attacks on other computers.

Koobface has been around since August, mostly targeting social networks, and a variant that targets only Facebook users surfaced in December. Facebook has been hit by at least one other version since then.

Details on how to protect against Koobface are on Facebook's security page.

March 2, 2009 12:05 PM PST

Facebook fights new Koobface worm, another rogue app

by Elinor Mills

Like flies to cow dung, rogue apps are swarming to Facebook.

The popular social-networking site has been hit by what's believed to be the fourth rogue app in a week or so and is investigating the spread of a new variant of the Koobface worm, according to security firm Trend Micro.

The Koobface worm spreads via a message from a Facebook friend that includes a link to what looks like a video, Rik Ferguson wrote on the Trend Micro blog.

This screenshot shows the fake YouTube Web site that the link leads to in the new variant of Koobface.

(Credit: Trend Micro)

The landing page displays the name and photo of the friend. Clicking the "install" button redirects to a download site for the file "setup.exe," which is the new variant of Koobface dubbed Worm_Koobface.az.

"Previous versions didn't have all these complexities and automation built in," Jamz Yaneza, a senior threat analyst and researcher at Trend Micro, said in an interview. "This new variant has a back end doing all the modifications."

Once the worm infects a computer it sends cookie information to a remote server, of which there are as many as 300 in the operation, he said. "Now you can use a third-party connection via the Facebook API," he said. The cookie information can include unencrypted log-in information, enabling attackers to masquerade as a legitimate Facebook user, Yaneza added.

The worm connects to a site using log-in credentials stored in the gathered cookies and sends messages to the friends of an infected user. It also sends and receives information from an infected machine by connecting to remote servers and allows attackers to execute commands on infected machines.

The worm is targeting users of other social-networking sites, including MySpace, Bebo, Friendster, hi5, MyYearbook, Tagged.com, Netlog, Fubar, and LiveJournal.com, Trend Micro said. An earlier version of Koobface hit Facebook.

Facebook spokesman Barry Schnitt said the company is investigating the new variant of Koobface.

Meanwhile, another rogue application is spreading that displays a message that says "Closing Down! You reported them for violating their terms and policies," Trend Micro said. Once the application is installed it spams itself to a victim's friends.

The news comes after word of Facebook swatting down a similar rogue app late last week and another one a few days before that.

"It seems that Facebook as an attack platform may be coming of age," Ferguson wrote in an e-mail.

Facebook implemented an app verification policy late last year after getting criticized for not vetting its apps enough. But the security and privacy "seal of approval" policy is voluntary.

Yaneza said it should be compulsory for all Facebook apps, just as Apple vets all iPhone apps.

Facebook's Schnitt said the company is looking into the app and would disable it if it turns out to be deceptive or malicious.

"It is important to note that we've built security into Facebook Platform by preventing any app, including the rare malicious app, from accessing sensitive information like contact info," he said in an e-mail.

"Only a small percentage of Facebook users have been affected by security issues, including Koobface," Schnitt said. "We're updating our security systems to minimize further impact, including resetting passwords on infected accounts and identifying and deleting malicious content sent by the virus. We've posted a note about this on our security page to educate users."

In a separate e-mail, Schnitt added: "Worms like Koobface update relatively frequently. Koobface is on its 28th version of the binary since it first started attacking social networking sites last summer. The difference is essentially in the webpages hosting it - the landing page where users are tricked into downloading a fake update that installs the virus. Users should be very suspicious of strange messages from friends and should always confirm a software update is necessary through the vendor's website (Adobe.com, etc.) before downloading it from a third party."

December 4, 2008 4:36 PM PST

Koobface virus hits Facebook

by Robert Vamosi

This message could lead you to the Koobface virus, say security experts.

(Credit: McAfee Avert Labs)

A worm responsible for sending Facebook users malicious code appears to be limited in nature, although the social engineering attack may be used again, say experts.

Facebook representative Barry Schnitt said the worm isn't new; it dates back to August, although the variant that first appeared on Wednesday targets only Facebook users.

Craig Schmugar, threat researcher for McAfee Avert Labs, confirmed this in a call with CNET News and said that, in general, Koobface strikes only social-networking sites.

After receiving a message in their Facebook in-box announcing, "You look funny in this new video" or something similar, recipients are then invited to click on a provided link. Once on the video site, a message says an update of Flash is needed before the video can be displayed. The viewer is prompted to open a file called flash_player.exe.

A new mass-mailing virus targeting Facebook users directs victims to a site asking to download a Trojan masked as an Adobe Flash update.

(Credit: McAfee Avert Labs)

Schmugar said the prompt for a new player should be a warning. "The messages you tend to get from these sites don't look quite right." For instance, IE will tell you where the update is coming from, and usually it's not an Adobe site.

If the viewer approves the Flash installation, Koobface attempts to download a program called tinyproxy.exe. This loads a proxy server called Security Accounts Manager (SamSs) the next time the computer boots up. Koobface then listens to traffic on TCP port 9090 and proxies all outgoing HTTP traffic. For example, a search performed on Google, Yahoo, MSN, or Live.com may be hijacked to other, lesser-known search sites.

Schmugar said this version of Koobface includes a bot-like component that could install other malicious apps at a later time.

Facebook's Schnitt said, "Only a very small percentage of Facebook users have been affected and we're working quickly to update our security systems to minimize any further impact, including resetting passwords on infected accounts, removing the spam messages, and coordinating with third parties to remove redirects to malicious content elsewhere on the Web."

Facebook has posted instructions on how to remove the infection.

McAfee's Schmugar said this attack is similar to e-mail attacks 10 years ago in that Koobface is using infected friends lists, reminiscent of early mass-mailing worms. As was the recommendation then, he advises users not to open any unexpected e-mail attachments, even if they are from someone they know.
