Update: Facebook Security Fighting Koobface Worm, Chain Letters

As many users are aware, Facebook has been fighting mounting security threats in recent weeks. Developers and analysts alike want to know more about what’s happening and what Facebook is doing to contain the threats, so here’s the story:

The Problems

1. A variant of the Koobface worm, originally detected by Kaspersky Lab a few weeks ago, has been increasingly spreading on Facebook in recent weeks. Here’s how it works:

Net-Worm.Win32.Koobface.b, which targets Facebook users, creates spam messages and sends them to the infected users’ friends via the Facebook site. The messages and comments include texts such as Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments and many others.

Messages and comments on MySpace and Facebook include links to http://youtube.[skip].pl. If the user clicks on this link, s/he is redirected to http://youtube.[skip].ru, a site which purportedly contains a video clip. If the user tries to watch it, a message appears saying that s/he needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codecsetup.exe is downloaded to the victim machine; this file is also a network worm. The result is that users who have come to the site via Facebook will have the MySpace worm downloaded to their machines, and vice versa.

2. In addition, recent chain letters have started to spread across Facebook with various types of misinformation, including messages like “Facebook is going to start charging you to use the site,” “Facebook is going to start shutting down accounts that aren’t active enough,” etc.
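The Koobface chain described in item 1 (a link clicked on a social network, a look-alike "youtube" host, a redirect, then an executable offered as a Flash update) leaves a recognizable trail in web proxy logs. The sketch below is an added example, not code from Facebook or Kaspersky; the three-field log format (client, referrer, URL), the `.example` hosts and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SOCIAL = ("facebook.com", "myspace.com")   # lure sources named in the article
BRANDS = {"youtube": "youtube.com"}        # brand label -> its genuine domain

# Constructed sample proxy log: "client referrer url" (hosts are placeholders).
SAMPLE_LOG = """\
10.0.0.5 http://www.facebook.com/inbox/ http://youtube.lure-a.example/watch
10.0.0.5 http://youtube.lure-a.example/watch http://youtube.lure-b.example/video
10.0.0.5 http://youtube.lure-b.example/video http://youtube.lure-b.example/codecsetup.exe
10.0.0.7 http://www.facebook.com/home.php http://www.youtube.com/watch?v=abc
10.0.0.7 http://www.youtube.com/watch?v=abc http://www.youtube.com/player.swf
10.0.0.9 - http://downloads.vendor.example/setup.exe
""".splitlines()

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def impersonates(host):
    """True if a brand name is a label of a host outside the brand's real domain."""
    labels = host.split(".")
    return any(b in labels and not under(host, real) for b, real in BRANDS.items())

def find_chains(log_lines):
    """Return (client, exe_url, chain) for each executable fetched at the end of a
    chain that began with a social-network click on a brand look-alike host."""
    chains, alerts = {}, []                # chains: client -> hosts seen so far
    for line in log_lines:
        client, referrer, url = line.split()
        host, ref = host_of(url), host_of(referrer)
        chain = chains.get(client)
        if impersonates(host) and any(under(ref, s) for s in SOCIAL):
            chains[client] = [ref, host]   # step 1: click on the lure link
        elif chain and ref == chain[-1]:
            if host != chain[-1]:
                chain.append(host)         # step 2: redirect to the next host
            if urlsplit(url).path.lower().endswith(".exe"):
                alerts.append((client, url, list(chain)))  # step 3: fake update
    return alerts

if __name__ == "__main__":
    for client, url, chain in find_chains(SAMPLE_LOG):
        print(client, "fetched", url, "via", " -> ".join(chain))
```

Genuine youtube.com traffic and an unrelated installer download are included in the sample to show that neither the brand name nor an `.exe` download alone raises an alert; only the full chain does.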

Facebook’s Response

Facebook has responded in a number of ways:

1. Facebook is deleting content generated by the worm (Facebook says they have “again contained” it) and spammy chain letters.

2. Facebook is posting updates on the status of security issues to the Facebook Security Page and publishing best practices for users to avoid phishing attacks, like these and these.

3. Facebook is asking users to pass on the following information:

We will never use any of the following methods to tell you information, or ask for you to take an action:

  • Your Wall
  • An inbox message from a friend—in other words, chain letters.
  • Messages spread through Applications—if an application is telling you that Facebook is about to shut down, report it.

Since there’s been a lot of wrong information about Facebook spreading around, we’d like to clarify a few things for the record:

  • We are not shutting down accounts that are not “active” enough.
  • We are not going to start charging you to use Facebook.
  • We will never ask you to send us your password or login information.
  • We will never put the responsibility on YOU to send information to your friends. If we have information we need to share, it’s our job to get the word out.
  • When we do communicate to you about the site (with the exception of posts made on this blog) it will always be from a collective Facebook. You won’t hear from me, personally, or from Mark, or from Dustin, or from any of the Facebook bloggers you’ve seen here.

So the next time you see a chain letter, chain wall post, or chain anything, report it to our User Operations team, and tell all your friends to ignore it. We could make a joke here about passing this entry on to ten of your friends, but that’s not cool.

4. Facebook is blocking Wall posts that contain links to known phishing sites.

5. Facebook is improving its automated systems to automatically detect abuse on the site more quickly.

6. Facebook is pursuing many of the perpetrators (the company sued alleged Facebook account hijacker Adam Guerbuez last week).


What do Facebook’s recent security issues mean in the long run? Ultimately, it’s vital for everyone involved in the Facebook ecosystem that Facebook continue to invest in security detection and prevention. Everything in Facebook depends on user trust, and everyone wants these issues to have as little impact as possible.