Why Facebook Is Working with Microsoft to Fight Koobface Virus

In its efforts to prevent the spread of malware, Facebook’s security team has begun working with the Microsoft Malware Protection Center (MMPC) to combat the Koobface virus, which first surfaced on Facebook in the summer of 2008 and has frequently installed malicious code on users’ machines.

Koobface is a worm that crawls the social network by sending Facebook messages to people from the accounts of infected users. The messages contain common subject lines, such as “check out this video.” Inside these messages, users are asked to click on a link. If users click on that URL, their Facebook user name and password can be stolen, and they unknowingly enable their account to send out the same fraudulent messages to their friends. In many cases, malware will also be installed on their computers.

Here’s a look at how (and why) Facebook decided to reach out to Microsoft in contending with the security challenges posed by Koobface.

1. Dealing with the problem at its root: Facebook user machines

So far, Facebook has done a thorough job of dealing with Koobface, both preventively and reactively. As we highlighted, Facebook’s security team has implemented several security measures to stifle the spread of the virus. Those measures include the following:

  1. Facebook deletes content generated by the worm.
  2. Facebook blocks Wall posts that contain links to known phishing sites.
  3. Facebook uses automated systems to detect abuse on the site more quickly.
  4. Facebook posts updates on the status of security issues to the Facebook Security Page.

But according to Ryan McGeehan, a threat analyst at Facebook, those measures fail to address one inescapable fact: Once Facebook users fall victim to Koobface, the virus usually infects their machines and operating systems, where, if left untreated, it can launch more attacks when those users connect to the Internet (and Facebook specifically). Because millions of Facebook users run the Windows operating system, McGeehan said it made sense to reach out to Microsoft.

“Windows is out of our jurisdiction, so it made sense to talk with Microsoft,” McGeehan told Inside Facebook. “There’s a direct correlation of infected machines and the resulting [Koobface] spam.”

2. Getting results

After Facebook worked with Jeff Williams, a principal group program manager for MMPC, Microsoft added security patches to its Windows Updates to fix the machines of Facebook users that had been infected by the Koobface virus.

As Williams wrote in a guest blog post on Facebook on Thursday, “Since releasing our newest version of MSRT two weeks ago, we’ve removed Koobface nearly 200,000 times from over 133,677 computers in more than 140 different locales around the world.”

By fixing the operating system on those machines, McGeehan and his team hope that the overall spread of Koobface on Facebook can be curtailed more effectively. In the meantime, he says both companies will remain vigilant, as Koobface has a way of resurfacing in different forms. In his post, Williams noted that the virus is “highly polymorphic, with over 20,000 variations to date.”


Facebook realizes that it can only do so much to stop viruses like Koobface that derive a lot of their strength from festering on user machines. Facebook’s security team will continue to work with other technology and security vendors to align their efforts in fighting the spread of viruses and malware on the Web. Facebook’s work with MMPC (and the strong results) serves as an excellent example of how such conversations benefit not only the Facebook ecosystem, but Web users in general.

“Everyone on the Internet has problems with these kinds of malware,” McGeehan says. “It’s my job to connect with the other people in the industry, so we can help them and they can help us deal with it as effectively as possible.”