'Koobface' virus spreading fast on Facebook
Reports circulated today about a virulent piece of malware making its way around Facebook, a major hub of the social Web with 120 million users. Because of its walled-off internal e-mail system, Facebook has long been a tough target for spammers and other fraudsters, but the "Koobface" virus is a sign that the relative viral calm on the site -- which just today announced an ambitious program to extend its services outside its own tight perimeter -- may have been a luxury.
The virus' most insidious property is that users receive the offending message from a friend: On Facebook, only people whom users have explicitly approved as friends can send them e-mails.
The Koobface e-mails have a subject like "You look so amazing funny on our new video," and contain a link to a YouTube-like video site that appears to contain a movie clip (see image). The video, however, doesn't play, and the website then asks the user to update his or her video software by downloading a file. It's that file that contains the malicious code.
"Unfortunately, users are very trusting of messages left by 'friends' on social networking sites. So the likelihood of a user clicking on a link like this is very high," said Alexander Gostev, a security analyst at Kaspersky Lab, in a several-month-old blog entry about the virus. "At the beginning of 2008 we predicted that we'd see an increase in cyber-criminals exploiting MySpace, Facebook and similar sites, and we're now seeing evidence of this."
A variant of the Koobface virus was reportedly circulating on MySpace earlier this year but was eliminated after new security measures were put in place.
Facebook has posted limited instructions about how to remove the virus on its security page: In essence, users should install one of several available anti-virus programs, and be sure to change their Facebook password here.
UPDATE: Here are some more detailed instructions Facebook evidently sent to users whose accounts may have been compromised:
We have detected suspicious activity on your Facebook account and have reset your password as a security precaution. It is possible that malicious software was downloaded to your computer or that your password was stolen by a phishing website designed to look like Facebook. Please carefully follow the steps provided:
1. Run Anti-Virus Software: If your computer has been infected with a virus or with malware, you will need to run anti-virus software to remove these harmful programs and keep your information secure. For Microsoft:
http://www.microsoft.com/protect/viruses/xp/av.mspx
http://www.microsoft.com/protect/computer/viruses/default.mspx
Then they had a link for Mac users too but it was broken. Will update if we get a better one.
-- David Sarno
RSS: Subscribe to this Blog
yeah, i got this thing twice in the past three days. One was a message from a friend saying I should be ashamed of the way I was dancing in the attached video. the other said something about how goofy my ass looked in the attached video.
Posted by: pete | December 04, 2008 at 09:43 PM
Hm. Is THAT why I kept getting a google (?) alert when i went to certain pages or approved certain "App" stuff.. and the alert said to beware of a phishing attempt? Link to "learn more" went to a Google hosted page.
Posted by: Susan Kitchens | December 04, 2008 at 10:10 PM
if anyone wants to give advice as to how to remove this virus, it would be appreciated
Posted by: Linda | December 04, 2008 at 10:11 PM
Here's the DIY fix for the virus: http://tinyurl.com/5wjrnd . I just did and it works A-OK (although you may have to go in and shut down the processes a few more times than they tell you to).
Posted by: tor | December 04, 2008 at 11:16 PM
Similar thing occured in my Friendster account. Good thing I deleted that message when I was hesitant to. Careful, careful!
Posted by: Alex R | December 05, 2008 at 05:17 PM
does this effect linux user whom channel through string ?
Posted by: shanne | December 05, 2008 at 06:57 PM
Hey, is this virus also spreading at friendster?
Posted by: Camilla | December 21, 2008 at 05:45 PM
One correction---the virus is still active at MySpace. I clicked on a link that was supposed to download an improved application for uploading videos and that was all it took. My video didn't upload and my computer was under serious attack. Don't trust ANY of these apps even if (as in my case) it identifies itself as being FROM MySpace.
Posted by: Cassandra Morrison | December 22, 2008 at 07:27 PM
It is spreading in Friendster too.
Posted by: AJfebuary9 | December 22, 2008 at 11:46 PM
I got this virus and think I mayhave cleaned it off.
I used the following programs...
Norton, Kapersky, Panda, AVG, Hijack this and spybot. THe microsoft anti malware program is garbage as well as windows defender. THey both said it was clean when in reality it was HORRIBLY infected. It took control of my pc and kept routing me to all kinds of website. You will need to spend at least 5-6 hours on this thing!!
Posted by: Bart | May 18, 2009 at 11:57 AM