Koobface Worm Attacks Facebook and MySpace Users

The Koobface worm has been circulating since August but in recent weeks variants, known as Worm.KoobFace.A and Worm.KoobFace.B, have increasingly spread via spam messages on social networking websites MySpace and Facebook.

Koobface worm creates deceptive spam messages and sends them to an infected users' list of friends through Facebook's messaging system. Koobface is able to send spam messages to a user's Facebook friends by downloading a file called tinyproxy.exe which installs a program called "Security Accounts Manager." The program tracks the cookies on a user's computer, detects the user's friends list, and sends them spam messages. Messages from the Koobface worm include the following subject headers: "You must see it!!! LOL," "Look you were filmed all naked!," "You look just awesome in this movie," or "Paris Hilton Tosses Dwarf On The Street." Koobface exploits social networks like Facebook because it knows that users will most likely not question a message that appears to come from one of their friends on Facebook.

If a Facebook user clicks on the link provided by the spam message, he/she is sent to a video website meant to mimic YouTube which will pop-up a message that tells the user that their Flash Player is outdated and to download the latest version to view a video. The download file is really the Koobface worm disguised as an executable file called flash_player.exe.

Koobface, with the help of the "Security Accounts Manager," monitors TCP port 9090 and proxies HTTP traffic from an infected computer to hijack search results from search engines like Google, MSN, and Yahoo.

Facebook spokesperson Barry Schnitt said, "Only a very small percentage of Facebook users have been affected and we're working quickly to update our security systems to minimize any further impact, including resetting passwords on infected accounts, removing the spam messages, and coordinating with third parties to remove redirects to malicious content elsewhere on the Web." Facebook has posted security steps to deal with the Koobface issue and other threats on its Security page.

To reduce the risk of infection, it is advisable to use caution when opening messages in Facebook. Facebook users should not open unexpected e-mail attachments or download files from suspicious or untrustworthy sources.