
Microsoft and Facebook battle Koobface together

With Microsoft's assistance, Facebook has made great strides in fighting Koobface, a worm that has been wreaking havoc on social networking sites since last May.

Earlier this month, Microsoft updated its free Malicious Software Removal Tool (MSRT), after discussions with Facebook's security team, to detect and remove the Koobface family of malware. (Windows users should receive the updated MSRT through automatic updates.)

“Since releasing our newest version of MSRT two weeks ago, we've removed Koobface nearly 200,000 times from over 133,677 computers in more than 140 different locales around the world,” Jeff Williams, a principal group program manager at the Microsoft Malware Protection Center (MMPC), wrote in a Facebook blog posted Thursday.

Koobface propagates on social networking sites, such as Facebook and MySpace, through socially engineered messages sent to those on an infected user's “friend” list. The messages look like they are coming from a user's friend and employ subject lines such as, "Check out this video" or "LOL." By clicking on the links contained in messages, users can become infected with the worm or have their account credentials stolen, Williams said.

More than 20,000 Koobface variants have been identified, and the worm has been dubbed “highly polymorphic” because it is constantly changing to avoid detection.

Facebook has been dissecting the numerous variants of Koobface for months, using the information to tune its automated systems to quickly detect compromised accounts and delete malicious content, Facebook spokesman Barry Schnitt told Monday in an email. Once the company detects a spam message, it is able to delete those messages from all inboxes across the site.

“These efforts have slowed the worm down to a crawl on Facebook,” Schnitt said. “However, we don't have control over the individual user's machines.”

That is where Microsoft's efforts come in, he said.

“By all accounts, our continuing security measures on Facebook combined with Microsoft's measures at the operating system level have been very effective,” Schnitt said.

The Koobface family is not just limited to the Koobface worm. It also is made up of a number of components that can be used to distribute other malware, generate pay-per-click advertising revenue, steal sensitive data, and break CAPTCHAs, Microsoft's Scott Molenkamp wrote in a recent MMPC blog post.

Koobface was the sixth most common threat removed by MSRT this month, Williams said. The majority of machines infected by Koobface are in the United States (40 percent) and the UK (13.6 percent). Williams said the malware has predominantly affected English-speaking countries because of the socially engineered messages used to spread Koobface.
