Facebook has been around for years and it has constantly been gaining in popularity.  Part of the reason for this social network site’s success is that it represents a gold mine of information for employers, marketers, journalists, and, of course, cyber criminals.  There are plenty of examples of phishing attacks and other scams on this site.

One of the main threats that have been circulating on Facebook is called Koobface. The close observer will notice that this threat's name is very similar to one of the sites it targets.  Although this malware was first seen in August 2008, it continues to be very active and now attacks more users than ever before.  We are seeing the highest detection rate in North America and in Scandinavian countries, two places where Facebook is the most popular.  This seems normal since this threat usually spreads through messages on social networking sites.

On a technical level, Koobface has two interesting features.  First of all, it is not persistent.  This means that if this malware gets executed on a system, it will perform its attack, steal information, report it to a command and control server, and then delete itself.  The computer will be clean after a reboot.  The second interesting feature of this threat is its string obfuscation mechanism.  The obfuscation in itself is very simple; the author is using the “sprintf” function to concatenate small pieces of strings together before using them.  In short, it means that Koobface authors have decided to change the body of their malware instead of the packing layers like most other families to try to evade detection by security solutions.

Our recommendations to Facebook users are to be very cautious when clicking on any link or downloading a file.  Even if some content has been posted by a friend, it should be considered as untrusted.  One continuously updated source of information about Facebook is Facebook themselves, at http://www.facebook.com/security.

Pierre-Marc Bureau
Senior Researcher