Facebook is resetting some user passwords and scrubbing the service of malicious links in an attempt to eradicate a fast-spreading worm that redirects infected machines to a little-known search site, the company and security researchers said Friday.
The "Koobface" worm, which has been circulating through the popular social-networking service since at least Wednesday, continues to be a problem, said Craig Schmugar, a threat researcher with McAfee.
"We're not seeing increases in propagation," he acknowledged today, but noted that cleanup was a tough chore for Facebook. "It's a bit of a cat and mouse game for them," he said. "There are certainly millions of links on Facebook. How do you know which are the bad ones, which are the good ones? That's not without problems."
Wednesday, Schmugar was one of the first security researchers to notice Koobface's spread and notify Facebook.
Earlier in the week, Facebook users began reporting receiving spam messages such as "You look just awesome in this new movie" or "You look so amazing funny on our new video" that tried to dupe them into clicking on a link. If they did, they were taken to one of several compromised sites, said Schmugar, that then displayed a fake error message claiming that Adobe System Inc.'s Flash was out of date, and prompted them to download an update.
The "update" was nothing of the kind, but instead was an executable file that installed the Koobface worm, which in turn installed a background proxy server that redirected all Web traffic. According to Schmugar, the proxy servers listens on TCP port 9090, particularly for search requests to the major search engines, including Google, Yahoo, and Microsoft's Live Search.
"Search terms are directed to find-www.net," Schmugar said, "[which] enables ad hijacking and click fraud." The hackers are making money by redirecting users' searches to their own results, collecting cash from the ensuing clicks.
When Computerworld entered "thomas jefferson" as a search string at find-www.net, for example, the top result was a pitch for a free antivirus scanner. That scanner was, in fact, bogus and simply the first step in a so-called "scareware" scam that relies on sufficiently spooking users with phony warnings that they pay for fake security software.
Today, Facebook said it was dealing with the worm. "We're working quickly to update our security systems to minimize any further impact, including resetting passwords on infected accounts, removing the spam messages, and coordinating with third parties to remove redirects to malicious content elsewhere on the Web," said spokesman Barry Schnitt in an e-mail.
