A screen capture of the offending Web page from McAfee's virus directory

Reports circulated today about a virulent piece of malware making its way around Facebook, a major hub of the social Web with 120 million users. Because of its walled-off internal e-mail system, Facebook has long been a tough target for spammers and other fraudsters, but the "Koobface" virus is a sign that the relative viral calm on the site -- which just today announced an ambitious program to extend its services outside its own tight perimeter -- may have been a luxury.

The virus' most insidious property is that users receive the offending message from a friend: On Facebook, only people whom users have explicitly approved as friends can send them e-mails.

The Koobface e-mails have a subject like "You look so amazing funny on our new video," and contain a link to a YouTube-like video site that appears to contain a movie clip (see image). The video, however, doesn't play, and the website then asks the user to update his or her video software by downloading a file. It's that file that contains the malicious code.

"Unfortunately, users are very trusting of messages left by 'friends' on social networking sites. So the likelihood of a user clicking on a link like this is very high," said Alexander Gostev, a security analyst at Kaspersky Lab, in a several-month-old blog entry about the virus. "At the beginning of 2008 we predicted that we'd see an increase in cyber-criminals exploiting MySpace, Facebook and similar sites, and we're now seeing evidence of this."

A variant of the Koobface virus was reportedly circulating on MySpace earlier this year but was eliminated after new security measures were put in place.

Facebook has posted limited instructions about how to remove the virus on its security page: In essence, users should install one of several available anti-virus programs, and be sure to change their Facebook password here.

UPDATE: Here are some more detailed instructions Facebook evidently sent to users whose accounts may have been compromised:

We have detected suspicious activity on your Facebook account and have reset your password as a security precaution. It is possible that malicious software was downloaded to your computer or that your password was stolen by a phishing website designed to look like Facebook. Please carefully follow the steps provided: 1. Run Anti-Virus Software: If your computer has been infected with a virus or with malware, you will need to run anti-virus software to remove these harmful programs and keep your information secure. For Microsoft: http://www.microsoft.com/protect/viruses/xp/av.mspx

http://www.microsoft.com/protect/computer/viruses/default.mspx



Then they had a link for Mac users too but it was broken. Will update if we get a better one.

-- David Sarno