The men involved in this enterprise have been the subject of much investigation by Facebook’s security team, as well as by independent researcher Jan Droemer. But, it’s not like they are taking pains to hide. They post photos of their vacation trips to Monte Carlo, Spain and casinos in Germany. They check in on FourSquare.

“We’ve had a picture of one of the guys in a scuba mask on our wall since 2008,” said Ryan McGeehan, manager of investigations and incident response at Facebook.

The five men in this “gang” are:

* Anton Korotchenko AKA “KrotReal”
* Stanislav Avdeyko AKA “leDed”
* Svyatoslav E. Polichuck AKA “PsViat” and “PsycoMan”
* Roman P. Koturbach AKA “PoMuc”
* Alexander Koltysehv AKA “Floppy.”

Yes, they are Russian. And they operate openly in central St. Petersburg. Which explains why the FBI have not nabbed them. In the absence of cooperation with the police in Russia, Facebook decided to out these guys publicly.

“People who engage in this type of stuff need to know that their name and real identity are going to come out eventually and they’re going to get arrested and they’re going to be targeted,” Joe Sullivan, chief security officer at Facebook said. “People are fighting back.”

How Koobface works, and how you can protect yourself from it, was the topic of an excellent write-up on Sophos.

Reportedly the fourth rogue app to hit Facebook in a week, the new variant of the Koobface worm that once before terrorized the network poses as a social network friend, profile photo and all, and sends a message with a link to a video. The message claims the recipient is in the video.

The link leads to a spoofed YouTube page, complete with video responses and comments listed beneath an unplayable video. A message on the video screen prompts the user to download the latest Adobe Flash Player, which is actually an installation of setup.exe, which is actually WORM_KOOBFACE.AZ, hosted at over 300 IP addresses, all of them hosting the file as HTML_KOOBFACE.BA.

Security researcher Rik Ferguson at Trend Micro discovered and revealed the new variant, which targets not only Facebook, but Hi5, Friendster, MyYearBook, MySpace, Bebo, Tagged, Netlog, Fubar, and LiveJournal.

“The worm connects to a respective site using login credentials stored in the gathered cookies. It then searches for an infected user’s friends, who are then sent messages containing a link where a copy of the worm is downloaded. It also sends and receives information from an infected machine by connecting to several servers. This allows hackers to execute commands on the affected machine.”

The sophistication and social engineering of the worm is pretty disturbing. Consider the line of trust barriers it breaks by impersonating trusted sources: a social networker’s personal network on trusted social network, YouTube, and Adobe. In recent weeks we’ve also seen similar attacks on, involving, or spoofing users of URL shorteners, Twitter, Digg.com, and many Google services, including Gmail, Gtalk, Google Trends, and Google search results themselves.

Good antivirus programs should help detect and prevent installs, but also be wary of spoofed sites and fishy download prompts in the first place. If prompted to download Adobe Flash (and you don’t already have it), for example, go to Adobe’s website directly by manually keying it in and download from the official site.
 
 

What to Look For

Like most viruses, this one relies on deceit, and tries to get users to download it using a non-existent video as bait. David Sarno at the LA Times explains:

The virus’ most insidious property is that users receive the offending message from a friend: On Facebook, only people whom users have explicitly approved as friends can send them e-mails.

The Koobface e-mails have a subject like "You look so amazing funny on our new video," and contain a link to a YouTube-like video site that appears to contain a movie clip (see image).  The video, however, doesn’t play, and the website then asks the user to update his or her video software by downloading a file. It’s that file that contains the malicious code.

McAfee provides more information about Koobface and shows a screenshot of a possible page that users could land on to get to it:

What it Does

"As part of their malicious payload, the worms transform victim machines into zombie computers to form botnets," said security firm Kaspersky Lab when it reported on two variants of Koobface back in July. One variant targeted Facebook, while the other targeted MySpace.

Facebook’s security page says, "We’re currently helping our users with the recently discovered "Koobface" worm and phishing sites. If your account has recently been used to send spam, please visit one of the online antivirus scanners from the Helpful Links list, and reset your password here." The links list is as follows:

The worm must be affecting a lot of people now to make its way though the news so much all of a sudden. It’s been around for months, yet we haven’t heard much about it until now. Facebook users who have accounts that have been in jeopardy have been receiving emails about how to proceed.