UPDATED: Koobface Facebook Worm Back With A Bang… Or Not

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

McAfee gets its figures totally wrong on Koobface and apologises

UPDATE: McAfee has admitted a major error in its calculations – noting on 7 June they got it completely wrong. In fact, Koobface samples have declined since Facebook’s actions, the company said. You can find its apology in full here.

Original story: A worm targeting Facebook users known as Koobface has seen its sample size triple in the last quarter, even though the social network and its partners thought they had seriously damaged the criminal operation last year.

There were over 115,000 samples detected by McAfee in the last quarter, compared to just under 40,00 in the previous quarter. It’s also over double the previous record number of samples recorded.

In early 2012, Facebook published the names of five men it believed were behind Koobface, which first appeared in July 2008, was estimated to have as many as 800,000 PCs under its control and made its owners millions of dollars.

facebook-logo-whiteKoobface clan

The social networking giant later awarded the University of Alabama at Birmingham’s Information Assurance and Joint Forensics Research (CIA|JFR) $250,000 for its help on stopping the Koobface worm doing more significant damage.

But despite the best efforts of the tech community, the has been a resurgence of interest in the malware, according to McAfee’s report.

“The resurrection of Koobface reminds us that social networks continue to present a substantial opportunity for intercepting personal information,” said Vincent Weafer, senior vice president of McAfee Labs.

Toralv Dirro, McAfee Labs EMEA security strategist, told TechWeekEurope: “We were surprised to see Koobface come back after the original ring behind the worm was exposed last year. We’re not sure whether it’s the same worm being run by different people, or if it’s simply a very similar threat, but Facebook’s security team is being active in trying to combat any kind of malicious activity on the network.”

Koobface’s comeback has highlighted another trend: old malware returning to cause trouble.

Trend Micro said last month it had seen a spike in the number of Zeus banking Trojans doing the rounds, with a sudden surge in activity in February, which has continued unabated.

The Pushdo malware has caught the attention of researchers too, which has come back in new strains containing clever code to mask the crooks’ command and control servers, querying legitimate websites as well as the attackers’ domains to make its C&C traffic blend in with regular traffic.

Overall McAfee said there had been a steady growth in mobile malware, with 50,926 samples, up from 38,000, and a “rapid increase in general malware” in the first quarter of 2013.

Worldwide spam doubled during the quarter too, “as it makes a comeback after more than a year of decline”, McAfee’s report read.

The Intel-owned security firm counted 1.9 trillion messages in March, lower than record levels but about twice the volume of December 2012.

What do you know about Internet security? Find out with our quiz!