
My Koobface / Facebook Roadblock experience

I figured I’d write up my experience with the Facebook Roadblock, as it might come in useful for other people who get locked out.

Last night I noticed Adium started spinning away on my dock, unable to connect to one of its configured networks, which turned out to be Facebook. A few minutes later I closed whatever browser tab I had open, and noticed that the Facebook tab I had open behind it was showing the “Please login to continue” dialog over my previous session. Clicking the login button took me to something I’d not seen before, the Facebook Roadblock:

The Facebook Roadblock

After a few minutes of checking the SSL certs, retyping bookmarks, checking for DNS spoofing, and even trying from my iPhone over the 3G data network (which still didn’t work: it instantly logged me out once it loaded and didn’t let me back in), I received an email claiming to be from Facebook. And the headers seemed valid too:

Return-Path: <notification+z4o6=[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
  server01.filesanctuary.net
X-Spam-Level:
X-Spam-Status: No, score=-99.0 required=5.0 tests=AWL,BAYES_50,
  DNS_FROM_OPENWHOIS,RCVD_IN_DNSWL_LOW,SPF_PASS,USER_IN_WHITELIST autolearn=no
  version=3.2.4
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from mx-out.facebook.com (outmail013.snc4.facebook.com [66.220.144.145])
  by server01.filesanctuary.net (Postfix) with ESMTP id CF77B315237
  for <[email protected]>; Thu, 28 Oct 2010 19:04:33 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha1; d=facebookmail.com; s=201006181024; c=relaxed/relaxed;
  q=dns/txt; i=@facebookmail.com; t=1288289073;
  h=From:Subject:Date:To:MIME-Version:Content-Type;
  bh=qEIXppA9YVJnzP16lPu8knjBLI4=;
  b=R8irJgwrt6XVn16hAvSUFeIlM++vWMcDyAYhNXrhKnQ6ItFMnyMlWp5Mpop9/8qW
  RBXeIrBlbl9R+MhQ7tTzmYKGcHpDpA4sMc27xKmYwDphIdANX0rgfCfxLzsRwYvJ
  wu+CZxtaBphfkFdMo0RZabSpGN4v5Q0WCW12jqDxKBM=;
Received: from [10.30.185.191] ([10.30.185.191:35133])
  by mta018.snc4.facebook.com (envelope-from <notification+z4o6=[email protected]>)
  (ecelerity 2.2.2.45 r(34222M)) with ECSTREAM
  id F6/5B-27367-13BB9CC4; Thu, 28 Oct 2010 11:04:33 -0700
X-Facebook: from zuckmail ([MTI3LjAuMC4x])
  by localhost.localdomain with local (ZuckMail);
Date: Thu, 28 Oct 2010 11:04:33 -0700
To: "Aaron B. Russell" <[email protected]>
From: Facebook <notification+z4o6=[email protected]>
Reply-to: Facebook <notification+z4o6=[email protected]>
Subject: Security Warning From Facebook
Message-ID: <[email protected]>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Notify: roadblock; mailid=333b85fG1e289220G6f8ad57G7b
Errors-To: notification+z4o6=[email protected]
X-FACEBOOK-PRIORITY: 0
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"

Dear Aaron B. Russell,

We have detected that your Facebook account is infected with a form of
malware, or virus, called Koobface. You downloaded the virus after
receiving a message from a friend, which invited you to view a video.

To restore your account, please log in to Facebook and follow the
instructions you see there. You can also learn more in our Help Centre at:

http://www.facebook.com/help/?topic=koobface

Thanks,
Facebook Security Team

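The headers above are what let you decide whether a “security warning” mail really came from the service it names, and the checks are mechanical: does the DKIM d= domain match the From: domain and the envelope sender (Return-Path), does the signature cover From/To/Subject, did our own SpamAssassin (identified by the host name in X-Spam-Checker-Version, not a header the sender could simply insert) record SPF_PASS, and which host and IP handed the mail to our MTA in the one Received: line we know is ours. The script below is an added example, not code from the original post. It runs those checks over a constructed sample modelled on the headers quoted above (the recipient address, the VERP local part and the DKIM b= value are placeholders, and the MTA name server01.filesanctuary.net is taken from the headers) and over a forged variant signed by a made-up domain, mailer.example. It does not verify the DKIM signature cryptographically; that needs the selector’s public key from DNS.

```python
"""Header triage: do the sender identities in a 'security warning' mail line up?
Added example, not code from the original post. The DKIM signature is not
verified cryptographically (that needs the selector's public key from DNS)."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_MTA = "server01.filesanctuary.net"  # the one Received: hop we know is ours
# Constructed sample modelled on the headers quoted in the post; the recipient
# address, the VERP local part and the DKIM b= value are placeholders.
SAMPLE = """\
Return-Path: <notification+z4o6@facebookmail.com>
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
  server01.filesanctuary.net
X-Spam-Status: No, score=-99.0 required=5.0 tests=AWL,BAYES_50,
  DNS_FROM_OPENWHOIS,RCVD_IN_DNSWL_LOW,SPF_PASS,USER_IN_WHITELIST autolearn=no
  version=3.2.4
Received: from mx-out.facebook.com (outmail013.snc4.facebook.com [66.220.144.145])
  by server01.filesanctuary.net (Postfix) with ESMTP id CF77B315237
  for <user@example.com>; Thu, 28 Oct 2010 19:04:33 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha1; d=facebookmail.com; s=201006181024; c=relaxed/relaxed;
  q=dns/txt; i=@facebookmail.com; t=1288289073;
  h=From:Subject:Date:To:MIME-Version:Content-Type;
  bh=qEIXppA9YVJnzP16lPu8knjBLI4=;
  b=PLACEHOLDER;
Received: from [10.30.185.191] ([10.30.185.191:35133])
  by mta018.snc4.facebook.com (envelope-from <notification+z4o6@facebookmail.com>)
  id F6/5B-27367-13BB9CC4; Thu, 28 Oct 2010 11:04:33 -0700
From: Facebook <notification+z4o6@facebookmail.com>
To: "Aaron B. Russell" <user@example.com>
Subject: Security Warning From Facebook

Dear user, please log in to Facebook and follow the instructions there.
"""
# Forged variant (hypothetical domain mailer.example): same visible From:, but
# signed and bounced by a domain the attacker controls. The DKIM signature
# itself could be perfectly valid; alignment is what catches it.
FORGED = SAMPLE.replace("d=facebookmail.com;", "d=mailer.example;").replace(
    "Return-Path: <notification+z4o6@facebookmail.com>",
    "Return-Path: <bounce@mailer.example>")

def unfold(value):
    """Collapse folded continuation lines of a header value into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()

def domain_of(value):
    """Lower-cased domain of the first address in a From:/Return-Path: value."""
    return parseaddr(unfold(value))[1].rpartition("@")[2].lower()

def parse_dkim(value):
    """tag -> value map of a DKIM-Signature header (whitespace is insignificant)."""
    parts = (p.split("=", 1) for p in re.sub(r"\s+", "", value or "").split(";") if "=" in p)
    return {k: v for k, v in parts}

def spamassassin_tests(status):
    """Rule names listed in the tests= field of X-Spam-Status (folded after commas)."""
    m = re.search(r"tests=(.*?)(?=\s+\w+=|$)", unfold(status))
    return set(re.findall(r"[A-Z][A-Z0-9_]*", m.group(1))) if m else set()

def triage(raw):
    msg = message_from_string(raw)
    dkim = parse_dkim(msg["DKIM-Signature"])
    signed = {h.lower() for h in dkim.get("h", "").split(":") if h}
    tests = spamassassin_tests(msg["X-Spam-Status"])
    # Received: lines are prepended by each hop, so index 0 is the one our own
    # MTA wrote. The HELO name is the sender's claim; the reverse-DNS name and
    # IP in brackets are what our MTA observed.
    top = unfold((msg.get_all("Received") or [""])[0])
    m = re.search(r"from (\S+) \(([^)]*)\) by (\S+)", top)
    helo, observed, by_host = m.groups() if m else ("", "", "")
    ip = re.search(r"\[([\d.]+)\]", observed)
    f = {
        "from_domain": domain_of(msg["From"]),
        "return_path_domain": domain_of(msg["Return-Path"]),
        "dkim_domain": dkim.get("d", "").lower(),
        "dkim_signs_from_to_subject": {"from", "to", "subject"} <= signed,
        "spf_pass": "SPF_PASS" in tests,
        "whitelisted": "USER_IN_WHITELIST" in tests,  # explains the -99.0 score
        "scanned_by_our_mta": OUR_MTA in unfold(msg["X-Spam-Checker-Version"]),
        "received_by_our_mta": by_host == OUR_MTA,
        "handoff_helo": helo,
        "handoff_ip": ip.group(1) if ip else "",
    }
    # Strict alignment: signing domain, visible From: domain and envelope
    # sender must be the same domain.
    f["aligned"] = f["from_domain"] == f["dkim_domain"] == f["return_path_domain"]
    f["consistent"] = all(f[k] for k in ("aligned", "dkim_signs_from_to_subject",
                          "spf_pass", "scanned_by_our_mta", "received_by_our_mta"))
    return f

if __name__ == "__main__":
    for label, raw in (("as quoted", SAMPLE), ("forged", FORGED)):
        r = triage(raw)
        print(f"{label}: {'consistent' if r['consistent'] else 'INCONSISTENT'} {r}")
```

Two caveats apply to any result this produces. Alignment only proves the mail came from whoever controls the signing domain, not that the domain is the one you expect: a phisher who registers a lookalike and signs with it passes every check here, so the d= domain still has to be recognised by a human. And the -99.0 score in the quoted headers comes from USER_IN_WHITELIST, a local whitelist entry, not from content analysis, which is why the script reports the whitelist hit separately.
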
Hmm. So I really was locked out. But was I really infected? As I use a Mac, I wondered if I’d been hit by the (supposedly harmless) OSX/Koobface.A virus (Intego Security Memo). But if that was the case, why didn’t VirusBarrier X6 tell me about it? And why didn’t I get the Java applet warning? My mind wandered back a couple of days and I remembered I’d logged in on my Windows 7-based HTPC recently too, so there was a slim chance that I got infected that way.

So off I went to set some scans running. Kaspersky Internet Security finished on the HTPC first due to its relatively small HD, but that was clean, which only left my MacBook Pro as a potential candidate for infection. After discovering just how long it takes to scan a 500GB hard disk (more than 8 hours)… VirusBarrier told me that it didn’t find anything on my laptop either.

VirusBarrier says "no virus detected"

Both Kaspersky Internet Security and VirusBarrier X6 claim to be able to deal with various versions of the Koobface worm/trojan hybrid, but neither of them picked anything up despite having the latest virus definition updates, so my systems seem to be clean. Having checked my systems meant that I was now “allowed” through the Roadblock (Facebook requires you to certify that you’ve checked your system — that said, it’s only a checkbox to tick and you could easily lie, but if you receive genuine reports that your computer appears to be compromised, it’s better not to chance it), and I went through this sequence of steps…

Facebook give you a few options to prove your identity
I opted for SMS message verification
Facebook then try to educate you about what happened...
... which is a really good idea (despite showing me Windows screenshots when I'm on a Mac)
... and then they forced me to reset my password (also good!)

And then after a confirmation screen, my account was restored.

So… what the hell happened? Well, from what I can tell my machines are not infected, so either my account was compromised, or it was a false alarm (possibly due to Adium’s frequent reconnects to Facebook Chat, because it drops the connection often). Either way, I think Facebook handled this very well from a security point of view. They also offered me a (Windows-only) 6-month free subscription to McAfee VirusScan Plus on the final confirmation screen, which I skipped as I’m on a Mac and already use Intego VirusBarrier X6, though it’s good to be offering protection to people who might not be protected.

I’m interested to hear if anyone else has gone through this (especially Mac users), so if you have a similar story to share, please drop me a comment.