Attacker that sharpened Facebook's defences

By Riva Richmond, New York Times | Updated: 5 June 2012 02:22 IST
A friend on Facebook suggests that you watch an amazing or funny or sexy video. The link may seem innocuous enough. But with a few simple clicks, you could end up infecting your PC with the Koobface worm.

Koobface, whose name is an anagram for its preferred social network, is a malicious program that has plagued Facebook for more than two years, ensnaring hundreds of thousands of people and keeping the site's security team on the defense.

The worm was Facebook's first major security challenge and remains the most persistent threat on the site. As such, Koobface has played a big role in shaping Facebook's approach to combating malicious software, or malware, and propelled the development of increasingly elaborate defenses.

Yet the worm continues to be a thorn in the side of Facebook's in-house investigators, who say they are on the trail of the organized criminal group that created it but, so far, have been denied the satisfaction of arrests.

Koobface, which spreads only on social networks, appeared on Facebook in May 2008 and has hit nearly every major social network since then. While not the first or only worm to strike social sites, it is notable for the way it has relentlessly returned again and again, particularly to Facebook.

There have been 136 versions of Koobface's main component alone, said Ryan R. Flores, a senior threat researcher at the security software company Trend Micro. By continually adapting to obstacles set up by Facebook and the security industry, "Koobface is the one that made it big," he said.

The attacks have pushed Facebook to expand its security team, to develop a sophisticated apparatus for quickly detecting and stopping malicious activity, to create tools for talking with its users about security and to build relationships within the security industry. And the company continues to gather evidence that could help law enforcement arrest and prosecute those responsible.

"Our goal with regard to Koobface, and with every case, is to make sure that the damage stops, and that's our No. 1 priority," said Joe Sullivan, chief security officer at Facebook. "We want the message to get out that we will go on the offensive and that we will be aggressive in these types of cases."

The saber-rattling comes after Nick Bilogorskiy, a malware expert at Facebook, told a crowd at a security industry conference in September that Facebook knew the identities of Koobface's creators and was working with law enforcement. Mr. Sullivan declined to provide further details, citing a company policy on not discussing investigations.

The lack of arrests in the case underscores how difficult it is to find and apprehend online criminals, who often hide their tracks and live in countries where they have little to fear from the law.

Researchers at Information Warfare Monitor, a Canadian group, released a report on Friday that details the Koobface criminal enterprise, saying its operators live in St. Petersburg, Russia. "The Koobface gang might as well be living on Mars, so poorly developed are the mechanisms of international law enforcement cooperation," wrote Ron Deibert and Rafal Rohozinski in the report.

Nart Villeneuve, the report's lead researcher, estimated that the group earned more than $2 million from June 2009 to June 2010 by delivering the victims of its worm to unscrupulous marketers and makers of fake antivirus software. He said the release of the report coincided with a multiweek effort to dismantle the group's infrastructure and take down its "botnet," or network of Koobface-infected PCs, though he conceded it was likely to be rebuilt.

With the group still at large, Facebook can only limit the damage by acting quickly to stop attacks. The company's security team has about 20 members, but at any one time, some 50 Facebook employees from various departments are focused on such problems.

"When it comes to malware, it's kind of a companywide effort because it is one of our biggest threats," said Mr. Sullivan, who spent eight years as a prosecutor with the Justice Department and was its first prosecutor to focus full time on high-tech crime, working closely with the FBI and other agencies.

A Koobface attack starts with an invitation to watch a video and a message about updating the computer's Flash software. Clicking to get the update begins the download of Koobface, which gives criminals control of the computer, while the worm tries to spread itself further through the victim's social network contacts.

The computer then becomes part of the Koobface botnet, which the security software firm Kaspersky Labs estimates is made up of 400,000 to 800,000 PCs worldwide. "That definitely makes Koobface one of the most significant botnets out there," said Roel Schouwenberg, a senior researcher.

To halt Koobface, Facebook uses algorithms that can detect suspicious posts and hijacked accounts, looking for unusual behavior like log-ins from odd places and a surge in messages sent. Facebook also keeps a blacklist of malicious Web links to prevent them from being shared on the site. When Koobface posts find a way through, members of the operations team remove them.

All this typically happens within an hour or so of the suspicious posts, Mr. Sullivan said. "The whole purpose of a social network is to help facilitate communication. So as a result, there's the potential for fast propagation if we don't stay on top of things."

Facebook also has systems to detect the fake profiles the group uses to seed attacks. Still, researchers recently identified more than 20,000 fake accounts, which they reported to Facebook as part of the takedown effort. The profiles tend to include pictures of attractive women, and some accumulated as many as a thousand "friends," even though Facebook warns users not to befriend strangers on the site.

Facebook developers have created roadblocks that can help halt the attacks. For instance, if Facebook detects malicious activity and suspects a user's PC has become infected, it will temporarily suspend the account and require that the user run a free McAfee antivirus scan and remove infections.

The safeguards are not always foolproof. The Koobface group has managed to circumvent "Captcha" tests, or requirements to type words that are difficult for machines to read, by tricking its victims into solving them.

Some in the security industry express frustration over a lack of progress in the Koobface case. Mr. Rohozinski said his group decided to go public with its findings after becoming convinced that there would be no arrests.

Mr. Sullivan is taking a more patient approach. "The speed that investigations and prosecutions move, sometimes they can from the outside seem slow," he said. While the obstacles are real -- gathering evidence across borders is particularly time-consuming -- American law enforcement is committed to fighting international Internet crime, he said.

Raymond A. Pompon, senior security officer at HCL CapitalStream, which provides electronic services for financial institutions, said such prosecutions were tricky. "Oftentimes you do know who it is, but you actually have to prove this person did it -- his hands were on the keyboard."

If or when the time for prosecution comes, Facebook is unlikely to hold back. It has pursued a number of civil suits against spammers and scammers that have led to record judgments.

"We're pretty relentless," Mr. Sullivan said.
