McAfee says it got Koobface infection rates wrong

Facebook a 'treasure trove' of personally identifiable information
Facebook a 'treasure trove' of personally identifiable information

McAfee has said that detections of the Koobface worm have declined, after previously claiming that it had seen a resurgence.

The prevalence of the Koobface worm, best known for its rampage through social networks Facebook and MySpace a few years back, continues to decline, McAfee has now admitted.

The security company said it made a mistake when it reported last week, as part of its first-quarter threat report, that rates of the malware were dramatically climbing.

McAfee initially declared a resurgence because what it believed were unique samples of Koobface actually turned out to be instances where part of the worm's underlying code was packaged as part of other binary files and malware, said McAfee researcher Craig Schmugar in a blog post. 

“Besides the number of changes made to a malware's code base, sample counts can also be influenced by repacking of the same underlying code (a common evasion tactic used by malware distributors), garbage data or junk instructions added to binaries, and other forms of server or client polymorphisms (such as self-modifying code or web server scripts that result in a unique binary being served with each download),” he wrote.

“These factors led to our Koobface statistics being off by a large margin,” he continued, adding that Koobface remains in a ‘continuing decline' since Facebook outed the group behind the threat 18 months ago.

Sign up to our newsletters