Snipe.Net Geeky, sweary things.

Facebook and MySpace Users, Beware!

F

I have received two virus emails from two unrelated friends, indicating their accounts have been compromised. The messages are being sent through Facebook and both have had a spammy sounding subject line and a link to a geocities website. This was suspicious enough, but the fact that one message came from a friend I haven’t spoken to much in a year made it even more so.

The first virus email subject was “RE: You were caught on our secret camera!” and the second was “RE: You have a great hair cut in this movie” . The geocities addresses they pointed to were for user’s reedgates21 and richiemack11. I’ve googled both addresses and gotten no results, so my guess is that they are randomly generating geocities accounts and generating these emails. A co-worker just one too – variation on a theme. Subject is “Don’t cry! Your mom will never see this movie”, also pointing to geocities, user name rkssbcyzk. Another one, “I’m not kidding I just saw your pics all over a site address swimcaw” has come through as a wall post.

The links in the Facebook messages point to websites that contain viruses. Do NOT click on them.

Below are some examples of what they look like. (These are just images, so you can click on them for larger versions to see how the messages come into your inbox.)

Screenshot 1
Screenshot 2
Screenshot 2
Screenshot 3

If you’re using Firefox, your browser should warn you that you’re about to try to access a page that has been linked to virus/malware when you click on the Facebook messages in question, but if you’re using an older version of IE (shame on you!), you may not get any warning at all.

When You Receive a Virus Email

  1. DO NOT CLICK ON THE LINK
  2. Send an e-mail (or call) the sender, letting them know they are likely infected with a virus
  3. Suggest to the friend that they change their password from another, uninfected computer, and follow the steps further down in this article to remove the virus. (The method they use will depend on which virus they’ve been infected with.)
  4. Once the virus is cleared from the sender’s system, suggest they install a free anti-keylogger program and switching to Firefox just to be safe

Ultimately, its like anything else – common sense will go a long way. If the email seems odd (for example, the fact that the subjects sometimes start with “RE:”, as if they were replies to a message you sent, but you never sent a message with that subject), the phrasing seems off or not something your friend would actually say, something is probably awry. If you’re unsure, contact the friend directly and ask if they sent it to you.

This has been happening a lot lately, and the scenario Tech Crunch describes in this article sounds a lot like what’s happening here.

Keep in mind… Facebook applications do NOT have access to your password, so unless you installed an application that “required you” to download an executable application (any kind of .exe, .msi, etc), your Facebook applications should NOT be the cause. (Being an application developer, I can say that I couldn’t steal someone’s password even if I wanted to, using their API. HOWEVER there have been several reports of phony applications and groups that require some sort of download in order to get the full experience (Secret Crush was one of them).

NO application or group should EVER require you to download and install anything. If they do, report them to the social network immediately.

Also keep in mind that these viruses are not limited to Facebook users. I’m more familiar with the Facebook scenario because I avoid MySpace like the plague, but every time I login there are spammy and/or virus-y emails awaiting me. This isn’t as much a flaw in the Facebook platform as a result of social networks still being young and going through some growing pains. MySpace has just as much of a problem with these issues, if not moreso, since they have been historically less concerned about user experience and safety.

Another Variation – Fake YouTube Links

Another variation of the viruses being sent around Facebook is a similar message to users suggesting they are appearing in a YouTube video and providing the supposed link to view it. Instead of actually seeing a video, the virus advises viewers they need to download an updated version of Flash, which if followed may install a virus into the user’s computer. More info on that version, including sample messages and screenshots, is available here.

Why Its Working

If you find yourself infected, don’t be too hard on yourself. People have become so used to receiving emails from Facebook asking them to confirm this or that that it could be argued that people are more prone to click on a link that looks like it came from Facebook without being as diligent as we would be if we weren’t used to preforming this same action 10 times a day for legitimate Facebook actions. For example, most users of Facebook are familiar with the “Joe has added you as a friend on Facebook€¦” stock email.

Some users are conditioned to follow this process whenever they receive an email of this sort. Some people can receive this email several times every day and perform this login procedure so often it becomes automatic. This simple, clean design is very easy for a phisher to mimic. Since users are conditioned to follow this process blindly, they might not notice that the email is spoofed or that the address bar is slightly incorrect. This makes Facebook users ideal targets for the type of generic phishing attacks that are usually directed at financial institutions.

If You Clicked on the Link And Your Computer is Infected

I spent some time trolling Facebook’s forums to see if anyone had any specific direction on how to remove this virus from an infected machine. I found a few possible solutions, although since the people posting didn’t know or didn’t mention the name of the specific virus they were infected with, it may take some trial and error to find the solution that works best for you.

If your virus detection software determines that you’re infected with Bolivar23.exe, you can click here for directions on how to remove it.

In early August, there was a different one going around, called Koobface. Kaspersky’s website writes:

Net-Worm.Win32.Koobface.a spreads when a user accesses his/ her MySpace account. The worm creates a range of commentaries to friends’ accounts. Net-Worm.Win32.Koobface.b, which targets Facebook users, creates spam messages and sends them to the infected users’ friends via the Facebook site. The messages and comments include texts such as:
  • Paris Hilton Tosses Dwarf On The Street
  • Examiners Caught Downloading Grades From The Internet
  • Hello
  • You must see it!!! LOL. My friend catched you on hidden cam;
  • Is it really celebrity? Funny Moments and many others.
  • Yoou’re so prettty goood on thiis viddeo.
Messages and comments on MySpace and Facebook include links to youtube.[skip].pl. If the user clicks on this link, s/he is redirected to a site which purportedly contains a video clip. If the user tries to watch it, a message appears saying the user needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codesetup.exe is downloaded to the victim’s machine; this file is also a network worm. The result is that users who have come to the site via Facebook will have the MySpace worm downloaded to their machines, and vice versa. [more]

One confirmed method of removing this virus is by downloading MalwareBytes – for some at the time, it seemed to be the only out of the box software that was able to remove it.

Still another that was around this time, Troj/Dloadr-BPL Trojan horse, was reported on by Sophos:

Messages left on Facebook users’ walls are urging members to view a video (which pretends to be hosted on a Google website), but clicking on the link and visiting the webpage takes users to a site which urges them to download an executable to watch the movie.

Sophos detects the executable file as the Troj/Dloadr-BPL Trojan horse, which in turn downloads further malicious code (detected as Troj/Agent-HJX), and displays an innocent image of a court jester sticking his tongue out. [more]

In Conclusion

This isn’t the first wave of social network viruses, nor will it be the last. There isn’t one social network that is more prone to them than others. As we allow social networks to become a bigger part of how we communicate, we must simply remain cautious and avoid the temptation to become complacent. Pay attention to the links you click on that are sent through Facebook, the same way you pay attention to suspicious e-mails that come in through normal e-mail.

About the author

snipe

I'm a tech nerd from NY/CA now living in Lisbon, Portugal. I run Grokability, Inc, and run several open source projects, including Snipe-IT Asset Management. Tweet at me @snipeyhead, skeet me me at @snipe.lol, or read more...

By snipe
Snipe.Net Geeky, sweary things.

About Me

I'm a tech nerd from NY/CA now living in Lisbon, Portugal. I run Grokability, Inc, and run several open source projects, including Snipe-IT Asset Management. Tweet at me @snipeyhead, skeet me me at @snipe.lol, or read more...

Get in Touch