
Facebook malware: How do they work, how to protect yourself against them and what to do if you get infected

February 7, 2013 by Ivan Dimov

1. Introduction

Social media's history precedes the 21st century, and ever since then malevolent people have attempted to infiltrate the computers of innocent people through these media in the hope of 1) obtaining sensitive information such as bank details and personal information, 2) using the machine as a bridge in major cyber-attacks, 3) impersonating you and using your account for their own ends, 4) installing some form of adware on your computer and bombarding your machine with endless pop-up ads, 5) spreading spam through your computer for material gain, deceiving you into filling out a survey or otherwise trying to acquire financial resources, and transmitting the virus to more people via your machine in the hope of multiplying that gain, 6) retaliating, gaining fame or proving that they can infiltrate someone's machine, or spreading the virus to a lot of people for the same reasons. Generally, every virus is malicious, as this is its raison d'être. To combat viruses on Facebook effectively, one must be aware not only of the steps that ought to be taken to protect oneself, but also of the various ways in which they can be transmitted to one's machine, as knowing when and where to expect them greatly reduces the risk of getting a virus. In addition, one must also become acquainted with the means of combating malicious code that is already on one's machine, imported via a social medium such as Facebook.


Below, I discuss several notorious Facebook viruses and talk about their purpose, their way of dispersal, ways of avoiding them and last but not least, getting rid of them.

2. Popular manners of attack on Facebook

There are 9 popular ways of attacking your Facebook profile. They are:

1) Clickjacking, where hidden actions are executed when you click on a button or link that is in plain sight.

2) Drive-by downloading, where malware is installed on your device the moment you visit a website. Drive-by downloading usually occurs without any permission request or notice that you are downloading the malware.

3) Password compromise, where criminals create false log-in pages to mislead you into giving your login details to Facebook applications, or otherwise request these details via Facebook's apps.

4) Direct messages can be malicious when one or more of your friends' accounts are compromised (infected) and they unwittingly send you messages which often lead to your machine contracting the malware as well.

5) Malicious content is another way in which criminals spread their malware. After your friend is infected, he will most likely send Wall Posts (and other means of spreading the word) with malicious content.

6) Shortened links are a way for criminals to disguise the malign content the real URL contains.

7) Harmful apps can be installed on your device after you click on a malign link. This usually happens when, after you click the link, you are asked to update a popular program like Adobe Flash Player (if the malicious app is disguised as a video). These apps may also ask for sensitive information or login details.

8) Fake profiles are a widespread practice and that is why you should not add people in Facebook that you do not know. Usually, these profiles include pictures of a very beautiful woman or man. This is in order to make the profile appealing and to trick you into adding the criminal as a friend. Once you do, they will not only spy on your personal information and photos, but also send you malicious content and messages.

9) E-mails are a popular method for phishing and spreading malware. The criminal sends you an e-mail that looks and feels just like a message from Facebook and claims that you have a new friend request or some notification; when you click on the link to add the friend or check the notification, you will have installed malware.

3. WORM_STEKCT.EVL

3.1: Background. Stekct.Evl is a relatively new Facebook virus, transmitted via the Facebook pop-up chat window. It can infect your machine if someone from your friend list who is infected unwittingly sends you a harmless-looking link to a website and you open it. If you open such a link from a Facebook chat message, the worm will automatically download a replica of itself. It affects only 1 OS; namely, Windows.

The bad part is that if you are using an older version of this OS (Windows 2000, Windows XP, Windows 9x etc.) and an out-of-date AV product without full real-time protection and sandbox when you get infected, your anti-virus software might not be able to deal with it. Stekct.Evl not only attempts to overrule such protective software but also tries to delete it from your machine. This may make post-infection treatment difficult for some users and the best way for them to deal with this malware is to not get infected at all.

3.2: Prevention. One effective way of avoiding the worm is to ensure that it really was your friend who sent the message. Just be patient before opening the link and ask your friend whether they sent it and what it contains. If they want you to see the link, they will surely answer.

However, if they do not answer, it is very likely a message sent by the malware and you should disregard it. Normally, if it is the worm, they will either not respond to your question (as it was not they who sent the original message and they might not be looking at Facebook at the moment) or they will tell you that they did not send you any link. In both cases, you are safe from the malware and you will not enable it to spread to your friends as well.

After you have ensured that this is a malware, you can notify your friend that they are infected so they can take measures to remove it. Another means to be protected is to have a decent AV product with full real-time protection and sandbox.

3.3: Prevention – Continued. The URL in the Facebook message leads to an archive file named "May09-Picture18.JPG_www.facebook.com.zip". It is in fact an executable and not that cunningly masked. Thus, should you be in doubt whether a link from your friend leads to this particular malware, trace the path of the link and check whether it contains "May09…".

The only problem is that the actual link is not in plain sight due to a URL shortening technique (there are more than 300 URL shortening providers now). Thus, in order to be safe you first have to preview the link, to see where it leads to and what sort of thing is there. Every famous URL shortening service provider gives you the option to preview a shortened link before opening it.

For instance, to get a preview of a link shortened by bit.ly or goo.gl, just copy the shortened link into your browser and add a plus sign at the end of the URL. A more comprehensive list of ways to preview shortened URLs on the various websites that offer shortening services is given in reference 4. Another way of seeing the real URL behind the shortened one is to use a URL decoder such as http://trueurl.net/. If you cannot get a preview of the link, follow the other step mentioned above to avoid infection.
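As an added example (not code from the article or from any of the cited sources), the checks from sections 3.2 and 3.3 can be turned into a small triage script: it builds the "plus sign" preview URL for bit.ly and goo.gl links, and it flags download names such as the worm's "May09-Picture18.JPG_www.facebook.com.zip", where an image extension is followed by a real archive or executable extension and a trusted domain name is embedded in the file name. The shortener set, the extension lists and the sample links are constructed assumptions, and the script only inspects the string it is given; it never fetches anything.

```python
"""Triage links received in social-media messages before opening them (added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse, unquote

# Shorteners whose preview page is reached by appending "+" to the short link
# (bit.ly and goo.gl, as described in the article). Constructed, not exhaustive.
PLUS_PREVIEW_HOSTS = {"bit.ly", "goo.gl"}

# Extensions that mean "program or archive", i.e. a payload rather than a picture.
PAYLOAD_EXTENSIONS = {".zip", ".rar", ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

# Domain names a scammer likes to embed in a file name to make it look legitimate.
TRUSTED_NAMES_IN_FILENAMES = ("facebook.com", "youtube.com")


def preview_url(url: str) -> Optional[str]:
    """Return the shortener's preview URL (short link plus '+'), or None if not a known shortener."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in PLUS_PREVIEW_HOSTS and parsed.path not in ("", "/"):
        return url.rstrip("/") + "+"
    return None


def filename_from_url(url: str) -> str:
    """Last path segment of the URL, percent-decoded; empty string if there is none."""
    path = unquote(urlparse(url).path)
    return path.rsplit("/", 1)[-1]


def suspicious_filename(name: str) -> List[str]:
    """Reasons why a file name looks like a disguised payload (empty list means nothing found)."""
    lowered = name.lower()
    # Every ".ext" token of 1-4 characters that is not followed by more letters/digits,
    # so "picture18.jpg_www.facebook.com.zip" yields ["jpg", "com", "zip"].
    tokens = re.findall(r"\.([a-z0-9]{1,4})(?![a-z0-9])", lowered)
    reasons: List[str] = []
    if not tokens:
        return reasons
    final = "." + tokens[-1]
    if final in PAYLOAD_EXTENSIONS:
        reasons.append(f"final extension {final} is an archive or executable")
        if any("." + t in IMAGE_EXTENSIONS for t in tokens[:-1]):
            reasons.append("an image extension appears earlier in the name (disguised as a picture)")
    if any(trusted in lowered for trusted in TRUSTED_NAMES_IN_FILENAMES):
        reasons.append("a trusted domain name is embedded in the file name to look legitimate")
    return reasons


def triage_link(url: str) -> Dict[str, object]:
    """Combine the checks: whether to preview first, and what the file name suggests."""
    preview = preview_url(url)
    name = filename_from_url(url)
    reasons = suspicious_filename(name) if name else []
    if reasons:
        verdict = "suspicious"
    elif preview:
        verdict = "preview first"
    else:
        verdict = "no obvious red flag"
    return {"preview_url": preview, "filename": name, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample links: a short link, the worm's archive name, and a harmless picture.
    for link in ("http://bit.ly/2abcXYZ",
                 "http://example.invalid/May09-Picture18.JPG_www.facebook.com.zip",
                 "http://example.invalid/holiday.jpg"):
        print(link, "->", triage_link(link))
```

The script deliberately stops at "preview first" for shortened links: the real file name only becomes visible once the preview page shows the destination, and that expanded URL can then be passed to `triage_link` again.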

3.4: Purpose. The purpose of the worm is 1) to collect sensitive information (possibly for identity theft or infiltrating your bank account) and 3) to impersonate you, as it uses your Facebook account to send messages to your friends. This is because Stekct.Evl, aside from deleting your anti-virus software, installs another worm called "WORM_EBOOM.AC" which monitors your browsing activity on various social media such as Facebook, Twitter, MySpace and WordPress. It examines not only your private messages but also posted messages, messages that were deleted and the act of posting itself.

3.5: Post-infection treatment. Treatment includes running your computer in safe mode and deleting several registry values and files via the Registry Editor, then restarting your device in normal mode and running your anti-virus software to scan for files detected as "WORM_STEKCT.EVL". The Trend Micro Threat Encyclopedia entry for the worm (reference 8) lists exactly what ought to be deleted; the procedure is described in its "Solution" section.

If you are using a newer version of Windows and a decent AV product with full real-time protection and sandbox you might be able to deal with it easily as the sandbox will run the risky file virtually and the AV will find the virus immediately after downloading. However, if you do not have such AV product you might not be able to install it after the infection as the worm strives to keep AV products away from your computer.

4. The Koobface Virus (WORM_KOOBFACE.AZ)

4.1: Background. Koobface is a not-so-recent malware which spreads through Facebook and other social media. Basically, you get a message from a friend on Facebook (not through the pop-up chat window) containing a sentence like "This is the video with you on the street" and a link to watch it.

If opened, the link makes it seem as though you are entering YouTube (classic phishing) or another trustworthy website. It also seems that a legitimate video is hosted there, because the website (whether it imitates YouTube or some other site) states that your Facebook friend uploaded the video and shows a photo taken from his Facebook profile to back this up.

The thing is that "before" playing the video you are required to install something (such as a newer version of Adobe Flash Player) and if you click "Install" (thus, downloading setup.exe) the worm is saved on your device. The worm then browses through your cookies, connects to your social media sites via the login information saved in these cookies and attempts to infect your friends by sending them the same message.

4.2: Purpose. The purposes of this worm, in terms of the objectives listed in the introduction, are 4, 1 and 3. Namely, the worm alters your Google search results so that they consist of sites it wants to advertise; thus, you are bombarded with search results which are ads and generate money for the wicked guys (4). Also, if you own and develop websites, the Koobface worm may steal your passwords and misuse them (1). Moreover, the malware may open pop-ups on your machine asking you to install "security software" which serves the criminals' own ends, and it may use your social media accounts to send messages to your friends (3).

4.3: Prevention. Prevention methods are many. Firstly, you should only install software from respected and trustworthy websites (in the above example, an Adobe Flash Player update should come from such a site, not from the page hosting the "video"). Secondly, you should always confirm that the link points to the trustworthy website it claims to point to. Thus, to guard yourself effectively against the worm and the phishing attempt, always check that the spelling of the website's name is correct; there might be a missing letter or an extra one.

You should turn on any firewall you might have and have reliable AV software installed which is actively protecting you. Another way to avoid Koobface is explained in 3.2 concerning Stekct.Evl; it applies to this particular worm as well. Last but not least, make sure that your browser is updated frequently and that you use a browser that has an anti-phishing blacklist.
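The "check the spelling of the website" advice in 4.3 is something a defender can automate. The following is an added example, not code from the article or from any cited source: it compares the domain of a link against a small, constructed allow-list of trusted sites and reports the kinds of imitation the article mentions (a missing or extra letter, and digits standing in for letters as in the "FACEB00K" scam referenced in the reference list). It goes one step beyond the article's specific case by also catching a trusted name used as a subdomain of an unrelated site. The allow-list, the edit-distance thresholds and the sample URLs are assumptions; the registrable-domain helper is deliberately naive (last two labels only) and does not use the public suffix list.

```python
"""Flag look-alike domains in links before trusting the site they claim to be (added example)."""
from typing import Tuple
from urllib.parse import urlparse

# Constructed allow-list of sites the article's scenarios impersonate.
TRUSTED_DOMAINS = {"facebook.com", "youtube.com", "adobe.com"}

# Digits commonly substituted for letters in scam domains (e.g. "faceb00k").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b (standard DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive 'site name': last two labels of the host (assumption: no public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_host(url: str) -> Tuple[str, str]:
    """Return ('trusted' | 'lookalike' | 'unknown', explanation) for the host of a URL."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown", "no host in URL"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    name = domain.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        tname = trusted.split(".")[0]
        # Trusted name placed in front of an unrelated site: facebook.com.example.invalid
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return "lookalike", f"'{trusted}' is only a subdomain of {domain}"
        # Digits standing in for letters: faceb00k.com
        if name.translate(HOMOGLYPHS) == tname:
            return "lookalike", f"digits substituted for letters to mimic {trusted}"
        # A missing, extra or swapped letter: facebok.com, faceboook.com
        max_dist = 2 if len(tname) >= 6 else 1
        if levenshtein(name, tname) <= max_dist:
            return "lookalike", f"'{name}' is within {max_dist} edits of '{tname}' ({trusted})"
    return "unknown", f"{domain} is not on the allow-list"


if __name__ == "__main__":
    # Constructed sample links covering the genuine site and three imitations.
    for link in ("http://www.facebook.com/login",
                 "http://www.faceb00k.com/verify",
                 "http://facebok.com/video",
                 "http://facebook.com.example.invalid/video",
                 "http://example.invalid/"):
        print(link, "->", classify_host(link))
```

The distance threshold is kept small on purpose: a large threshold would label unrelated short names as imitations, while the typical scam differs from the genuine name by only one or two characters, exactly the "missing letter or an extra one" the article warns about.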

4.4: Post-infection treatment. It is not difficult to get rid of Koobface. Firstly, you should remove your cookies and change your password. This will disable the worm from using your Facebook account. Secondly, you should enable login approvals. This will make logging in from a new device to require a security code sent to your mobile phone.

Thus, even if you get Koobface, your Facebook account will be unharmed. To remove the worm and eliminate the other consequences of its presence on your device, just run a full-system scan using up-to-date AV software. It is that simple.

5. Malicious applications on Facebook

Malicious applications on Facebook have appeared and disappeared just as quickly, but not without leaving a trail of destruction. The thing is that Facebook promptly notices these malicious apps and removes them from its directory but many people get infected before, as Facebook has 1 billion users and each second that such a malware is in the apps database, a lot of people get affected.

5.1: "WARNING FROM FACEBOOK TEAM" (defunct) – analysis of similar malicious apps in the context of the former one.

5.2: Background. This malicious app was removed from Facebook's apps database, but it was active last year. This does not mean that similar malicious apps do not circulate in Facebook's directory as we speak. If you are security savvy, you will immediately notice that such a warning cannot be from the Facebook team, as it is dispersed through your friend list.

Once you got curious and opened the request notification that one of your friends sent you, the app would have taken you to its index page, where you would be further informed that you had to verify your Facebook account or it would be terminated. This warning may have caused a sense of urgency to act in many people, making them agree to whatever the app requested from them.

Thus, they would not only give it their basic information, access to their profile information and photos, but also enable it to post on their behalf (status updates, photos, etc…). In this way, the application would have had control over an ever-expanding number of people. Similar malicious apps exist and have the same goals which are merely wrapped in a different message.

5.3: Purpose of similar malicious apps. The purpose of this (now defunct) app and of similar malicious apps which circulate in Facebook's directory is 3) and 5), or 1) (for similar apps), from the Introduction. Namely, to impersonate you and use your Facebook account to expand their pool of victims, and to lead every victim to a page which claims that you need to complete a survey in order to continue – the so-called survey scams, which provide material gain to the criminals if filled out. Other similar apps may instead intend to obtain sensitive information for the hackers.

5.4: Treatment. Treatment methods vary. You can search Google or other search engines for an app that you suspect of being malicious and check whether there are reports claiming that it is malicious or a scam; if it is, someone has definitely written about it. You can also ask the friend who sent the message whether the app worked for him or whether it proved malicious. Most importantly, trust only the apps of reliable developers/creators. This will help you avoid giving permissions to rogue apps. It is also useful to be able to deduce from the app's messages, context and presented ideas the degree of its reliability and credibility.

5.5: Post-infection treatment. Assuming that you have installed such an app, you can be sure that it is dispersing spam to your Wall, Timeline and friends, so you should delete all traces of its messages, including references to it in the newsfeed and/or profile. Next, you need to terminate its control over your Facebook account. This is done by clicking the down triangle in Facebook, then Account Settings, and then clicking on Applications.

After you have entered, just pick the one(s) that are malicious, remove and block them from the list of apps which you have authorized to interact with your Facebook. Also, do not forget to signal Facebook for this misconduct by entering the app window and clicking the "Report/Contact This App" link.

5.6: Further context. An instance of a similar malicious app is Profile Viewer which had the same purpose as the false Facebook team warning. Specifically, it claims that it does or shows something which it does not do or show (that you can see who viewed your profile and when) so you can give the app permissions, which it will use to your detriment. In addition, it is also a survey scam as it requires that you fill out a survey before "continuing".

Bear in mind that all apps which claim to track your profile views are fake, as developers are not allowed access to the information necessary to create "Profile Viewer" applications. This means that one should be very cautious when an app is claiming to add new features to the Facebook platform, such as a profile viewer or dislike button, as such apps are most likely fake and contain malware.

Also, be aware that as Facebook has around 1 billion users, more and more people will try to achieve their own ends by tricking others, so one should be cautious and attentive to detail in order to differentiate between fake and real apps. The malicious app's hook will almost always be some popular notion, idea, person or event. This is shown by the fact that numerous survey scams were "successful" by claiming to show the demise of Osama Bin Laden, Whitney Houston or Lady Gaga.

Finally, you should not give your Facebook account and password to third-party websites, you should not click on a notification (for instance, that somebody tagged you in a picture) that seems illegitimate, instead you should open it yourself from your profile (if the notification is real) and, lastly, to avoid scam mails which pretend to be coming from Facebook team itself, bear in mind that the Facebook team will never ask for your password via email and that legitimate mails from Facebook usually begin with "update" rather than "notification".

6. Conclusion

It can be concluded that malware has penetrated the Facebook community to some extent. There are several reasons (I have enumerated 6 in the Introduction) why malware is created. This malware takes various forms, whether applications or executable files which you will not even notice installing, and has negative effects on your device. To effectively combat Facebook malware one must:

  • Regularly change your password and not use cookies
  • Remove any apps that seem shady and that have not performed what they claimed they perform
  • Be aware that messages in your inbox, chat messages, posts on Walls and Timelines, and notifications (such as a "notification" that claims that somebody tagged you in a picture) may contain malware if the friend sharing them is infected, and ask your friend whether it was really they who sent the message
  • Enable login approvals
  • Use up-to-date anti-virus software, preferably with full real-time protection, and an up-to-date version of your OS
  • Enable a firewall and use an up-to-date browser that has an anti-phishing blacklist
  • Check the path of shortened URLs by previewing them or using a URL decoder
  • Not give your Facebook account and password to third-party websites
  • Delete spam, viral or malicious messages that can be found in your Facebook profile and report any malware found
  • Only use the services of trustworthy developers
  • If a dubious link points you to a well-known website, always check the website's spelling to avoid phishing
  • Note that legitimate mails from Facebook usually consist of "update" notices instead of "notification" and that Facebook will never ask for your password via mail
  • Don't click on a notification if it appears illegitimate, but see what it is about from your profile (if the notification is real)
  • Deduce from the app's messages, context and presented ideas the degree of its reliability and credibility
  • Only add friends that you know are real; don't add unknown people as friends to your Facebook account
  • Don't trust apps which claim to add a new feature to the Facebook platform, such as a profile viewer or dislike button
  • Avoid links which lead to surveys that need to be filled out before you "continue," as they are most likely scams
  • Be aware that popular ideas, notions, people and events are often a basis for scams
  • Periodically read materials on the latest threats in Facebook to understand how to handle them.

References:

  1. Rob Waugh, 'Beware the new computer virus spreading via chat messaging window on Facebook', 21 May 2012. Available at: http://www.dailymail.co.uk/sciencetech/article-2147486/Facebook-instant-messaging-window-used-spread-virus.html (Accessed 01/02/2013)
  2. Island Crisis (IC), 'Steckt.Evl – New Facebook Virus Spreading Through Chat'. Available at: http://www.islandcrisis.net/steckt-evl-new-facebook-virus/ (Accessed 01/02/2013)
  3. Cris Pantanilla, 'Worm Spreads via Facebook Private Messages, Instant Messengers', 17 May 2012. Available at: http://blog.trendmicro.com/trendlabs-security-intelligence/worm-spreads-via-facebook-private-messages-instant-messengers/ (Accessed 01/02/2013)
  4. Joshua Long, 'How to Preview Shortened URLs (TinyURL, bit.ly, is.gd, and more)', 11 April 2009. Available at: http://security.thejoshmeister.com/2009/04/how-to-preview-shortened-urls-tinyurl.html (Accessed 01/02/2013)
  5. Rik Ferguson, 'New Variant of Koobface Worm Spreading on Facebook', 1 March 2009. Available at: http://blog.trendmicro.com/trendlabs-security-intelligence/new-variant-of-koobface-worm-spreading-on-facebook/ (Accessed 01/02/2013)
  6. Facebook Help Center, 'Malware'. Available at: http://www.facebook.com/help/320234818071511/ (Accessed 01/02/2013)
  7. Michael Kwan, 'Facebook Viruses'. Available at: http://socialnetworking.lovetoknow.com/Facebook_Viruses (Accessed 02/02/2013)
  8. Trend Micro Threat Encyclopedia, 'WORM_STEKCT.EVL'. Available at: http://about-threats.trendmicro.com/us/malware/WORM_STEKCT.EVL (Accessed 02/02/2013)
  9. Umesh Wanve, 'Malicious App Sends Bogus Facebook Warnings', 6 June 2012. Available at: http://blogs.mcafee.com/mcafee-labs/malicious-app-sends-bogus-facebook-warnings (Accessed 02/02/2013)
  10. Facecrooks.com, 'WARNING : Announcement From FACEB00K Verification Team. All Profiles Must Be Verified – Facebook Scam', May 26 2012. Available at: http://facecrooks.com/Scam-Watch/warning-announcement-from-faceb00k-verification-team-all-profiles-must-be-verified-before-1st-june-2012-to-avoid-scams-and-scams-under-sopa-act-the-unverfied-accounts-will-be-terminated-facebook-s.html (Accessed 02/02/2013)
  11. James Brack, 'How to Avoid Viruses on Social Media', 24 June 2011. Available at: http://www.netlz.com/seo-blog/2011/06/24/how-to-avoid-viruses-on-social-media/ (Accessed 03/02/2013)
  12. Charlene Jimenez, 'Spotting the sneaky Facebook virus going around', 31 August 2012. Available at: http://agbeat.com/social-media/in-case-missed-it-theres-sneaky-facebook-virus-going-around/ (Accessed 03/02/2013)
  13. IAnewsletter, 'Social Media Malware', Vol.15, 2012. Available at: http://iac.dtic.mil/csiac/download/Vol15_No2.pdf (Accessed 05/02/2013)
Ivan Dimov

Ivan is a student of IT and Information Security. He is currently working toward a Master's degree in the field of Informatics in Sweden. He is also a freelance web developer engaged in both front-end and back-end coding and a tech writer. Whenever he is not in front of an Internet-enabled device, he is probably reading a print book or traveling.