Facebook Malware and Countermeasures in a Nutshell
Social media predate the 21st century, and ever since their appearance malicious actors have tried to infiltrate the computers of unsuspecting people through them, hoping to:
1. Obtain sensitive information such as bank details and personal data.
2. Use the infected machine as a stepping stone in larger cyber-attacks.
3. Impersonate you and use your account for their own ends.
4. Install adware that bombards you with endless pop-up ads, send spam from your machine for profit, trick you into filling out surveys or otherwise extract money, and pass the malware on to more people through your machine to multiply those gains.
5. Retaliate, gain notoriety or prove that they can break into someone’s machine, and spread the malware to as many people as possible for the same reasons.
Every virus is malicious by definition; that is its raison d’être. To combat viruses on Facebook effectively, one must know not only the steps to take to protect oneself, but also the ways in which malware reaches one’s machine, because knowing when and where to expect it greatly reduces the risk of infection. In addition, one must know how to remove malicious code that has already arrived on the machine through a social medium such as Facebook.
Below, I discuss several notorious Facebook viruses: their purpose, how they spread, how to avoid them and, last but not least, how to get rid of them.
There are eight popular ways of attacking your Facebook profile:
1. Clickjacking, where a hidden action is executed when you click a button or link that is in plain sight.
2. Drive-by downloading, where malware is installed on your device simply by visiting a website, usually without any permission request or notice that a download is taking place.
3. Password compromise, where criminals create fake login pages, often inside Facebook applications, to trick you into entering your Facebook credentials, or request those details through apps by other means.
4. Direct messages, which become malicious when one or more of your friends’ accounts are compromised (infected): they unwittingly send you messages whose links often infect your machine as well.
5. Malicious content, another way criminals spread their malware: once your friend is infected, his account will most likely publish Wall posts (and other forms of sharing) containing malicious content.
6. Shortened links, which let criminals hide the malicious destination that the real URL would reveal.
7. Harmful apps, which get onto your device after you click a malicious link. Typically the link leads to a supposed video and you are asked to update a popular program such as Adobe Flash Player first; the “update” is the malware. These apps may also ask for sensitive information or login details.
8. Fake profiles, a widespread practice and the reason you should not add people you do not know. Such profiles usually carry photos of a very attractive woman or man to make them appealing and trick you into accepting the criminal as a friend. Once you do, the criminal not only spies on your personal information and photos but also sends you malicious content and messages.
WORM_STEKCT.EVL
Stekct.Evl is a relatively new Facebook worm, transmitted via the Facebook pop-up chat window. An infected friend unwittingly sends you a harmless-looking link to a website; if you open the link from the chat message, the worm automatically downloads a copy of itself to your machine. It affects only one operating system, Windows.
The bad news is that if you run an older version of Windows (Windows 2000, Windows XP, Windows 9x and so on) together with an out-of-date anti-virus product lacking full real-time protection and sandboxing, your anti-virus software may be unable to deal with the infection. Stekct.Evl not only attempts to override such protective software but also tries to delete it from the machine. This can make post-infection treatment difficult for some users, so the best defence for them is not to get infected at all.
Prevention.
One effective way of avoiding the worm is to make sure that it was really your friend who sent the message. Be patient: before opening the link, ask your friend whether they sent it and what it contains. If they want you to see the link, they will surely answer.
If they do not answer, the message was very likely sent by the malware and you should ignore it. Typically, when the worm is the sender, your friend will either not respond (they did not send the original message and may not be looking at Facebook at the moment) or tell you that they sent no link. In both cases you are safe from the malware, and you have stopped it from spreading to your friends through you.
Once you have established that the message is malware, notify your friend that their account is infected so they can take steps to remove it. Another means of protection is a decent anti-virus product with full real-time protection and sandboxing.
Prevention – Continued
The URL in the Facebook message leads to an archive file named
“May09-Picture18.JPG_www.facebook.com.zip”
The archive holds an executable, and the disguise is not especially cunning: the name mimics a picture and borrows the facebook.com domain, but the real extension is .zip. So if you are in doubt whether a link from your friend leads to this particular malware, trace the link and look for “May09…” in the destination.
The only problem is that the actual link is not in plain sight, because it has been passed through a URL shortening service (there are more than 300 URL shortening providers now).
Thus, to be safe you first have to preview the link to see where it leads and what is waiting there. Every well-known URL shortening service offers a way to preview a shortened link before opening it.
For instance, to preview a link shortened by bit.ly or goo.gl, paste the shortened link into your browser and add a plus sign at the end of the URL. Other services document their own preview methods. Another way to reveal the real URL behind a shortened one is a URL decoder such as http://trueurl.net/. If you cannot obtain a preview, fall back on the other step mentioned above, asking your friend, to avoid infection.
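The preview and decoding steps above can be scripted. The following Python example is added here and is not part of the original article or of any tool it mentions. It assumes the bit.ly/goo.gl “+” preview convention described above, resolves a shortened link one redirect at a time (refusing loops and overlong chains, both common obfuscation tricks), and checks whether the final file name is disguised the way the May09-Picture18 archive is. The short code, the intermediate hosts and the redirect table are constructed for an offline demonstration; only the archive name comes from the article.

```python
"""Inspect a shortened link before opening it (added example, not from the article)."""
import re
from urllib.parse import urlsplit, urljoin

# Shorteners whose preview page is simply the short link with "+" appended.
PLUS_PREVIEW_HOSTS = {"bit.ly", "goo.gl"}

# A link dressed up as a picture or video should never end in one of these.
EXECUTABLE_EXTS = {"zip", "rar", "exe", "scr", "com", "bat", "js", "vbs", "jar"}
MEDIA_EXTS = {"jpg", "jpeg", "png", "gif", "avi", "mp4", "wmv", "mov"}
REDIRECTS = {301, 302, 303, 307, 308}


def preview_url(short_url):
    """The shortener's own preview page, or None for an unknown service."""
    host = (urlsplit(short_url).hostname or "").lower()
    return short_url + "+" if host in PLUS_PREVIEW_HOSTS else None


def resolve_chain(url, fetch, max_hops=10):
    """Follow redirects one hop at a time using fetch(url) -> (status, location).
    Returns every URL visited, ending at the first non-redirect response.
    Loops and long chains raise ValueError instead of being followed blindly."""
    chain, seen = [url], {url}
    while True:
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        location = urljoin(chain[-1], location)   # Location may be relative
        if location in seen:
            raise ValueError("redirect loop at " + location)
        if len(chain) >= max_hops:
            raise ValueError("too many redirects")
        seen.add(location)
        chain.append(location)


def disguised_filename(url):
    """Reasons to distrust the file a URL points at, e.g. the article's
    May09-Picture18.JPG_www.facebook.com.zip: a decoy .JPG, a trusted domain
    pasted into the name, and the real extension hidden at the very end."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    exts = [e.lower() for e in re.findall(r"\.([A-Za-z0-9]+)", name)]
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("real extension is ." + exts[-1])
        if any(e in MEDIA_EXTS for e in exts[:-1]):
            reasons.append("decoy picture/video extension earlier in the name")
    if re.search(r"facebook\.com", name, re.I):
        reasons.append("filename impersonates facebook.com")
    return reasons


def inspect_link(url, fetch):
    """Everything worth knowing before clicking: preview page, hops, findings."""
    chain = resolve_chain(url, fetch)
    return {"preview": preview_url(url), "chain": chain,
            "final": chain[-1], "findings": disguised_filename(chain[-1])}


def http_fetch(url, timeout=10):
    """Live fetcher: one HEAD request with redirects disabled, so each hop is
    handed back to resolve_chain instead of being followed silently."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None                      # turns the redirect into an HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed redirect table standing in for real responses (offline demo).
# The short code and the hosts are made up; only the archive name is from the article.
FAKE_RESPONSES = {
    "http://bit.ly/abc": (301, "http://redirector.example/go?id=7"),
    "http://redirector.example/go?id=7": (302, "/files/May09-Picture18.JPG_www.facebook.com.zip"),
    "http://redirector.example/files/May09-Picture18.JPG_www.facebook.com.zip": (200, None),
    "http://bit.ly/loop": (302, "http://bit.ly/loop"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    print(inspect_link("http://bit.ly/abc", fake_fetch))
```

To run it against a real link, pass `http_fetch` instead of `fake_fetch`; the HEAD request never downloads the file, so inspecting a suspicious archive this way is safe, and the chain shows every intermediate host the shortener was hiding.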
Purpose
The purpose of the worm is to collect sensitive information (possibly for identity theft or for breaking into your bank account) and to use your Facebook account to send messages to your friends. Besides deleting your anti-virus software, Stekct.Evl installs a second worm, “WORM_EBOOM.AC”, which monitors your activity on social media such as Facebook, Twitter, MySpace and WordPress: it watches not only your private messages but also the posts you publish and even the ones you delete.
Post-infection treatment.
Treatment consists of booting the computer in safe mode, deleting several registry values and files via the Registry Editor, then restarting in normal mode and running your anti-virus software to scan for files detected as “WORM_STEKCT.EVL”. The Trend Micro Threat Encyclopedia entry for this worm lists exactly what must be deleted; the procedure is described in its “Solution” section.
The Koobface Virus (WORM_KOOBFACE.AZ)
Koobface is a not-so-recent worm that spreads through Facebook and other social media. Basically, you receive a message from a friend on Facebook (not through the pop-up chat window) containing a line like “This is the video with you on the street” and a link to watch it.
If opened, the link appears to take you to YouTube (classic phishing) or another trustworthy site, and the page looks as if it hosts a legitimate video: your Facebook friend is named as the person who posted it, and a photo lifted from his Facebook profile reinforces the impression (the imitated site may be YouTube or another one).
The catch is that “before” the video can play you are required to install something (such as a newer version of Adobe Flash Player), and if you click “Install” (thereby downloading setup.exe) the worm is saved on your device. The worm then reads your browser cookies, uses the session information stored in them to log in to your social media sites and tries to infect your friends by sending them the same message.
Purpose
The purposes of this worm, in terms of the objectives listed in the Introduction, are 4, 1 and 3. Namely, the worm alters your Google search results so that they consist of sites it wants to advertise, bombarding you with results that are really ads and make money for the criminals; if you own and develop websites, Koobface may steal your passwords and misuse them; the malware may also open pop-ups urging you to install “security software” that serves its operators’ ends; and it uses your social media accounts to send messages to your friends.
Prevention
There are many prevention methods. Firstly, only install software from respected and trustworthy websites: in the example above, a genuine Adobe Flash Player update comes from Adobe’s own site, not from a page that happens to demand it. Secondly, always confirm that a link really points to the trustworthy website it claims to point to.
Thus, to guard effectively against the worm and the phishing attempt, always check that the website’s name is spelled correctly; a lookalike may have a missing or an extra letter.
You should turn on any firewall you have and install reliable anti-virus software that actively protects you. The advice given earlier for Stekct.Evl, confirming with your friend that they really sent the link, applies to this worm as well. Last but not least, make sure that your browser is updated frequently and that it uses an anti-phishing blacklist.
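Checking a site’s spelling by eye is error-prone, so here is a small Python check, added here and not part of the original article, that compares the host of a link against a short list of legitimate domains (facebook.com, youtube.com and adobe.com, the sites the lures above impersonate) and flags typosquats, digit-for-letter substitutions, a brand used as a subdomain of some other domain, a brand embedded in a longer name, and punycode hosts. The lookalike URLs in the test are constructed, and the two-label domain extraction is a simplifying assumption.

```python
"""Does this link really point at the site it pretends to be? (added example)"""
from urllib.parse import urlsplit

# Sites the lures in this article impersonate (YouTube video, Flash update).
TRUSTED = ("facebook.com", "youtube.com", "adobe.com")

# Visually confusable substitutions used in lookalike domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def levenshtein(a, b):
    """Edit distance; a small value between a host and a brand means a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(s):
    """Undo the digit/letter swaps so faceb00k compares equal to facebook."""
    s = s.lower()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def registrable(host):
    """Assumes a two-label registrable domain (fine for .com; co.uk-style
    suffixes would need a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url):
    """Return (verdict, matched_domain). Anything but 'trusted' deserves a pause.
    The URL must carry a scheme, otherwise no host can be extracted."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ("invalid", None)
    labels = host.split(".")
    reg = registrable(host)
    if reg in TRUSTED:
        return ("trusted", reg)
    if any(label.startswith("xn--") for label in labels):
        return ("punycode", host)          # IDN host: may render as Latin lookalikes
    for brand in TRUSTED:
        name = brand.split(".")[0]
        if name in labels[:-2]:            # brand used as a subdomain of another site
            return ("brand-as-subdomain", brand)
        if levenshtein(normalise(reg), brand) <= 2:
            return ("lookalike", brand)    # typo, swapped letters or digit tricks
        if name in normalise(labels[-2]):  # brand embedded in a longer name
            return ("brand-in-name", brand)
    return ("unknown", reg)


if __name__ == "__main__":
    # Constructed lookalikes for demonstration; none of these is a known live site.
    for sample in ("https://www.youtube.com/watch?v=abc", "http://yuotube.com/video",
                   "http://faceb00k.com/login", "http://www.facebook.com.account-verify.example/",
                   "http://facebook-login.example/", "http://xn--fcebook-8va.com/"):
        print(sample, "->", classify(sample))
```

The distance threshold of 2 catches one transposition or two single-character slips; raising it increases false positives quickly for short brand names, so extend TRUSTED rather than the threshold when adding sites.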
Post-infection treatment.
It is not difficult to get rid of Koobface. Firstly, delete your cookies and change your password; this stops the worm from using your Facebook account. Secondly, enable login approvals, so that logging in from a new device requires a security code sent to your mobile phone.
Thus, even if Koobface lands on your machine, your Facebook account stays protected. To remove the worm itself and the other consequences of its presence on your device, run a full-system scan with up-to-date anti-virus software. It is that simple.
Malicious applications on Facebook
Malicious applications on Facebook appear and disappear just as quickly, but not without leaving a trail of destruction. Facebook promptly notices these malicious apps and removes them from its directory, but many people are affected before that happens: Facebook has 1 billion users, so every second that such an app remains in the apps database, a lot of people are hit.
“WARNING FROM FACEBOOK TEAM” (defunct) – analysis of similar malicious apps in the context of this one.
Background.
This malicious app has been removed from Facebook’s apps database, but it was active last year. That does not mean that similar malicious apps are not circulating in Facebook’s directory as we speak. If you are security savvy, you will immediately notice that such a warning cannot come from the Facebook team, because it is spread through your friend list.
Once you got curious and opened the app request that one of your friends had sent you, the app took you to its index page, where you were informed that you had to verify your Facebook account or it would be terminated. This warning created a sense of urgency for many people, making them agree to whatever the app requested.
Thus, they not only gave it their basic information and access to their profile information and photos, but also allowed it to post on their behalf (status updates, photos and so on). In this way the application gained control over an ever-expanding number of accounts. Similar malicious apps exist with the same goals, merely wrapped in a different message.
Purpose
The purpose of this (now defunct) app and of the similar ones circulating in Facebook’s directory matches objectives listed in the Introduction: to impersonate you and use your Facebook account to widen the pool of victims, and to lead every victim to a page claiming that a survey must be completed in order to continue. These are the so-called survey scams, which bring material gains to the operators when filled out; other similar apps may aim to obtain sensitive information for the attackers.
Prevention
Prevention methods vary. You can search Google or another search engine for an app you suspect of being malicious and check whether there are reports calling it malicious or a scam; if it is, someone has almost certainly written about it. You can also ask the friend who sent the request whether the app worked for him or turned out to be malicious. Most importantly, trust only the apps of reliable developers; this will help you avoid granting permissions to rogue apps. It is also useful to judge an app’s reliability and credibility from its messages, context and the ideas it presents.
Post-infection treatment
Assuming you have installed such an app, you can be certain that it is spreading spam to your Wall, Timeline and friends, so delete all traces of its messages, including references to it in the news feed and/or your profile. Next, terminate its control over your Facebook account: click the down arrow in Facebook, open Account Settings and then click Applications.
Once there, pick the malicious app(s) and remove and block them from the list of apps authorized to interact with your Facebook account. Also, do not forget to report the misconduct to Facebook by opening the app’s page and clicking the “Report/Contact This App” link.
Further context
An instance of a similar malicious app is Profile Viewer, which had the same purpose as the fake Facebook team warning. Specifically, it claims to do or show something it cannot (that you can see who viewed your profile and when) so that you grant the app permissions, which it then uses to your detriment. In addition, it is also a survey scam, as it requires you to fill out a survey before “continuing”.
Bear in mind that all apps claiming to track your profile views are fake, as developers are not given access to the information needed to build a “Profile Viewer”. More generally, be very cautious whenever an app claims to add a new feature to the Facebook platform, such as a profile viewer or a dislike button, as such apps are most likely fake and carry malware.
Also, be aware that with around 1 billion Facebook users, more and more people will try to achieve their ends by tricking others, so you must be cautious and attentive to detail to tell fake apps from real ones. A malicious app’s hook will almost always be some popular notion, idea, person or event; this is borne out by the numerous survey scams that were “successful” by claiming to show the demise of Osama Bin Laden, Whitney Houston or Lady Gaga.
Finally, do not give your Facebook account and password to third-party websites; do not click a notification (for instance, that somebody tagged you in a picture) that seems illegitimate, but open it yourself from your profile instead (if the notification is real); and, to avoid scam mails pretending to come from the Facebook team, bear in mind that Facebook will never ask for your password by email and that legitimate mails from Facebook usually begin with “update” rather than “notification”.
Conclusion
It can be concluded that malware has, to some extent, penetrated the Facebook community. Malware is created for several reasons (enumerated in the Introduction) and takes various forms, whether applications or executable files that install without your noticing and harm your device. To combat Facebook malware effectively, one must:
- Change your password regularly and clear the cookies that worms such as Koobface use to log in as you
- Remove any apps that seem shady or did not do what they claimed
- Be aware that inbox messages, chat messages, posts on Walls and Timelines, and notifications (such as a “notification” that somebody tagged you in a picture) may carry malware if the friend sharing them is infected, and ask that friend whether they really sent the message
- Enable login approvals
- Use up-to-date anti-virus software, preferably with full real-time protection, and an up-to-date version of your OS
- Enable a firewall and use an up-to-date browser with an anti-phishing blacklist
- Check where shortened URLs lead by previewing them or using a URL decoder
- Never give your Facebook account and password to third-party websites
- Delete spam, viral or malicious messages found on your Facebook profile and report any malware you find
- Only use apps from trustworthy developers
- If a dubious link claims to point to a well-known website, always check the website’s spelling to avoid phishing
- Remember that legitimate mails from Facebook usually consist of “update” notices rather than “notification” and that Facebook will never ask for your password by email
- Don’t click on a notification that looks illegitimate; check what it is about from your profile instead (if the notification is real)
- Judge an app’s reliability and credibility from its messages, context and the ideas it presents
- Only add friends you know to be real; don’t add strangers to your Facebook account
- Don’t trust apps that claim to add a new feature to the Facebook platform, such as a profile viewer or a dislike button
- Avoid links that lead to surveys you must fill out before you “continue”, as they are most likely scams
- Be aware that popular ideas, notions, people and events are often used as bait for scams
- Periodically read up on the latest Facebook threats to understand how to handle them.