About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.


Facebook Worm

While Sean was visiting the NY office this past week, he noticed a Facebook message from one of his friends that included a suspicious link. When he clicked it, Firefox displayed a Reported Attack Site alert. Clearly, Sean's friend did not intentionally send this message.

Very few of my friends have been infected. Adam, who has approximately 2,500 friends on Facebook, estimates that only 50 of them have been infected. Facebook also appears to be reacting as aggressively as possible, so the worm hasn't been as successful as Samy. Yet.

A quick search uncovered a story with more information. The root cause of the problem is a Windows worm called W32.Koobface.A. Symantec has the following to say:

When the worm executes, it copies itself as the following file:

c:\windows\mstre6.exe

It also creates the following file which serves as an infection marker:xi

c:\windows\tmark2.dat

It then creates the following registry entry so that it runs every time Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"systray" = "c:\windows\mstre6.exe"

The worm deletes the following registry key:

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

When executed for the first time on a given machine it will display the following message box in order to distract user's attention from its real purpose:

Window title: Error
Window body: Error installing Codec. Please contact support.

Then it searches for cookies related to social networking sites. If none are found, the worm deletes itself.

If the worm finds the appropriate security cookie, it modifies the settings so that links to malicious sites will be added to the user's profile to trick visitors into following. These links will point to a copy of the worm disguised as a video codec.

This description omits one important detail. If the worm finds cookies related to a social networking site such as Facebook, it hijacks your session. Sending a message to all of your friends is just one of many things the worm could do. Infecting as many users as possible might be the first step in a much more sophisticated attack.

If you're infected, be sure to read Symantec's removal instructions.

This is a situation where heuristics like the safeguards Nate wrote about last year would be helpful. Clearly, Facebook can't protect its Windows users from worms, so it has to devise safeguards that can help prevent session hijacking even when a user's cookies have been compromised. There is no perfect solution, but I think more can be done to protect users.

To Facebook's credit, the link it displays in these forged messages is not direct. This makes it easy to detect the attack and warn users who try to follow the link:

The link you have clicked has been identified by Facebook as a malicious web site. For the safety and privacy of your Facebook account, we strongly suggest you avoid visiting this address.

In addition, anyone who tries to send a message with a link to geocities.com is denied and shown the following message:

Warning: This Message Contains Blocked Content.
Some content in this message has been reported as abusive by Facebook users.

It seems like Facebook is doing a good job addressing a problem that's not their fault. Brian has kindly offered to put me in touch with someone from Facebook's security team, so hopefully I'll have more information to share soon.

About this post

Facebook Worm was posted on Sun, 09 Nov 2008. If you liked it, follow me on Twitter or share:

8 comments

1.Paul Reinheimer said:

Was the worm smart enough to mimic the headers of the browser supporting the cookie or could this be filtered through browser fingerprinting? (rather than going all out with more advanced heuristics).

Mon, 10 Nov 2008 at 00:35:29 GMT Link


2.Tim said:

One more reason to use a mac ;)

Mon, 10 Nov 2008 at 00:37:05 GMT Link


3.Chris Shiflett said:

Paul, I'm not sure. I don't have access to a computer running Windows, but I'm hoping the Facebook security team won't mind sharing this sort of information.

Just making users enter their password before sending a message to all of their friends would mitigate how quickly something like this can spread. For users like me who almost never send a message to more than one person at a time, make us enter our password when doing so. Safeguards like these are very interesting and often overlooked.

Tim, I'm a happy Mac user myself. :-)

Mon, 10 Nov 2008 at 00:56:01 GMT Link


4.Radu said:

Interesting article - unfortunately more and more legitimate websites are reported attacked just like ratebeer.com has.

Google is doing a good job in reporting the sites as attacked (even from the search results you are not able to go to the attacked website)

Requesting a password or simpler as entering a captha image for every user action may be a good idea but not in every case.

You see... the worm may try to send instead of a message a note on the wall or other kinds of messages.

Instead facebook could stop messages that come in fast sequence (no more than 2 messages per minute); it can try also to ask for password for every 10 or 20 user actions (when a user interacts with a form.)

Tim - using a mac will protect you against windows worms but wait till mac will spread more and someone will write a worm designed just for mac.

Mon, 10 Nov 2008 at 05:19:09 GMT Link


5.yawnmoth said:

Given that Samy required no action on the users part, above and beyond viewing an infected users profile, whereas this one requires a little bit of social engineering to get someone to click on a link, I think it goes without saying that this one wouldn't be as effective.

I mean, if you have 2,500 friends, you don't seriously click on every link every one of them sends you, do you?

Mon, 10 Nov 2008 at 15:15:37 GMT Link


6.Chris Shiflett said:

Yes, good point. The message this worm sends is really just a phishing attack, and Facebook is doing a pretty good job protecting users. It can't possibly be as effective as Samy.

Judging by Symantec's description, the worm propagates itself using other social networks as well, but I don't know many details yet.

Mon, 10 Nov 2008 at 15:26:03 GMT Link


7.Stelian Mocanita said:

Not much I know so far, didn't get far with debugging it to get as far as http headers but I know that it gets all the content via zzzping.com.

And it seems like it got to myspace as well. Will try to dig a bit more into it maybe Chris will find a fix for it.

Tue, 11 Nov 2008 at 08:36:37 GMT Link


Hello! What’s your name?

Want to comment? Please connect with Twitter to join the discussion.