About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.


Facebook Worm

While Sean was visiting the NY office this past week, he noticed a Facebook message from one of his friends that included a suspicious link. When he clicked it, Firefox displayed a Reported Attack Site alert. Clearly, Sean's friend did not intentionally send this message.

Very few of my friends have been infected. Adam, who has approximately 2,500 friends on Facebook, estimates that only 50 of them have been infected. Facebook also appears to be reacting as aggressively as possible, so the worm hasn't been as successful as Samy. Yet.

A quick search uncovered a story with more information. The root cause of the problem is a Windows worm called W32.Koobface.A. Symantec has the following to say:

When the worm executes, it copies itself as the following file:

c:\windows\mstre6.exe

It also creates the following file, which serves as an infection marker:

c:\windows\tmark2.dat

It then creates the following registry entry so that it runs every time Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "c:\windows\mstre6.exe"

The worm deletes the following registry key:

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

When executed for the first time on a given machine, it will display the following message box in order to distract the user's attention from its real purpose:

Window title: Error
Window body: Error installing Codec. Please contact support.

Then it searches for cookies related to social networking sites. If none are found, the worm deletes itself.

If the worm finds the appropriate security cookie, it modifies the settings so that links to malicious sites will be added to the user's profile to trick visitors into following. These links will point to a copy of the worm disguised as a video codec.

This description omits one important detail. If the worm finds cookies related to a social networking site such as Facebook, it hijacks your session. Sending a message to all of your friends is just one of many things the worm could do. Infecting as many users as possible might be the first step in a much more sophisticated attack.

If you're infected, be sure to read Symantec's removal instructions.

This is a situation where heuristics like the safeguards Nate wrote about last year would be helpful. Clearly, Facebook can't protect its Windows users from worms, so it has to devise safeguards that can help prevent session hijacking even when a user's cookies have been compromised. There is no perfect solution, but I think more can be done to protect users.
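As an added illustration (not code from this post, from Facebook, or from Symantec), here is a minimal server-side session guard in Python that combines the kinds of safeguard this post and its comments discuss: a client fingerprint bound to the session at login, a fresh-password requirement before messaging many friends at once, and a simple outbound rate limit. The header choice, thresholds, result strings and the `SessionGuard` API are all assumptions; note that the fingerprint check only catches a stolen cookie replayed by a client whose request headers differ from the browser that logged in, which is why it is a heuristic rather than a fix.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

REAUTH_WINDOW = 300   # seconds a fresh password entry stays valid (assumed value)
BULK_THRESHOLD = 5    # recipients above which a fresh password is required (assumed)
RATE_LIMIT = 2        # outbound messages allowed per minute (assumed value)


def fingerprint(headers: dict) -> str:
    """Hash two request headers; the value is bound to the session at login (assumed header choice)."""
    raw = headers.get("User-Agent", "") + "\x00" + headers.get("Accept-Language", "")
    return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class Session:
    user: str
    fp: str                 # fingerprint captured at login
    last_auth: float        # time the password was last entered
    sent: list = field(default_factory=list)  # timestamps of recent outbound messages


class SessionGuard:
    def __init__(self):
        self.sessions = {}

    def login(self, sid: str, user: str, headers: dict, now: float) -> None:
        self.sessions[sid] = Session(user, fingerprint(headers), now)

    def reauth(self, sid: str, now: float) -> None:
        # Called after the user re-enters their password for a sensitive action.
        self.sessions[sid].last_auth = now

    def send_message(self, sid: str, headers: dict, recipients: list, now: float) -> str:
        s = self.sessions.get(sid)
        if s is None:
            return "no-session"
        # 1) A stolen cookie replayed from a client whose headers differ from the
        #    login fingerprint: terminate the session rather than honour the request.
        if not hmac.compare_digest(s.fp, fingerprint(headers)):
            del self.sessions[sid]
            return "fingerprint-mismatch"
        # 2) Messaging many friends at once requires a recent password entry.
        if len(recipients) > BULK_THRESHOLD and now - s.last_auth > REAUTH_WINDOW:
            return "reauth-required"
        # 3) Throttle bursts of outbound messages within a one-minute window.
        s.sent = [t for t in s.sent if now - t < 60]
        if len(s.sent) >= RATE_LIMIT:
            return "rate-limited"
        s.sent.append(now)
        return "sent"
```

In a real deployment the fingerprint and timestamps would live in server-side session storage, and the actual password check behind `reauth` is left out here.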

To Facebook's credit, the link it displays in these forged messages is not direct. This makes it easy to detect the attack and warn users who try to follow the link:

The link you have clicked has been identified by Facebook as a malicious web site. For the safety and privacy of your Facebook account, we strongly suggest you avoid visiting this address.

In addition, anyone who tries to send a message with a link to geocities.com is denied and shown the following message:

Warning: This Message Contains Blocked Content.
Some content in this message has been reported as abusive by Facebook users.

It seems like Facebook is doing a good job addressing a problem that's not their fault. Brian has kindly offered to put me in touch with someone from Facebook's security team, so hopefully I'll have more information to share soon.

About This Post

Facebook Worm was posted on Sun, 09 Nov 2008 at 23:52:17 GMT.

7 Comments

1. Paul Reinheimer said:

Was the worm smart enough to mimic the headers of the browser supporting the cookie or could this be filtered through browser fingerprinting? (rather than going all out with more advanced heuristics).

Mon, 10 Nov 2008 at 00:35:29 GMT


2. Tim said:

One more reason to use a mac ;)

Mon, 10 Nov 2008 at 00:37:05 GMT


3. Chris Shiflett said:

Paul, I'm not sure. I don't have access to a computer running Windows, but I'm hoping the Facebook security team won't mind sharing this sort of information.

Just making users enter their password before sending a message to all of their friends would mitigate how quickly something like this can spread. For users like me who almost never send a message to more than one person at a time, make us enter our password when doing so. Safeguards like these are very interesting and often overlooked.

Tim, I'm a happy Mac user myself. :-)

Mon, 10 Nov 2008 at 00:56:01 GMT


4. Radu said:

Interesting article. Unfortunately, more and more legitimate websites are reported as attack sites, just like ratebeer.com has been.

Google is doing a good job of reporting the sites as attacked (even from the search results you are not able to go to the attacked website).

Requesting a password, or something simpler such as entering a captcha image, for every user action may be a good idea, but not in every case.

You see, the worm may try to send a note on the wall or other kinds of messages instead of a message.

Instead, Facebook could stop messages that come in fast sequence (no more than 2 messages per minute); it could also ask for the password every 10 or 20 user actions (when a user interacts with a form).

Tim, using a Mac will protect you against Windows worms, but wait till the Mac spreads more and someone writes a worm designed just for the Mac.

Mon, 10 Nov 2008 at 05:19:09 GMT


5. yawnmoth said:

Given that Samy required no action on the user's part, above and beyond viewing an infected user's profile, whereas this one requires a little bit of social engineering to get someone to click on a link, I think it goes without saying that this one wouldn't be as effective.

I mean, if you have 2,500 friends, you don't seriously click on every link every one of them sends you, do you?

Mon, 10 Nov 2008 at 15:15:37 GMT


6. Chris Shiflett said:

Yes, good point. The message this worm sends is really just a phishing attack, and Facebook is doing a pretty good job protecting users. It can't possibly be as effective as Samy.

Judging by Symantec's description, the worm propagates itself using other social networks as well, but I don't know many details yet.

Mon, 10 Nov 2008 at 15:26:03 GMT


7. Stelian Mocanita said:

Not much I know so far; I didn't get far enough with debugging it to get to the HTTP headers, but I know that it gets all the content via zzzping.com.

And it seems like it got to MySpace as well. I will try to dig a bit more into it; maybe Chris will find a fix for it.

Tue, 11 Nov 2008 at 08:36:37 GMT

