Facebook Worm

09 Nov 2008

While Sean was visiting the NY office this past week, he noticed a Facebook message from one of his friends that included a suspicious link. When he clicked it, Firefox displayed a Reported Attack Site alert. Clearly, Sean's friend did not intentionally send this message.

Very few of my friends have been infected. Adam, who has approximately 2,500 friends on Facebook, estimates that only 50 of them have been infected. Facebook also appears to be reacting as aggressively as possible, so the worm hasn't been as successful as Samy. Yet.

A quick search uncovered a story with more information. The root cause of the problem is a Windows worm called W32.Koobface.A. Symantec has the following to say:

When the worm executes, it copies itself as the following file:


It also creates the following file which serves as an infection marker:xi


It then creates the following registry entry so that it runs every time Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"systray" = "c:\windows\mstre6.exe"

The worm deletes the following registry key:


When executed for the first time on a given machine it will display the following message box in order to distract user's attention from its real purpose:

Window title: Error
Window body: Error installing Codec. Please contact support.

Then it searches for cookies related to social networking sites. If none are found, the worm deletes itself.

If the worm finds the appropriate security cookie, it modifies the settings so that links to malicious sites will be added to the user's profile to trick visitors into following. These links will point to a copy of the worm disguised as a video codec.

This description omits one important detail. If the worm finds cookies related to a social networking site such as Facebook, it hijacks your session. Sending a message to all of your friends is just one of many things the worm could do. Infecting as many users as possible might be the first step in a much more sophisticated attack.

If you're infected, be sure to read Symantec's removal instructions.

This is a situation where heuristics like the safeguards Nate wrote about last year would be helpful. Clearly, Facebook can't protect its Windows users from worms, so it has to devise safeguards that can help prevent session hijacking even when a user's cookies have been compromised. There is no perfect solution, but I think more can be done to protect users.

To Facebook's credit, the link it displays in these forged messages is not direct. This makes it easy to detect the attack and warn users who try to follow the link:

The link you have clicked has been identified by Facebook as a malicious web site. For the safety and privacy of your Facebook account, we strongly suggest you avoid visiting this address.

In addition, anyone who tries to send a message with a link to geocities.com is denied and shown the following message:

Warning: This Message Contains Blocked Content.
Some content in this message has been reported as abusive by Facebook users.

It seems like Facebook is doing a good job addressing a problem that's not their fault. Brian has kindly offered to put me in touch with someone from Facebook's security team, so hopefully I'll have more information to share soon.