I received a wall message “from” an old friend today:
It’s got everything a worm needs. There’s the bait, raising my intrigue. There’s the payload. And there’s trust.
This isn’t as aimless as the random “download this file for a larger pocket-rocket”; I know the person who Facebook says sent this message. In my case that isn’t enough to make me trust a random .exe, but for many people this sort of crap might fly!
Needless to say, Facebook needs to examine its security framework. I see a few possible attack vectors: XSS from fbapps and other sites, fbapp loopholes, and a bot running on somebody’s PC. At the very least Facebook needs to consider blocking people from posting .exe files, but this would only serve as a temporary fix, since it would be comically trivial to post a link to a page that redirects to a .exe file instead.
If you get a message like this, delete it. It’s on your wall, so other, perhaps less educated, people may see it, click it and get infected. Then tell the person that they may have a problem. They need to look closely at the apps they have installed and also strongly consider running a thorough virus scan.
But now for the really scary part: AV detection.
I submitted this to an online virus scanner which runs the file through a range of AV engines on its side and reports which of them considered the file infected. I’m not entirely sure which versions and which signature updates it was running, but the same uncertainty applies in the real world: people are sometimes lax about applying updates. Anyway, only 36% of the scans registered this as a virus.
Amongst the ones that didn’t are some big names: Symantec, McAfee, Kaspersky, Sophos, AVG, Nod32, ClamAV and F-Prot. This is not an exhaustive list; there were many more failures. These brands account for what must be 95-98% of the home and enterprise AV market.
Some of the ones that caught it (and said more than just “Suspicious file”): AntiVir, Avast, BitDefender, F-Secure, Microsoft and TrendMicro.
Here’s the full table of results:
Antivirus | Result |
---|---|
AhnLab-V3 | - |
AntiVir | DR/Delphi.Gen |
Authentium | - |
Avast | Win32:Delf-GNA |
AVG | - |
BitDefender | Trojan.Dropper.Delf.Crypt.C |
CAT-QuickHeal | (Suspicious) - DNAScan |
ClamAV | - |
DrWeb | - |
eSafe | Suspicious File |
eTrust-Vet | - |
Ewido | - |
F-Prot | - |
F-Secure | Suspicious:W32/Malware!Gemini |
Fortinet | - |
GData | Win32:Delf-GNA |
Ikarus | - |
K7AntiVirus | - |
Kaspersky | - |
McAfee | - |
Microsoft | VirTool:Win32/DelfInject.gen!T |
NOD32v2 | - |
Norman | - |
Panda | Suspicious file |
PCTools | - |
Prevx1 | Suspicious |
Rising | - |
Sophos | - |
Sunbelt | Malware.Win32.CodeAnalyzer!cobra (v) |
Symantec | - |
TheHacker | - |
TrendMicro | PAK_Generic.001 |
VBA32 | - |
ViRobot | - |
VirusBuster | - |
Webwasher-Gateway | Trojan.Dropper.Delphi.Gen |
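The detection rate quoted above can be reproduced from the table itself. The following is an added example, not the author’s code: it embeds the table rows as constructed sample input, parses them, separates named signature hits from bare heuristic “Suspicious” flags (the distinction drawn above), and computes the rates, which is the sort of triage a defender does with any multi-engine scan report.

```python
import re

# Multi-engine results table from the post, embedded as sample input ("-" = engine reported nothing).
SCAN_TABLE = (
    "Antivirus | Result |\n---|---|\n"
    "AhnLab-V3 | - |\nAntiVir | DR/Delphi.Gen |\nAuthentium | - |\nAvast | Win32:Delf-GNA |\n"
    "AVG | - |\nBitDefender | Trojan.Dropper.Delf.Crypt.C |\nCAT-QuickHeal | (Suspicious) - DNAScan |\n"
    "ClamAV | - |\nDrWeb | - |\neSafe | Suspicious File |\neTrust-Vet | - |\nEwido | - |\nF-Prot | - |\n"
    "F-Secure | Suspicious:W32/Malware!Gemini |\nFortinet | - |\nGData | Win32:Delf-GNA |\nIkarus | - |\n"
    "K7AntiVirus | - |\nKaspersky | - |\nMcAfee | - |\nMicrosoft | VirTool:Win32/DelfInject.gen!T |\n"
    "NOD32v2 | - |\nNorman | - |\nPanda | Suspicious file |\nPCTools | - |\nPrevx1 | Suspicious |\nRising | - |\n"
    "Sophos | - |\nSunbelt | Malware.Win32.CodeAnalyzer!cobra (v) |\nSymantec | - |\nTheHacker | - |\n"
    "TrendMicro | PAK_Generic.001 |\nVBA32 | - |\nViRobot | - |\nVirusBuster | - |\n"
    "Webwasher-Gateway | Trojan.Dropper.Delphi.Gen |\n"
)

def parse_results(table):
    """Parse the two-column markdown table into {engine: verdict}."""
    results = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] == "Antivirus" or cells[0].startswith("---"):
            continue  # skip the header and separator rows
        results[cells[0]] = cells[1]
    return results

def classify(verdict):
    """'clean' = no detection; 'named' = a signature/family name such as X/Y, X.Y or X:Y;
    'heuristic' = a bare 'Suspicious'/generic flag that names no family."""
    if verdict in ("", "-"):
        return "clean"
    return "named" if re.search(r"\w[./:]\w", verdict) else "heuristic"

def summarize(results):
    """Bucket engines by verdict type and compute detection rates in percent."""
    buckets = {"clean": [], "heuristic": [], "named": []}
    for engine, verdict in results.items():
        buckets[classify(verdict)].append(engine)
    total = len(results)
    flagged = len(buckets["named"]) + len(buckets["heuristic"])
    return {"engines": total, "flagged": flagged,
            "detection_rate": round(100 * flagged / total, 1),
            "named_rate": round(100 * len(buckets["named"]) / total, 1), **buckets}

if __name__ == "__main__":
    s = summarize(parse_results(SCAN_TABLE))
    print(f"{s['flagged']}/{s['engines']} engines flagged the file ({s['detection_rate']}%)")
    print("named detection :", ", ".join(s["named"]))
    print("heuristic only  :", ", ".join(s["heuristic"]))
    print("missed          :", ", ".join(s["clean"]))
```

Only a quarter of the engines named a family; the remaining hits are generic heuristics, which is worth remembering when a scan report is used as evidence that a sample is (or is not) malicious.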
The payload, in case you’re wondering, is a trojan dropper, which can subsequently fetch further components for sending spam and post itself to other people’s Facebook profiles.