Oli Warner About Contact Subscribe

Facebook worm

Thursday, 7 August 2008 security trojan worm

Facebook isn’t all bad but here’s a message that just got sent to my wall for me and all my friends to download. If they’re not careful, Facebook could be going the way of email.

I received a wall message “from” an old friend today:

Screenshot of a message asking me to download a virus

It’s got everything a worm needs. There’s the bait, raising my intrigue. There’s the payload. And there’s trust.

This isn’t as aimless as the random “download this file for a larger pocket-rocket”; I know the person that Facebook says sent this message. In my case, not enough to trust a random .exe, but in many people’s cases, this sort of crap might fly!

Needless to say, Facebook needs to examine its security framework. I see a few possible attack vectors: XSS from fbapps and other sites, fbapp loopholes and a bot running on somebody’s PC. At the very least Facebook needs to consider blocking people posting .exe files but this would only serve as a temporary fix as it would be comically trivial to post a link to a page that redirected to a .exe file.

If you get a message like this, delete it. It’s on your wall so other, perhaps less educated people may see it, click it and get infected. Then tell the person that they may have a problem. They need to look closely at the apps they have installed and also strongly consider running a thorough virus scan.

But now for the really scary part: AV detection.

I submitted this to an online virus scanner which runs the file through various AVs at its end and tells you which thought the file was infected. I’m not overly sure which versions and which updates it was running, but that also applies to the real world. People are sometimes lax about applying updates. Anyway, only 36% of scans registered this as a virus.

Amongst the ones that didn’t are some big names: Symantec, McAfee, Kaspersky, Sophos, AVG, Nod32, ClamAV and F-Prot. This is not an exhaustive list. There were many more failures. These brands account for what must be 95-98% of the home and enterprise AV market.

Some of the ones that passed (and also saying more than “Suspicious file”): AntiVir, Avast, BitDefender, F-Secure, Microsoft and TrendMicro.

Here’s the full table of results:

Antivirus Result
AhnLab-V3 -
AntiVir DR/Delphi.Gen
Authentium -
Avast Win32:Delf-GNA
AVG -
BitDefender Trojan.Dropper.Delf.Crypt.C
CAT-QuickHeal (Suspicious) - DNAScan
ClamAV -
DrWeb -
eSafe Suspicious File
eTrust-Vet -
Ewido -
F-Prot -
F-Secure Suspicious:W32/Malware!Gemini
Fortinet -
GData Win32:Delf-GNA
Ikarus -
K7AntiVirus -
Kaspersky -
McAfee -
Microsoft VirTool:Win32/DelfInject.gen!T
NOD32v2 -
Norman -
Panda Suspicious file
PCTools -
Prevx1 Suspicious
Rising -
Sophos -
Sunbelt Malware.Win32.CodeAnalyzer!cobra (v)
Symantec -
TheHacker -
TrendMicro PAK_Generic.001
VBA32 -
ViRobot -
VirusBuster -
Webwasher-Gateway Trojan.Dropper.Delphi.Gen

The payload, in case you’re wondering, is a trojan dropper. That can subsequently grab things for sending spam and post itself to other people’s Facebook profiles.