“Facebook” Virus

As I look out at the eastward moving scenery, on my way to clean a Conficker.B worm off a customer’s system, it seems only fitting to recount a nasty little run-in I had with a “Facebook” virus at a dinner party.  Conversation flowed over thinly sliced pork chops with a delicious caper sauce, salad and challah.  (Pork chops and challah??  That’s a meal I’ll never see twice!)  I was telling my hosts and their roommate about my IT job when Katie, whom I’d just met, dropped the usual line with the usual pleading look.  “Say, do you think you could take a look at my computer?  I’ve been having a problem with my Facebook account.”

Dan watched me closely across the table.  He’s bribed me with food and drink on many occasions to fix his computer, iPod, TV, whatever.  So as I leaned back and said “Sure,” he well knew my patient smile and tone of voice conveyed the sentiment, “I’ve looked at dozens of computer problems today.  But I guess I can look at one more.”  Maybe I don’t have the backbone Dilbert has to say no.  Maybe I’m just a softie for a damsel in distress.

Anyway, I sat down at her laptop and Katie proceeded to show me her problem.  In short, whenever she opened Facebook in Firefox, the top of her page contained an obvious advertisement: “Find your Secret Crush”.

This particular piece of malware is a throwback to 2008.  ZDNet covered the basic story in January of that year.  But as I was a latecomer to Facebook, I missed out on that particular issue.  So I sat down at her laptop and began the investigation.

Hunt for Clues

First things first.  What is this thing?  It could be something on Facebook or something on her laptop.  If the former, it should be easy to block.  But it’s necessary to keep an open mind.  “I get this message every time I log onto Facebook with Firefox, and usually with Internet Explorer,” Katie told me as I contemplated the advertisement.  “I don’t know how to get rid of the app or unlike this page.”

“When did you start seeing it?  And what do you think triggered this secret crush’s appearance?”

“I think I accidentally clicked on something by accident and it screwed things up,” she replied.  “Something popped up and I clicked Yes or Okay by accident.  And I think that’s when I started seeing the messages.”  Ah.  A clue.  But what did she click on?  (Accidentally by accident.)  Was it a friend request?  A pop-up?  I kept digging through Facebook.

Katie had been putting up with this for a couple of months without paying particular attention to the symptoms or patterns.  So I continued on the false assumption that it was an issue within Facebook.  We checked her apps.  She had none approved.  We checked her friends.  She knew everyone in her small circle.  We checked her favorite pages, her likes and interests.  She had none.  After digging through all the Facebook settings I was still nowhere.  Just to see what would happen, I clicked on the Secret Crush link.  I’m pretty cavalier about safety when I’m working on somebody else’s problem for free.  😉  Besides, I was pretty sure the damage had already been done.  Up popped either a sketchy dating service or possibly a way to attract stalkers.  I’m not sure.

Several Google searches involving the keywords Facebook and Secret Crush turned up a couple of articles from 2008 about Facebook ending its relationship with Secret Crush because of privacy concerns.  But none explained where the ad was originating from.

Quick tip: If Facebook says it has privacy concerns about someone, there’s a great chance you want to steer clear of them.

It was already late for a Sunday night and I wasn’t very far along.  Three points suggested the problem was with the laptop rather than her Facebook account.  First was how tightly locked down Katie’s Facebook account was: no apps, no likes, no favorites.  If Katie had somehow subscribed to Secret Crush, Facebook should have had a means of opting out.  Facebook has improved on this over the years.  Second were the news articles in 2008.  Apparently this issue flared three years ago.  If Secret Crush was still out there, there’s no reason they wouldn’t continue targeting Facebook’s self-preservation-challenged herd of users.  The third clue came unexpectedly from Internet Explorer.

Windows XP Security Warning

Facebook uses a secure HTTP connection (https://) for logging in.  IE’s default security settings pop up a system dialog box whenever a secure page is displaying something insecure, so a warning on a page that should be entirely HTTPS means something other than Facebook is injecting content.  Whenever Katie logged into Facebook via IE and clicked “No”, the ad (which was now about boobs instead of secret crushes) didn’t appear.  So it was likely something on her laptop.  The final confirmation came when Katie logged into Facebook using another computer and did not get any ads at the top.

Fixing it.  Or Trying to, Anyway

Katie’s Facebook account was very well maintained.  Her laptop, not so much.  Using Add/Remove Programs and the Processes tab of the Task Manager, I found a trove of programs and executables doing little more than wasting resources.  Included in the hodgepodge were three demo/trial security programs which clearly weren’t doing their job if they missed a three-year-old virus.  I removed some of the more useless programs as a matter of course.  But the Secret Crush malware itself was more elusive.  Malware is always harder to find.

Now on a search-and-destroy mission, I picked processes out of the Task Manager that looked suspicious and Googled them.  Sure enough, I found the malware executable.  A search of the C:\ drive and I had it cornered, when suddenly I hit a brick wall: Windows Vista security.

On Windows XP and Windows 7, I could have easily grabbed the file and deleted it.  Now, however, Windows Vista was denying Katie’s own admin account access to remove the infection.  In another twenty minutes I could have undone the security impasse and cleaned out the infection.  However, it was late, so I admitted defeat.  Katie said she would take her laptop to Geek Squad and get some reputable antivirus software.  Sometimes you don’t win them all.
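One way to do the process triage described above more systematically, as an added example that is not the post’s own method: list every running process with its executable path and Authenticode signature, and flag the ones that are unsigned or live outside the Windows and Program Files directories, so the Googling starts with the right candidates.  It assumes an elevated PowerShell session (2.0 or later); the “trusted” directory list and the CSV path on the desktop are my assumptions.

```powershell
# Added example, not from the original post. Enumerate processes with their
# on-disk path and signature status and flag the ones worth a closer look.
# Win32_Process and Get-AuthenticodeSignature are available on Vista-era
# PowerShell; New-Object is used instead of [pscustomobject] for that reason.

# Assumption: binaries under these directories are the usual place for
# legitimate software; anything elsewhere (user profile, temp, root of C:\)
# deserves a second look even if it is signed.
$trustedDirs = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }

$report = Get-WmiObject Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $path = $_.ExecutablePath
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue

        $inTrusted = $false
        foreach ($dir in $trustedDirs) {
            if ($path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }

        $status = 'Unknown'
        $signer = ''
        if ($sig) {
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # Flag: unsigned/invalid signature, or running from an unexpected location.
        New-Object PSObject -Property @{
            PID        = $_.ProcessId
            Name       = $_.Name
            Path       = $path
            Signature  = $status
            Signer     = $signer
            Suspicious = (-not $inTrusted) -or ($status -ne 'Valid')
        }
    }

# Suspicious entries first; these are the names to research before deleting anything.
$report | Sort-Object Suspicious -Descending |
    Format-Table PID, Name, Signature, Suspicious, Path -AutoSize

# Keep a record of the flagged set for later comparison (assumed output path).
$report | Where-Object { $_.Suspicious } |
    Export-Csv -Path "$env:USERPROFILE\Desktop\process-triage.csv" -NoTypeInformation
```

Note that a process’s executable path can be blank for protected system processes, which the filter skips; compare the flagged list against a known-clean machine rather than treating every unsigned binary as malware.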

Self Defense Tips

Katie’s experience is instructive.  She keeps a clean Facebook account and, except for one mistake, watches what she clicks.  But her computer was ill equipped to protect itself.  The antivirus software trials she had on her machine were ineffective.  And the additional bloatware she had running made it that much harder to find the infection.  My advice to Katie and anyone else in her shoes is:

  1. Think before you click!  Clicking messages without reading them is always the fastest way to get into trouble.
  2. Get a solid security suite.  Everyone knows Symantec/Norton and McAfee on the high end.  Spyware Doctor, which is included in Google Pack, is not bad for the price.  There are other decent anti-virus/anti-malware solutions as well.
  3. Make sure you’re not running extra junk you don’t need.  Bloatware and trialware installed by the manufacturer is a constant drag on your performance at best.  Remove software you are not using to keep your PC running respectably and make it easier to track down any nasties.  A good rule of thumb is that if the list of processes in Task Manager takes a full computer screen or more to display, you probably have too much junk running.
  4. For Moses’s sake, stop using Vista!  Downgrade to Windows XP or upgrade to Windows 7.  I’ve long endorsed Macs, but with the release of Vista I finally stopped recommending Windows as an operating system to anyone, no matter how entrenched the user.

Every user is responsible for their own safety.  But a system running only the essential software plus a good antivirus suite can help you even the odds against inbound malware.
