PandaLabs has discovered that variant number 56 of the Boface family of worms has just appeared, Boface.BJ.worm. Largely due to the enormous global popularity of Facebook and the potential it offers for reaching numerous users, each of these variants has been designed especially to use this social network to distribute and download malware.
The BJ variant in particular uses Facebook to download and install rogue anti-malware and trick users into believing they are infected and consequently buy a fake antivirus.
According to data compiled through the free Panda ActiveScan online scanner, 1 percent of all computers scanned were infected by a variant of Boface since August 2008. Luis Corrons, technical director of PandaLabs states, “Extrapolating this data with an estimate of the number of Facebook users, about 200 million, we approximate that two million users could be infected. The increasing number of variants in circulation is due to the aim of cyber-crooks to infect as many users as possible and therefore boost their financial returns.”
The number of infections observed for this type of malware since August 2008, indicates an exponential growth rate as high as 1,200 percent, from then to April 2009. With respect to the geographic distribution of infections, almost 40 percent are in the United States, with the rest distributed across many different countries.
The rogue anti-malware business is one of the most prolific cyber crime activities, with respect to the number of examples in circulation. PandaLabs forecast quarterly growth of more than 100 percent for the current year. Here’s a graph that represents the growth of rogue antivirus in the past year:
The new Boface.BJ.worm reaches computers in several ways using email messages with attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file-sharing networks, etc., to infect unsuspecting users.
Once the computer has been infected, the worm takes four hours to kick into action, activating once infected users have entered their Facebook accounts. In that moment, it sends a message to the entire network of friends, including the infected user.
Anyone clicking on the link in the message will be taken to a fake YouTube page (called “YuoTube”) where they will supposedly be able to see a video. However, they will first be prompted to download a media player. If the user accepts, the fake antivirus will be immediately downloaded. From the moment it is installed, this malware will launch messages claiming that the computer is infected and that the user must buy a solution. Specifically, one of the fake antivirus products displayed in this interface:
Given the viral nature of Facebook networks, it is fair to assume that this message will spread exponentially leading to very high infection rates. Corrons adds, “Users of social networks like this normally trust the messages they receive, so the number of reads and clicks is often very high. Clearly, in addition to the security measures of the social network itself, users have to take on board certain security and personal privacy basics, to avoid falling victim to fraud and contributing to its propagation.”
To prevent this type of fraud, PandaLabs offers the following advice:
1. Don’t click suspicious links from non-trusted sources. This should apply to messages received through Facebook, through other social networks and even via email.
2. If you do click on any such link, check the target page carefully (in this example, it is clearly a fraud) and if you don’t recognize it, close your browser.
3. Even if you don’t see anything strange in the target page, but you are asked to download something, don’t accept.
4. If, however, you have still gone ahead and downloaded and installed some type of executable file, and your computer begins to launch messages saying that you are infected and that you should buy an antivirus, this is most likely a fraud. Never entered your credit card details, as you will be putting your money at direct risk. And above all, make sure you get a second opinion on the security of your system with any reliable free online security solution.
5. As a general rule, make sure your computer is well protected to ensure that you are not exposed to the risk of infection from any malicious code.