The History of Social Networking Viruses - Facebook, MySpace, and Orkut

Page content


We tend to recognize the presence of malware by the effects we see after an infection or other compromise of our computer system has taken place. Although this is troublesome enough, we seldom think of the chain of events that has to take place to lead from the creation of the malware to the distribution of it to our PC.

Virus researchers call that last part the “attack vector.” It’s how the malicious software actually comes to a computer. One popular method of dissemination is to trick the user into initiating the download and installation of the software himself. Another type is called “drive by” infection. In this scenario, the user merely visits a website and his system becomes compromised when malicious code in the webpage exploits a security flaw in his web browser or in a browser plug-in.

In the last few years, the popular social networking websites have themselves been targets of attacks aimed at their users. Let’s look at some of the methods used to mount these attacks, and then we’ll discuss arming ourselves to protect us when using social networking websites.


In what is generally considered the first major attack against a social network, a worm called “MySpace.A” started operating on December 9, 2005. It began by letting a user (possibly the virus creator) add a million new “friends” to his personal contacts. This virus did not spread automatically.

The next major attack arrived near the end of 2006. It was a worm that propagated when one visited an infected user profile, but it was not very effective malware. Mainly, it just spread.

But other real trouble for MySpace quickly followed. Also in 2006, an advertising banner exploit infected over a million users’ computers with spyware. Another attack involved a script-injection in user profiles that hijacked user’s browsers to a website that blamed the U.S. government for the 9/11 attacks.

Then, in early 2007, a worm that made use of a vulnerability in Apple’s Quicktime Player and that passed itself off as a movie infected the profile of any user visiting another already-corrupted profile. When users tried to view the movie, they were directed to a website that downloaded an adware application.

Source: PandaLabs (In Spanish)


In February, 2007, an Illinois man was arrested for allegedly luring an under-age boy while posing as a teenage girl. This was the first known time that a social networking website had been used to contact a minor for predatory reasons.

Source: The Register

Then in December 2007, Facebook took legal action against a Canadian pornography company. They alleged that individuals there had used scripts to access more than 200,000 Facebook web pages and gather private profile data such as site affiliations, email address, and Facebook account passwords. This was an information-gathering attack rather than a direct attack, but the end result was the same – massive amounts of new spam – for both the compromised users and all their contacts.

Source: PC Pro

In October, 2008, the University of Massachusetts at Amherst warned campus Windows users of a worm named “Koobface” which spread both in MySpace and Facebook via a link to a video file. This required actually downloading the video file. When clicked, it showed an image of a jester and installed a couple of worms.

Source: Office of Information Technologies at Amherst

This infection allowed the attacker to open and close the CD/DVD tray (which would be spooky to the victim), open an FTP server, and send off information about the user’s machine.

Source: MacAfee

Update: March 3, 2009. A new variant of Koobface now appearing at Facebook involves a message that appears to be from a friend and that contains a link to a video. When the user clicks the link, he or she is advised that Adobe Flash is out of date and needs to be updated. Clicking the link actually installs the virus on the user’s PC. Once lodged there, it examines the stored cookies on the machine from those belonging to Facebook and several other social websites, retrieving passwords and login names as it goes. For each compromised account, it repeats it malicious message for each registered friend.

A related scam involves a fake message claiming that the user has been turned in for violation of the terms of service.

Update: December 1, 2009. Bredolab is a Facebook scam consisting of phoney password reset emails. The emails appear to come from “[email protected]” and reference an attachment. The attachment is a zip file that contains one or more .exe files that install the malware. This then makes the PC part of the Bredolab botnet network.

In late November a potentially embarrassing, but not otherwise malignant malware appeared on Facebook targeting wall images. When a user clicks on a risque image, the malware moves the image to the user’s own page. Typically, the image would display something similar to “Want 2 see something hot? Click da button, baby.” When the same image and come-on appears on the other page, it appears as if the owner had set it himself. To avoid this problem, simply don’t “click da button.”

What’s noteworthy, and what we’ll touch on again in the conclusion, is that it still takes a deliberate act by the user to become vulnerable to these types of scams. Treat everything you get from a “friend” with suspicion, even to the point of contacting them off-channel to see if they really sent you the message.

Source: ComputerWorld

Next: Orkut Attacked, Advice About Avoiding Computer Damage from Malware, and Our Conclusion


The popular Brazilian and Indian social service Orkut has also been attacked. The user would see what appeared to be a YouTube video of a Brazilian television star in their scrapbook. However, when they clicked the link, they were advised that they were missing a codec and should download it. The download really consisted of a trojan that infected all the user’s contact’s scrapbooks in the same fashion. A clever twist is that the malware actually did take the user to see the video while it did its evil deeds.

Source: Panda Labs

Panda Security also has a list of practical tips for using social networking sites. One is about not sharing any more personal information with the site other than the minimum required and never reveal your login details, passwords, or email addresses when in any public areas. (You can find the complete list of their recommendations at the link above.)


So what does this recent history of trouble imply for users of social networking websites? What can you do to avoid contracting a computer virus or obtaining malware at social networking websites?

As always, be vigilant. Don’t be click happy. If you suspect that a link isn’t what it appears, don’t click it, especially in scrapbooks or other parts of your profile or user pages where you wouldn’t expect to find them.

Use a brand-name antivirus solution, and keep it current.

Enable Windows Update and set it to check at a time when your PC is actually on. (The default in Vista is to check at 3:00 am.)

Watch for signs of a compromised PC, such as sudden performance issues, crashes, and even people writing to ask you why you sent them spam. If you think your PC is infected, run your antivirus software. If you still are concerned, try an online scanner or a different antivirus provider.

And keep an ear to the ground by following the tech news. Information about major infections propagates almost as fast the infections themselves.

Finally, be sociable, but be careful out there, too.

Further Reading

Netbooks vs. Notebooks - from Intel’s Perspective - Interested in a new mini-computer like a netbook? Wondering exactly what a netbook is and what you’d gain and have to give up over a notebook? We can help. At Intel Developer Forum 2008, Intel manager Mooly Eden gave us Intel’s perspective on the question.

How to FIX Vista’s Explorer Folder Template Forgetfulness - If Windows Vista is confused and is showing your documents in a multimedia folder and your music in a documents folder, we’ve been there, too. This article will show you how, step-by-step, to tame Vista’s template folder forgetfulness until, we hope, Microsoft finally fixes the problem for good.

How to Block Third-Party Tracking Cookies in Internet Explorer and Firefox - Are you leaving tracks everywhere you go online? If your browser is sharing cookies with a website you’re not even (knowingly) visiting, you’ve got third-party tracking cookies on your PC. This article defines cookies and looks at blocking a certain type.