Archive for August, 2008

Facebook Virus

Wednesday, August 27th, 2008

The internet has been buzzing the last couple of weeks regarding the “Facebook virus” that started to spread around.
That’s natural: the Social Web, Web 2.0 and Facebook in particular have been the hot internet topics of the last couple of weeks, and practically everyone is on Facebook these days.
And now Facebook is used to spread viruses! Scary right?

Well... The truth of the matter is that, technically, Facebook is not exploited in any way. Yes, it’s a convenient platform for a virus to work with, but the virus does not use any vulnerability in Facebook itself.
The Facebook Virus is really a great example of how a virus, and a relatively simple one at that, can infect so many people by chaining several attack tactics together with a lot of “social engineering”.

The attack begins with a classic phishing email. Many people are spammed with emails luring them into clicking a link that claims to lead to Facebook.
Clicking the link takes you to a phishing web site that looks exactly like Facebook and even has a very similar domain name.
The user is asked to log in and enters his username and password.
At that moment the trap has sprung: the attacker now holds the victim’s credentials and can log in as the user, which gives him complete control over the victim’s Facebook account. This victim is “patient zero” in a sense.


In the next step the attacker logs into the victim’s Facebook account and sends a message to all the victim’s friends, providing a link to a “funny video”.
The web site looks almost exactly like YouTube. When the user tries to play the video, a message appears saying that the Flash player needs to be updated.
The user then downloads the “Flash player update”, which is the actual payload of the whole attack: the malware. This spyware opens the computer up completely and herds it into a botnet.

To summarize:

While Facebook does indeed provide a great platform for viral distribution, the technical methods by which attackers reach their victims are anything but new. It’s simply an elegant combination of “good old” phishing and social engineering. A careful user might have detected each step on its own, but the combination works much better on the target. The same spyware link could have just been sent in an email, but very few people would have clicked it. What makes it stronger is that a known and trusted friend on Facebook sent it. Moreover, you don’t just download anything: it’s simply a Flash update file that you supposedly need in order to see that great funny movie.
So nothing special technically here, but a great example of social engineering techniques.

This is how you can protect yourself from this attack:

1. Since the attack, as described above, is composed of several consecutive smaller attacks, your defense should be multi-layered as well. The attack can be stopped by your security measures at several different points: the phishing email can be detected as such and blocked, the phishing web site can be detected as such and blocked, and the spyware application itself can be detected by an anti-virus and stopped. You should have all these measures in place.
And how do we at Yoggie implement this? Simple. Yoggie’s products cram 12 different security applications into the device, so you have multiple engines protecting you transparently. This attack would be blocked at several different steps by Yoggie devices. Moreover, the attack itself was first detected and reported by Kaspersky, which is the anti-virus engine that Yoggie uses inside.

2. Make sure all your security measures are up to date!
This is super important: it’s not enough to have security measures in place. The security applications you use must always be updated, otherwise they are useless.
In a worst-case-scenario, when your security measures would have failed to detect the Facebook attack at any other point – An updated anti-virus would already be familiar with the spyware’s signature and stop it dead in its tracks.
And how do we at Yoggie implement this? Even simpler. All Yoggie’s products automatically and transparently update all the different engines running inside. EVERY 5 MINUTES. And the user doesn’t even feel it is happening.

3. The most important and simplest advice is this: never EVER click on anything before careful consideration. I can’t stress this enough. It can be a link in an email message, a link in an instant message, or a web link in Facebook. Always be suspicious of such links. Always check the browser’s status bar before actually clicking the link, to make sure the URL you will get to is indeed where you want to go: the text a link displays and the address it actually points to can be two completely different things.
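To make points 1 and 3 concrete, here is an added example (not code from the original post and not part of any Yoggie product) of the kind of check a mail filter or a careful user applies to the first stage of this chain: extract every link from an HTML message, compare the host the link text shows against the host the href really goes to, and flag hosts that borrow a trusted brand name (“facebook” inside a domain that is not facebook.com) or sit one or two typos away from it. The trusted-brand list and the sample message body are constructed for this example and are assumptions, not data from the reported attack.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the recipient trusts, mapped to the one registrable domain that may
# legitimately carry them. Assumption for this example only.
TRUSTED_DOMAINS = {"facebook": "facebook.com", "youtube": "youtube.com"}

# Constructed sample message body, modelled on the chain described in the post.
SAMPLE_MAIL = """
<p>Someone tagged you in a photo:
<a href="http://www.facebook.com.profile-update.example/login">www.facebook.com</a></p>
<p>Your friend sent you a <a href="http://youtube-videos.example/funny.php">funny video</a></p>
<p>Log in at <a href="http://facebok.com/login">Facebook</a></p>
<p>Or use the real site: <a href="https://www.facebook.com/">Facebook</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace so "www.facebook.com\n" compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the .com lookalikes shown here."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as facebok.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text):
    """Return the reasons a link looks like phishing; an empty list means none found."""
    reasons = []
    target = urlparse(href if "://" in href else "http://" + href).hostname
    if not target:
        return ["href has no host"]
    target = target.lower()
    # 1. The text shown to the user names one host, the href goes to another.
    shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text)
    if shown and registrable(shown.group(1)) != registrable(target):
        reasons.append(f"text shows {shown.group(1)} but href goes to {target}")
    # 2. The host borrows a trusted brand name without being that brand's domain,
    #    or is a near-miss (typo) of it.
    reg = registrable(target)
    for brand, domain in TRUSTED_DOMAINS.items():
        if reg == domain:
            continue
        if brand in target:
            reasons.append(f"{target} contains '{brand}' but is not under {domain}")
        elif 0 < edit_distance(reg, domain) <= 2:
            reasons.append(f"{reg} is a near-miss of {domain}")
    return reasons


def scan_mail(html):
    """Return [(href, text, reasons)] for every link that raised at least one reason."""
    parser = LinkExtractor()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            hits.append((href, text, reasons))
    return hits


if __name__ == "__main__":
    for href, text, reasons in scan_mail(SAMPLE_MAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Running it flags the first three links (the lookalike subdomain, the YouTube-branded host and the typo-squat) and passes the genuine facebook.com link. The same two checks are what the status-bar habit in point 3 performs by eye; a filter simply applies them to every link before the user ever sees the mail.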

Note: this post is based on researching the reported information online and not by first-hand analysis of the virus.

Security News or The Sky is not falling

Wednesday, August 13th, 2008

Yoggie Security Systems, being a security company, is part of a very serious industry. We pride ourselves on trying to provide the best products and the best security for our customers. As such, we constantly monitor and research the latest news in the security world and, as everyone knows today, the risks are there. New threats, vulnerabilities and attacks are discovered daily. Economically, both corporations and individual consumers lose billions of dollars annually to security-related damage. But one must be aware that there is also a lot of FUD (fear, uncertainty and doubt) spread around by sensationalists.


Case in point: Just last week amazing headlines started to appear around the net. Headlines like:

…and others, similar in tone.

In a nutshell, the reports described a Windows Vista “super-vulnerability”, announced at the Black Hat security conference going on right now, that essentially lets an attacker load and run any code through your browser. Moreover, the vulnerability was described as so powerful and low-level that no fix is possible.

This created a brief storm of buzz describing just how disastrous this super-hack is and how Windows Vista is completely dead now. (And I quote from one site: “Expect that chairs to be flying over at Microsoft HQ about this…”.)

This whole story made the rounds for a couple of days until finally it died down when some bona fide security researchers examined the actual report and explained that the discovery is far from the beast that was described.

One great article that explains this was published yesterday by Ed Bott, titled Windows security rendered useless? Uh, not exactly.

What Ed wrote, in short, is that the discovery made by Sotirov and Dowd does indeed exist, but it is a way of getting around Vista’s exploit-mitigation features rather than a vulnerability in its own right: it can only work on a computer that the attacker is already able to exploit through some separate, unrelated flaw. Bottom line? It’s far from the security risk presented initially.

Another great explanation of this was published by Peter Bright at Ars Technica, titled The sky isn’t falling: a look at a new Vista security bypass.

And here is where I get to my point. The security risks out there on the internet do exist. There is no need to invent non-existent ones as there are more than enough real threats out there.

The second point? Don’t immediately jump to conclusions over any headline; let true security researchers examine the actual technical papers before screaming that the sky is falling.