– The 56th variant of a family of worms that use Facebook has emerged. It downloads and installs a fake antivirus -Boface.BJ.worm- to defraud users

– The worldwide infection ratio of this family of worms now stands at 1%, and the increase in the number of infections has reached 1,200% in recent months


Variant number 56 of the Boface family of worms has just appeared. Each of these variants has been designed especially to use Facebook to distribute and download malware. This is largely due to the enormous global popularity of this social network and the potential it offers for reaching numerous users. The BJ variant in particular uses Facebook to download and install rogue anti-malware and trick users into believing they are infected and consequently buy a fake antivirus. According to data compiled through the free Panda ActiveScan online scanner, since August 2008, 1% of all computers scanned were infected by a variant of Boface.

According to Luis Corrons, technical director of PandaLabs: “Extrapolating this data in line with the number of Facebook users, some 200 million, we arrive at a figure of 2 million users that could be infected. The increasing number of variants in circulation is due to the aim of cyber-crooks to infect as many users as possible and therefore boost their financial returns”.

With respect to the geographic distribution of infections, almost 40% are in the United States, with the rest distributed across many different countries. Pic available at: http://www.flickr.com/photos/panda_security/3527895905/

The number of infections observed for this type of malware since August, indicates an exponential growth rate as high as 1,200%, comparing April 2009 with August 2008. The rogue anti-malware business is one of the most prolific cyber crime activities, with respect to the number of examples in circulation. PandaLabs forecast quarterly growth of more than 100% for the current year. http://www.flickr.com/photos/panda_security/3528707694/

The new Boface.BJ worm reaches computers in several ways: email messages with attachments, Internet downloads, files transferred via FTP, IRC channels, P2P file-sharing networks, etc. Users are infected without realizing. Once the computer has been infected, the worm takes four hours to kick into action. And it does this once infected users have entered their Facebook accounts. In that moment, it sends a message to the entire network of friends, including the infected user. Picture at: http://www.flickr.com/photos/panda_security/3528707512/

Anyone clicking on the link in the message will be taken to a fake YouTube page (called “YuoTube”): http://www.flickr.com/photos/panda_security/3527896167/

where they will supposedly be able to see a video. However, they will first be prompted to download a media player. If the user accepts, the fake antivirus will be immediately downloaded. From the moment it is installed, this malware will launch messages claiming that the computer is infected and that the user must buy a solution. Specifically, one of the fake antivirus products displayed in this interface: http://www.flickr.com/photos/panda_security/3528707634/

Given the viral nature of Facebook networks, it is fair to assume that this message will spread exponentially leading to very high infection rates.

According to Corrons: “Users of social networks like this normally trust the messages they receive, so the number of reads and clicks is often very high. Clearly, in addition to the security measures of the social network itself, users have to take on board certain security and personal privacy basics, to avoid falling victim to fraud and contributing to its propagation”.

To prevent this type of fraud, PandaLabs offers the following advice:

1) Don’t click suspicious links from non-trusted sources. This should apply to messages received through Facebook, and through other social networks and even via email.

2) If you do click on any such link, check the target page carefully (in this example, it is clearly a fraud). If you don’t recognize it, close your browser.

3) Even if you don’t see anything strange in the target page, but you are asked to download something, don’t accept.

4) If, however, you have still gone ahead and downloaded and installed some type of executable file, and your computer begins to launch messages saying that you are infected and that you should buy an antivirus, this is very probably a fraud. Never entered your credit card details, as you will be putting your money at direct risk. And above all, make sure you get a second opinion on the security of your system, with any reliable free online security solution such as  Panda ActiveScan.

5) As a general rule, make sure your computer is well protected, to ensure that you are not exposed to the risk of infection from any malicious code. You can protect yourself with the new, free Panda Cloud Antivirus solution (www.cloudantivirus.com).