On several occasions, after logging into Facebook, I was presented with some unusual popups. Where do they come from? What are they trying to do?
Section 1: My Arguments At-A-Glance
I suspect an ad on Facebook may be spreading a virus because of these events (in chronological order):
- When I log in, I get a dialog box saying “Sorry, your browser is not WIN32 compatible.” This occurs on one specific ad.
- The system would work a bit harder than usual. It was found that the JVM (Java Virtual Machine) had started.
- A pop-up would attempt to open. That was blocked by Firefox’s pop-up blocker. Additionally, I was prompted to save a .wmf file. I saved it for further inspection.
- Overriding the pop-up blocker would result in a pop-up. Upon inspection of the source, it opens another window.
- Upon inspection of the new window, it tries to run a Java program. I inspected the source of that page and also downloaded the .jar file it tried to run.
- I took the two files to Kaspersky and avast!. They both confirmed the existence of a virus in both files.
Section 2: Confirmations
Over the course of the weekend, an article came up on Digg about the same thing happening on MySpace (reference).
Section 3: Conclusion
Because advertisements are displayed at random, a user is fairly unlikely to obtain these two computer viruses. The following actions will further decrease a user’s chances of obtaining these viruses:
- Keeping Windows updated with the latest security patches. The WMF exploit was discovered in December and patched around February.
- Having a pop-up blocker. Internet Explorer has one built in, but having Google Toolbar is a good extra layer of protection.
- Using an alternative browser such as Mozilla Firefox.
- Using Sun Microsystems’ Java Virtual Machine to run Java code instead of Microsoft’s Java Virtual Machine.
- Using a non-Windows operating system.


