Facebook download contains Trojan

3666 Views 37 Replies Latest reply: Apr 30, 2012 4:03 AM by softwater
mvaug10087 Level 1 (15 points)
Apr 24, 2012 2:10 AM

I have just requested a download of all my Facebook information from Facebook. The download contains a Trojan OSX/FkCodec-A which was detected by my Sophos AV as a threat. Has anybody else encountered this? The trojan was not on my Mac before as the AV only detected it when I downloaded the file from Facebook. Is it a real threat?

iMac, Mac OS X (10.7.2)
  • Klaus1 Level 8 (43,355 points)
    Apr 24, 2012 2:25 AM (in response to mvaug10087)

    Yes, lots of downloads from Facebook and other 'social sites' contain malware.

    You will find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy, useful:

    https://discussions.apple.com/docs/DOC-2435

    The User Tip (which you are welcome to print out and retain for future reference) seeks to offer guidance on the main security threats and how to avoid them, including how to prevent, detect and/or remove the Flashback Trojan.

  • Klaus1 Level 8 (43,355 points)
    Apr 24, 2012 3:01 AM (in response to mvaug10087)

    Like I said, I would not trust any download from Facebook. They have been hacked many times.

  • thomas_r. Level 7 (26,935 points)
    Apr 24, 2012 5:56 AM (in response to mvaug10087)

    This is the first that I have ever heard of such malware, but I do find it on Sophos' site:

     

    http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OS X~FkCodec-A/detailed-analysis.aspx

     

    They don't say much about it, though...  just:

     

    OSX/FkCodec-A is a fake installer that claims to be installing codec.

     

    Looks like it was just added to their definitions yesterday, so it must be so new that nobody has written anything up about it yet.  I would try to contact Facebook about that.  I've just started the process of downloading my own Facebook information, and will report back here with what I find when it arrives.

  • softwater Level 5 (5,370 points)
    Apr 24, 2012 6:31 AM (in response to mvaug10087)

    I downloaded my Fb info on 14 April. Just scanned it a moment ago with ClamXav (latest release & today's definitions) and found nothing.

  • softwater Level 5 (5,370 points)
    Apr 24, 2012 6:42 AM (in response to mvaug10087)

    I think that's where the scam is coming in, right there. The download isn't a .dmg as far as I recall.

     

    I'm just doing it again to be certain. When you click on the 'start my archive' button you should get a msg saying you'll receive an email when the archive is ready. However, as I remember, when you get the email, you click on the link and it takes you back to the same page. When you click on the button this time it just downloads the files to your default folder location.

     

    I think the first thing I'd look at is the URL of the Facebook site you're visiting. Are you sure it's the genuine one? What's the URL?

  • thomas_r. Level 7 (26,935 points)
    Apr 24, 2012 7:19 AM (in response to thomas_r.)

    Okay, I just got my Facebook data (what little there is of it...  I'm not a big Facebook user), and there's nothing in it recognized by Sophos as malware.  So it's definitely not something that everyone will find in their Facebook data.

     

    Where in your Facebook data was the file?  And would you be willing to e-mail the file Sophos identified to me, so I can do some tests?  You can find my e-mail address on the "contact me" link at the bottom of my Mac Malware Guide.  (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

     

    Edit: to e-mail it without getting flagged as sending malware, open the Terminal and paste in the following command:

     

    zip -e ~/Desktop/fkcodec.zip 

     

    Make sure there's a space at the end, and then drop the file identified by Sophos onto the Terminal window.  Hit return, and enter "infected" as the password.  Take the resulting fkcodec.zip file, which will show up on the desktop, and e-mail that to me.

  • softwater Level 5 (5,370 points)
    Apr 24, 2012 7:16 AM (in response to thomas_r.)

    @Thomas

     

    Did yours come in the form of a .dmg?

  • thomas_r. Level 7 (26,935 points)
    Apr 24, 2012 7:20 AM (in response to softwater)

    Did yours come in the form of a .dmg?

     

    Nope, mine came as a .zip file containing a folder with files "README.txt" and "index.html" and folders "html" and "photos".
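
Added example, not part of any post in this thread: a check that a downloaded file matches what softwater and thomas_r. describe (a .zip whose single folder holds "README.txt", "index.html", "html" and "photos") rather than a disk image or an archive carrying installer-like files. The function name, the suffix list and the sample data are assumptions made for illustration; the samples are constructed in memory and contain no real Facebook data or malware.

```python
import io
import zipfile

# Top-level items thomas_r. reported inside the archive's single folder.
EXPECTED = {"README.txt", "index.html", "html", "photos"}
# Assumption: name suffixes treated as installer-like and worth a closer look.
SUSPECT_EXT = (".dmg", ".pkg", ".mpkg", ".app", ".command")


def classify_download(data):
    """Return (verdict, notes) for the raw bytes of a downloaded file."""
    # UDIF disk images (.dmg) end in a 512-byte trailer starting with b"koly".
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "dmg", ["disk image, not the .zip described in the thread"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unknown", ["neither a zip archive nor a UDIF disk image"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    notes = [f"installer-like entry: {n}" for n in names
             if any(p.lower().endswith(SUSPECT_EXT) for p in n.split("/"))]
    roots = {n.split("/")[0] for n in names}
    if len(roots) != 1:
        notes.append(f"expected one top-level folder, found {len(roots)}")
    # Names directly under the top-level folder (files and sub-folders).
    children = {n.split("/")[1] for n in names if "/" in n} - {""}
    for label, diff in (("missing", EXPECTED - children),
                        ("unexpected", children - EXPECTED)):
        if diff:
            notes.append(f"{label}: {sorted(diff)}")
    return ("expected-layout" if not notes else "zip-unexpected"), notes


def make_zip(names):
    """Build a constructed in-memory zip holding empty files with these names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()


# Constructed samples: no real Facebook data and no real malware.
GOOD = make_zip(["me/README.txt", "me/index.html", "me/html/wall.html", "me/photos/1.jpg"])
ODD = make_zip(["me/README.txt", "me/index.html", "me/Codec-Installer.dmg"])
FAKE_DMG = b"\0" * 1024 + b"koly" + b"\0" * 508

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("odd", ODD), ("dmg", FAKE_DMG)):
        print(label, classify_download(blob))
```

A verdict other than "expected-layout" only means the file differs from the layout reported in this thread; it is a prompt to scan the file and check where it came from, not a malware verdict.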

  • softwater Level 5 (5,370 points)
    Apr 24, 2012 7:27 AM (in response to mvaug10087)

    Better safe than sorry...

  • thomas_r. Level 7 (26,935 points)
    Apr 24, 2012 9:29 AM (in response to mvaug10087)

    Well, if Sophos identified it, it had to have identified something.  It's always possible it triggered on a false positive, but possibly not.  I certainly wouldn't fool around since this was just added yesterday, meaning it's probably been discovered very recently.

     

    Is it still in your Sophos quarantine, or did you delete the file?  If it's still there, can you tell us what file was identified, and where?  (You can click an item in the quarantine and the full path to the file will appear at the bottom of the window, under Threat Details.)

     

    If it's still there, I can tell you more if you can find it and send it to me, according to the directions I posted earlier.
