37 Replies Latest reply: Apr 30, 2012 4:03 AM by softwater
mvaug10087 Level 1 Level 1 (15 points)

I have just requested a download of all my Facebook information from Facebook. The download contains a Trojan OSX/FkCodec-A which was detected by my Sophos AV as a threat. Has anybody else encountered this? The trojan was not on my Mac before as the AV only detected it when I downloaded the file from Facebook. Is it a real threat?


iMac, Mac OS X (10.7.2)
  • Klaus1 Level 8 Level 8 (46,960 points)

    Yes, lots of downloads from Facebook and other 'social sites' contain malware.

    You will find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy, useful:

    https://discussions.apple.com/docs/DOC-2435

    The User Tip (which you are welcome to print out and retain for future reference) seeks to offer guidance on the main security threats and how to avoid them, including how to prevent, detect and/or remove the Flashback Trojan.

  • mvaug10087 Level 1 Level 1 (15 points)

    Interesting post, but my concern is that this download was a built-in Facebook function, not a third-party download or app. The download function is new and available here (if you have a FB account):

    https://www.facebook.com/settings

  • Klaus1 Level 8 Level 8 (46,960 points)

    Like I said, I would not trust any download from Facebook. They have been hacked many times.

  • thomas_r. Level 7 Level 7 (30,540 points)

    This is the first that I have ever heard of such malware, but I do find it on Sophos' site:

    http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~FkCodec-A/detailed-analysis.aspx

    They don't say much about it, though...  just:

    OSX/FkCodec-A is a fake installer that claims to be installing codec.

    Looks like it was just added to their definitions yesterday, so it must be so new that nobody has written anything up about it yet.  I would try to contact Facebook about that.  I've just started the process of downloading my own Facebook information, and will report back here with what I find when it arrives.

  • softwater Level 5 Level 5 (5,370 points)

    I downloaded my Fb info on 14 April. Just scanned it a moment ago with ClamXav (latest release & today's definitions) and found nothing.

  • mvaug10087 Level 1 Level 1 (15 points)

    I have Sophos AV and I saw the info on the Sophos website. The alert appeared as soon as I downloaded the .dmg from Facebook. The Facebook information download facility is also very new and has been getting a lot of attention in the media on this side of the Atlantic. With the, how can I put it, somewhat 'relaxed' approach to security prevalent in the Mac community, this could be a significant problem. I would love to report it to Facebook but I can't find a suitable link to use on their security page.

  • softwater Level 5 Level 5 (5,370 points)

    I think that's where the scam is coming in, right there. The download isn't a .dmg as far as I recall.

    I'm just doing it again to be certain. When you click on the 'start my archive' button you should get a msg saying you'll receive an email when the archive is ready. However, as I remember, when you get the email, you click on the link and it takes you back to the same page. When you click on the button this time it just downloads the files to your default folder location.

    I think the first thing I'd look at is the URL of the Facebook site you're visiting. Are you sure it's the genuine one? What's the URL?

  • thomas_r. Level 7 Level 7 (30,540 points)

    Okay, I just got my Facebook data (what little there is of it...  I'm not a big Facebook user), and there's nothing in it recognized by Sophos as malware.  So it's definitely not something that everyone will find in their Facebook data.

     

    Where in your Facebook data was the file?  And would you be willing to e-mail the file Sophos identified to me, so I can do some tests?  You can find my e-mail address on the "contact me" link at the bottom of my Mac Malware Guide.  (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

     

    Edit: to e-mail it without getting flagged as sending malware, open the Terminal and paste in the following command:

     

    zip -e ~/Desktop/fkcodec.zip 

     

    Make sure there's a space at the end, and then drop the file identified by Sophos onto the Terminal window.  Hit return, and enter "infected" as the password.  Take the resulting fkcodec.zip file, which will show up on the desktop, and e-mail that to me.

  • softwater Level 5 Level 5 (5,370 points)

    @Thomas

    Did yours come in the form of a .dmg?

  • thomas_r. Level 7 Level 7 (30,540 points)

    Did yours come in the form of a .dmg?

    Nope, mine came as a .zip file containing a folder with files "README.txt" and "index.html" and folders "html" and "photos".

  • mvaug10087 Level 1 Level 1 (15 points)

    I have just repeated the whole thing with no issues at all. I have a horrible feeling that it was completely coincidental Sophos AV activity at the same time as I was trying to open the Facebook archive .zip (@softwater you were correct it was not a .dmg).

    Retires red-faced to corner.......

  • softwater Level 5 Level 5 (5,370 points)

    Better safe than sorry...

  • thomas_r. Level 7 Level 7 (30,540 points)

    Well, if Sophos identified it, it had to have identified something.  It's always possible it triggered on a false positive, but possibly not.  I certainly wouldn't fool around since this was just added yesterday, meaning it's probably been discovered very recently.

     

    Is it still in your Sophos quarantine, or did you delete the file?  If it's still there, can you tell us what file was identified, and where?  (You can click an item in the quarantine and the full path to the file will appear at the bottom of the window, under Threat Details.)

     

    If it's still there, I can tell you more if you can find it and send it to me, according to the directions I posted earlier.
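    The two checks the thread keeps circling back to are "does the archive look like the export it is supposed to be?" (the layout thomas_r. describes: a folder holding README.txt, index.html, html/ and photos/) and "exactly which file was flagged, and where?" (what an analyst or vendor needs in a report). The Python below is an added example, not code from this thread, from Sophos or from Facebook: it lists a zip's entries without extracting anything, compares the top-level layout against that description, refuses absolute or traversal paths, and returns the SHA-256 of any entry it flags. The export folder name, the file contents and the list of installer-like suffixes are constructed assumptions for the example.

```python
"""Audit a downloaded export archive before unpacking it (added example)."""
import collections
import hashlib
import io
import posixpath
import zipfile

# Top-level layout of the export folder as described in the thread.
EXPECTED_TOP_LEVEL = {"README.txt", "index.html", "html/", "photos/"}

# Assumed list: file types that have no place in a data export.
INSTALLER_SUFFIXES = (".dmg", ".pkg", ".app", ".sh", ".command", ".jar", ".exe")


def build_sample_archive(extra_entries=None) -> bytes:
    """Construct an in-memory zip mimicking the described layout (sample data,
    not a real export); extra_entries adds {name: bytes} items for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("my-facebook-data/README.txt", "constructed sample\n")
        zf.writestr("my-facebook-data/index.html", "<html><body>sample</body></html>\n")
        zf.writestr("my-facebook-data/html/wall.html", "<html>wall</html>\n")
        zf.writestr("my-facebook-data/photos/p1.jpg", b"\xff\xd8\xff\xe0 placeholder")
        for name, data in (extra_entries or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def audit_archive(data: bytes) -> dict:
    """Return {'root': str|None, 'unexpected': [...], 'unsafe_paths': [...]}.

    Each 'unexpected' item carries the entry name, the reasons it was flagged
    and its SHA-256, which is what a vendor or analyst needs in a report."""
    findings = {"root": None, "unexpected": [], "unsafe_paths": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        # The export folder is taken to be the most common first path component.
        roots = collections.Counter(
            i.filename.split("/")[0] for i in entries
            if "/" in i.filename and not i.filename.startswith("/"))
        root = roots.most_common(1)[0][0] if roots else None
        findings["root"] = root
        for info in entries:
            name = info.filename
            norm = posixpath.normpath(name)
            # Entry names are untrusted: refuse absolute and traversal paths.
            if name.startswith("/") or norm == ".." or norm.startswith("../"):
                findings["unsafe_paths"].append(name)
                continue
            parts = name.split("/")
            reasons = []
            if len(parts) == 1 or parts[0] != root:
                reasons.append("outside the export folder")
            elif info.is_dir() and len(parts) == 2:
                continue  # the export folder entry itself
            else:
                top = parts[1] + ("/" if len(parts) > 2 else "")
                if top not in EXPECTED_TOP_LEVEL:
                    reasons.append("not part of the expected layout")
            if name.lower().endswith(INSTALLER_SUFFIXES):
                reasons.append("installer-like file")
            if reasons:
                digest = hashlib.sha256(zf.read(info)).hexdigest()
                findings["unexpected"].append(
                    {"name": name, "reasons": reasons, "sha256": digest})
    return findings


if __name__ == "__main__":
    # Constructed case: a stray download.dmg sitting next to the real export files.
    sample = build_sample_archive({"my-facebook-data/download.dmg": b"constructed"})
    for item in audit_archive(sample)["unexpected"]:
        print(item["name"], item["reasons"], item["sha256"])
```

    Because the audit only reads the central directory and the flagged entries' bytes, nothing is written to disk and no file is opened by its handler, so a scanner's verdict on the archive can be checked against what is actually inside it. The name, the reasons and the hash are the details worth quoting when asking a vendor whether a detection was a false positive.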

  • mvaug10087 Level 1 Level 1 (15 points)

    The file identified was download.dmg in the Downloads folder. Once I realised that it probably was not associated with the Facebook download, I did a secure delete as the Sophos clean up threat did not seem to be doing anything. I can't remember the dates added or modified but I carried out a full scan on 9th April and it wasn't there then. Sorry this is not much help.
