Facebook filth flood – Fawkes Virus to blame?

The newsfeeds of numerous Facebook users have become flooded with filth – specifically violent and pornographic images – as the result of an attack against the social network over the last day or so.

Objectionable content such as photoshopped images of celebrities such as Justin Bieber in sexual situations, violent pictures and depictions of an abused dog have appeared on the social network. Victims confronted by these images have taken to Twitter to vent express their outrage, as is the local custom.

Net security firm Sophos was among the first to warn of the apparent outbreak, following first-hand reports of the outrage by readers of its Naked Security blog. The mechanism behind the spread of the offensive content remains unclear, although some form of clickjacking attack is one obvious contender.

The motives behind that attack – much less its perps – also remain anybody's guess, though one obvious suspect has to be Anonymous. The shock content fits Anonymous' style, or at least its 4chan roots, and supposed members of the group have been threatening Facebook of late.

A supposed 5 November campaign against Facebook, disavowed by prominent members of Anonymous months ago, came to nothing. We were inclined to write off another threat that surfaced on Friday as probably another hoax (or damp squib) but perhaps we spoke too soon.

A purported member of Anonymous announced its intention to release a “highly sophisticated” worm onto Facebook last week. The so-called Fawkes Virus consists of a "highly sophisticated worm, with advanced network self-replication and remote abilities,” according to the message. It “sends out malicious links and gains access to your account”, something that might fit with the outbreak of filth reported by Sophos.

"If it’s not a hoax, it appears to have the characteristics of 2008's KoobFace, but unlike its predecessor it should also receive commands from a remote attacker and simulate 'basic actions on Facebook accounts, such as sending a friend request or a message'," Razvan Livintz, an analyst at Romanian anti-malware firm BitDefender wrote last Friday.

The supposed activist released a video discussing the malware, whose original creation date matched that of a Trojan, called Bifrose-AAJX, detected by Romanian anti-malware firm BitDefender since 8 July.

Last Friday (11 November), links to download Bifrose-AAJX appeared on Facebook under the guise of a scam purporting to offer a "New Facebook Video Chat with Voice Features". Users were encouraged to follow a link to download the software, actually a backdoor that logs keystrokes and gets up to all manner of other mischief.

Aside from the timing there's nothing much to link the Bifrose-AAJX scam with the Fawkes virus, as BitDefender acknowledges. "It doesn't have the self-replication component Anonymous said it should have. It does connect to a remote server in Egypt instead, which is something the video 'forgot' to mention," Bitdefender staffer George Lucian Petre wrote on Saturday.

So to summarise a somewhat confusing situation: objectionable content is appearing in users' news feeds on Facebook for reasons unknown. This may or may not be linked to a threatened malware-powered attack against the social network by someone purporting to represent Anonymous.

We're asking Facebook to comment on the situation and will update this story as and when we hear more. ®