Short version: yes, you can get a virus from any website, including YouTube and Facebook.
Detailed version:
There are a huge number of ways in which you can get infected with malware (a virus is a specific type of malware; see https://en.wikipedia.org/wiki/Malware for more details on this).
To maintain anything resembling a short (but still worth getting a drink now...) answer to this question, I'll stick to the ones that affect most people - not necessarily the most sophisticated.
Drive-by-downloads
Specifically to answer the scenario posed in the question, Facebook/YouTube are themselves rarely compromised. However, they do show a lot of advertisements (since that's how they earn revenue) and these ads are by nature dynamic. This leads to issues where the advert can link to a malicious website, or even dynamically download JavaScript to your browser which can then run whatever code it chooses to either exploit your machine directly or download malware.
There is a lot more which could be said here, but I think the most important one for most people to understand is email security, therefore see below for details on how this is the most common vector for malware infection.
Phishing email
The number one infection mechanism is still via phishing email campaigns. Phishing is a malicious form of spam. There are lots of different types of spam which range from simple advertising 'annoying' spam, to heavily targeted spear-phishing email (https://en.wikipedia.org/wiki/Phishing).
These emails typically contain one or more of the following active malicious elements:
a) attachments
b) URLs (hyperlinks)
c) embedded JavaScript and images
a) Attachments are fairly self-explanatory, however a common misconception is that they are only malicious if their file-extension is .exe - THIS IS NOT TRUE. The most common forms of malicious attachments are .pdf, .doc, .xls, .zip and .rar.
The first three are document formats which, when opened, rely on exploiting a vulnerability within the associated software package (typically Microsoft Office or Adobe PDF Reader). Zip and Rar are archiving formats for compressing data such that it is more efficient to send large volumes of data over networks such as the internet.
Another very common technique which all malware authors take advantage of is a default Windows setting: 'hide file extensions for known file types'. What this means is that because Windows knows what to do with a .exe file, it will transform a filename of 'cool-picture.jpg.exe' into 'cool-picture.jpg', making the user think they're looking at a picture. The obvious giveaway with this is that Windows also knows what to do with a .jpg file, so if it were really a .jpg then the filename would simply be 'cool-picture' (assuming this default is left on, see below for instructions on disabling this).
b) URLs, unlike attachments, can be used for two motives. As with attachments they can be used to directly install malware on your machine by sending you straight to a malicious or compromised website.
More commonly nowadays they are attempting to steal user credentials for other online services. It is important to remember that excluding intellectual property theft and government/political disruption, all malware is after money. Therefore, in this scenario it is a lot easier to send a million people an email appearing to be from PayPal (including the 'From:' field as this is configurable by the sender to say whatever they want) giving you some reason (they vary) as to why they need you to 'prove your account is active' and thus provide your credentials. To some people, who don't have PayPal, this is obvious spam. But phishing emails of this sort range from obvious forgeries (bad grammar, spelling etc, no customer identifiable information e.g. name/account number) to very advanced and accurate imposters, using logos, signatures and real templates they've obtained from the target company (PayPal) to convince as many people to click the link and provide their details as possible.
c) Embedded JavaScript and images can also be used to target your personal information and/or install malware on your machine. As with URLs, images can be links to other websites (it's important to remember that the text displayed by the link does not have to match what the link points to - if you hover over it WITHOUT clicking it, then the status bar at the bottom of your browser will show you what it really points to) or, more dangerously, automatically load remote content from another website in your email. This content doesn't have to be a picture at all and could be a direct download link for a piece of malware or even just a 'check-in' address to identify all users who've opened the spam email at all and not just deleted it. They can then use this information to perform more targeted attacks aimed at gathering additional information as required. Embedded JavaScript is able to do any of these scenarios directly, without the need to have the user render an image or click a link - but more email clients (e.g. Outlook, Thunderbird) mark email containing JavaScript natively as suspicious, therefore as always there is a trade-off for the spam author between using the most direct route to exploitation vs. probability of being detected.
Mitigation -
If you read nothing else in this post, read this bit!
1) Don't click links in emails
2) Don't click attachments in emails
3) Disable images in emails, either from untrusted senders or completely
4) Disable 'hide file extensions for known file types' (in XP, other guides are available via google) by following these steps
If you are not expecting attachments/URLs/images but you know the sender, ask them through another channel whether they sent it to you and what it's for. If their email has been compromised then it may have genuinely come from their account, but it wasn't them who did it - that way you help them know they're infected too!
Hopefully that will help more people understand how the bad guys work and therefore help them protect themselves. Safe-surfing to all!
Michael,
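
The three email elements described above (disguised attachments, links whose text differs from their target, remote images and scripts) can be checked mechanically. The following is an added example, not part of the original answer; the `.example` domains, the sample message and all function names are constructed for illustration.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse
# Names like "picture.jpg.exe": a harmless-looking type followed by an executable one.
DISGUISED = re.compile(r"\.(jpg|png|gif|pdf|doc|xls|txt)\.(exe|scr|com|bat|js)$", re.I)
HOST = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)")  # a host name shown as link text

class BodyScan(HTMLParser):
    """Collects remote images, scripts, and links whose text names a different host."""
    def __init__(self):
        super().__init__()
        self.findings, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.href, self.text = a.get("href") or "", ""
        elif tag == "img" and (a.get("src") or "").lower().startswith("http"):
            self.findings.append("remote image: " + a["src"])
        elif tag == "script":
            self.findings.append("embedded script")
    def handle_data(self, data):
        if self.href is not None:          # only collect text inside an open <a>
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown, real = HOST.search(self.text), urlparse(self.href).hostname or ""
            if shown and shown.group(1).lower() != real.lower():
                self.findings.append(f"link shows {shown.group(1)} but goes to {real}")
            self.href = None

def scan_email(msg):
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and DISGUISED.search(name):
            findings.append("double extension: " + name)
        elif part.get_content_type() == "text/html":
            scan = BodyScan()
            scan.feed(part.get_content())
            findings += scan.findings
    return findings

def sample():  # constructed message, not real mail
    m = EmailMessage()
    m.set_content('<a href="http://login.evil.example/x">www.paypal.example</a>'
                  '<img src="http://track.evil.example/o.gif">', subtype="html")
    m.add_attachment(b"MZ", maintype="image", subtype="jpeg", filename="cool-picture.jpg.exe")
    return m
```

Calling `scan_email(sample())` returns one finding per element; a link whose visible text is not a host name (for example "click here") is not flagged by this check.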