It just isn't possible to infect the users directly through facebook, unless the hacker has gained access to facebook itself and added content (such as flash, or java) that connects remotely to a malicious website.
But if this was the case, facebook would have fixed it already or closed down for maintenance to avoid any further infections.
But this isn't the case, these spam bots are simply just sending emails and messages out to facebook users telling them that they've won a prize or that they need to update their flash driver, the link they provide redirects to the malicious website which further tells them they need to download or accept a java security certificate in order to continue and after doing this the user is infected.
The reason these types of viruses are so wide-spread, is because they target the naive internet users who are more likely to follow a link that tells them that they've got a virus, and need to follow the link provided to fix it.
Then after infecting a users computer, it sends messages to all their friends and emails containing the same virus; getting an email from someone you know means you're more likely to click on the link, spreading the virus even more.
It's a vicious cycle, but your actions are the only thing that can get you infected.