Saturday, 30 August 2008

Malware spreading via Facebook messages

This is a wrinkle that I have not seen before

The message that I saw was in this form:

Title = Somebody upload a ivdeo with youo n utube. you should see.

"OMG!!! :
hXXp://images.google.com/url?q=http://tinyurl.com/55dk2y" (LINK INTENTIONALLY BROKEN BY Mark Long)

The host in this case is a hacked travel agent in Canada. Given the normal operating practices of botmasters, it is likely that there will be multiple websites hacked to host and redirect, typically via a shared vulnerability.

I would strongly advise great caution in following links of this form - they are using Google as a redirect.
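A way to check messages for this pattern, where a link's visible host is a trusted site but its query string carries the real destination. This is an added example, not code from the original post; the shortener list and function names are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed, illustrative list of URL shorteners; extend for your environment.
SHORTENERS = {"tinyurl.com", "bit.ly", "is.gd"}
# Matches normal and defanged (hXXp) links in free text.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>)]+", re.IGNORECASE)


def refang(url):
    """Turn a defanged hXXp:// link back into a parseable http:// URL."""
    return re.sub(r"^h(?:xx|tt)p", "http", url, flags=re.IGNORECASE)


def nested_targets(url):
    """Return absolute URLs carried inside the query string of `url`."""
    found = []
    # parse_qsl percent-decodes values, so encoded targets are caught too.
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        inner = urlsplit(value)
        if inner.scheme in ("http", "https") and inner.hostname:
            found.append(value)
    return found


def inspect_message(text):
    """Report links whose visible host differs from the embedded target."""
    findings = []
    for match in URL_RE.findall(text):
        url = refang(match)
        outer = (urlsplit(url).hostname or "").lower()
        for target in nested_targets(url):
            inner = (urlsplit(target).hostname or "").lower()
            if inner == outer:
                continue  # same-site "next=" style parameters are not flagged
            bare = inner[4:] if inner.startswith("www.") else inner
            findings.append({
                "visible_host": outer,
                "redirect_target": target,
                "shortener": bare in SHORTENERS,
            })
    return findings


# Constructed sample: the defanged message body quoted in the post.
SAMPLE = "OMG!!! :\nhXXp://images.google.com/url?q=http://tinyurl.com/55dk2y"

if __name__ == "__main__":
    for finding in inspect_message(SAMPLE):
        print(finding)
```

A finding with `shortener` set to true means two layers of indirection hide the final host, so the target has to be resolved in an isolated environment before anyone can say where the link leads.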

If you follow the link, you will see what looks like (but is not) a YouTube page and an instruction to "click here to upgrade your flash player". Of course, it downloads a fairly generic bot at this point. I have not yet had the chance to reverse engineer it to see what it does.

Having spoken to the person who sent the link, it seems that they are using social engineering rather than automating Facebook to send the links.

Hope that this helps someone

Mark Long, Digital Looking Glass

1 comment:

Unknown said...

Yeah, I don't have Facebook but I tend to get tonnes of rubbish like that on bebo. I guess it must be going around all of the social networks 'cause a lot of them have subscribers who aren't very computer literate, to say the least.