Message-ID: <CAKS4ivXegQDJj52TDLde9OU=esnrvuOi+H49vFS+y24O7Uh8UA@mail.gmail.com>
Date: Thu, 29 Jan 2015 17:22:43 -0500
From: Mohammad Reza Faghani <faghani@...hani.info>
To: fulldisclosure@...lists.org
Subject: [FD] Facebook Malware that infected more than 110K and still on the rise
A new trojan is propagating through Facebook; it was able to infect more
than 110,000 users in only two days.
*Propagation*:
The trojan tags the infected user's friends in an enticing post. Upon
opening the post, the user gets a preview of a porn video which
eventually stops and asks the user to download a (fake) Flash player to
continue the preview. The fake Flash player is the downloader of the actual malware.
*Background*:
We have been monitoring this malware for the last two days, during which it
infected more than 110K users, and it is still on the rise.
This malware keeps a low profile by tagging fewer than 20 users in
each round of posting.
This trojan differs from previous trojans in online social networks
in some of its techniques. For instance, the previous trojans sent messages (on
behalf of the victim) to a number of the victim's friends. Upon infection
of those friends, the malware could go one step further and infect the
friends of the initial victim's friends.
In the new technique, which we call "Magnet", the malware gains more
visibility to potential victims because it tags the victim's friends in
the malicious post. In this case, the tag may be seen by friends of the
victim's friends as well, which leads to a larger number of potential
victims. This speeds up the malware's propagation.
*Things to know:*
The details of this analysis will be posted here later. In the meantime,
this information may come in handy as an interim measure:
The MD5 of the executable file (fake Flash player): cdcc132fad2e819e7ab94e5e564e8968
The SHA1 of the executable file (fake Flash player): b836facdde6c866db5ad3f582c86a7f99db09784
The fake flash file drops the following executables as it runs:
chromium.exe, wget.exe, arsiv.exe, verclsid.exe.
The malware is able to hijack keyboard and mouse movement (based on initial
investigation).
The presence of chromium.exe among the Windows processes is an indicator of
compromise (IoC). Upon execution, the malware tries to connect to the
following hosts:
www.filmver.com and www.pornokan.com
Kind Regards
Mohammad R. Faghani
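As an added example (not code from the advisory's author), the following Python script turns the indicators above into defender-side checks: it hashes a suspect file against the published MD5/SHA1, flags the dropped executable names, and scans DNS query logs for the two domains. The dnsmasq-style log format and the sample lines are constructed assumptions.

```python
import hashlib
import re
from pathlib import Path

# Indicators quoted from the advisory above.
KNOWN_MD5 = {"cdcc132fad2e819e7ab94e5e564e8968"}
KNOWN_SHA1 = {"b836facdde6c866db5ad3f582c86a7f99db09784"}
DROPPED_NAMES = {"chromium.exe", "wget.exe", "arsiv.exe", "verclsid.exe"}
C2_DOMAINS = {"www.filmver.com", "www.pornokan.com"}

def check_sample(filename, data):
    """Return which indicators a file matches: 'hash' and/or 'name'.
    A name match alone is weak (verclsid.exe is a legitimate Windows
    binary), so confirm it with the hash or the file's location."""
    hits = []
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    if md5 in KNOWN_MD5 or sha1 in KNOWN_SHA1:
        hits.append("hash")
    if filename.lower() in DROPPED_NAMES:
        hits.append("name")
    return hits

def scan_file(path):
    """Hash an on-disk file and return its indicator matches."""
    p = Path(path)
    return check_sample(p.name, p.read_bytes())

# One regex for the known domains; the lookarounds stop a longer label
# such as "notwww.filmver.com" from producing a hit.
_DOMAIN_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(d) for d in sorted(C2_DOMAINS)) + r")(?![\w-])",
    re.IGNORECASE,
)

def find_domain_hits(log_lines):
    """Return (line_number, domain) for every log line naming a C2 host."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = _DOMAIN_RE.search(line)
        if match:
            hits.append((number, match.group(1).lower()))
    return hits

# Constructed dnsmasq-style query log lines (assumed format, not real data).
SAMPLE_DNS_LOG = [
    "Jan 29 17:01:02 dns1 dnsmasq[412]: query[A] www.example.com from 10.0.0.15",
    "Jan 29 17:01:05 dns1 dnsmasq[412]: query[A] www.filmver.com from 10.0.0.23",
    "Jan 29 17:01:09 dns1 dnsmasq[412]: query[A] cdn.example.net from 10.0.0.15",
    "Jan 29 17:02:41 dns1 dnsmasq[412]: query[A] www.pornokan.com from 10.0.0.23",
]
```

Running find_domain_hits(SAMPLE_DNS_LOG) reports lines 2 and 4, and the client address on those lines (10.0.0.23) is the host to examine for chromium.exe and the other dropped files.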
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/