Full Disclosure mailing list archives

Facebook Malware that infected more than 110K and still on the rise

From: Mohammad Reza Faghani <faghani () faghani info>

Date: Thu, 29 Jan 2015 17:22:43 -0500

A new trojan is propagating through Facebook which was able to infect more than 110,000 users in only two days.

*Propagation*: The trojan tags the infected user's friends in an enticing post. Upon opening the post, the user will get a preview of a porn video which eventually stops and asks for downloading a (fake) flash player to continue the preview. The fake flash player is the downloader of the actual malware.

*Background*: We have been monitoring this malware for the last two days, where it could infect more than 110K users in only two days, and it is still on the rise. This malware keeps its profile low by only tagging fewer than 20 users in each round of posts. This trojan is different from the previous trojans in online social networks in some techniques. For instance, the previous trojans sent messages (on behalf of the victim) to a number of the victim's friends. Upon infection of those friends, the malware could go one step further and infect the friends of the initial victim's friends. In the new technique, which we call "Magnet", the malware gets more visibility to the potential victims as it tags the friends of the victim in the malicious post. In this case, the tag may be seen by friends of the victim's friends as well, which leads to a larger number of potential victims. This will speed up the malware propagation.

*Things to know:* The details of this analysis will be posted here later. However, for an interim solution, this information might come in handy:

The MD5 of the executable file (fake flash player): cdcc132fad2e819e7ab94e5e564e8968
The SHA1 of the executable file (fake flash player): b836facdde6c866db5ad3f582c86a7f99db09784

The fake flash file drops the following executables as it runs: chromium.exe, wget.exe, arsiv.exe, verclsid.exe.
The malware is able to hijack keyboard and mouse movement (at initial investigation).
Existence of the chromium.exe in the Windows processes is an Indication of Compromise (IoC).
The malware tries to connect to the following network upon execution: www.filmver.com and www.pornokan.com

Kind Regards
Mohammad R. Faghani

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
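The post above gives an interim set of indicators (file hashes, dropped executable names, and two contact domains). The following script is an added example, not part of the original post and not tooling from the author; it shows how a responder would turn those indicators into a triage check: hashing a suspect file, matching a process list against the dropped file names, and scanning resolver or proxy log lines for the two domains. The log lines and process list embedded here are constructed for illustration; only the hashes, file names and domains come from the post.

```python
import hashlib
import re

# Indicators of compromise quoted from the Full Disclosure post above.
IOC_MD5 = "cdcc132fad2e819e7ab94e5e564e8968"
IOC_SHA1 = "b836facdde6c866db5ad3f582c86a7f99db09784"
IOC_DROPPED = {"chromium.exe", "wget.exe", "arsiv.exe", "verclsid.exe"}
IOC_DOMAINS = {"www.filmver.com", "www.pornokan.com"}


def hashes_of_bytes(data):
    """Return (md5, sha1) hex digests of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def file_hashes(path):
    """Return (md5, sha1) hex digests of a file, streamed so large
    downloads do not have to fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def hashes_match_ioc(md5, sha1):
    """True if either digest matches the fake flash player sample."""
    return md5.lower() == IOC_MD5 or sha1.lower() == IOC_SHA1


def suspicious_processes(process_names):
    """Case-insensitive match of a process list against the dropped names.
    verclsid.exe is also a legitimate Windows binary, so a hit on it alone
    is weak evidence; confirm with the image path and the file hash."""
    return sorted(p for p in process_names if p.lower() in IOC_DROPPED)


# Matches hostnames such as www.filmver.com inside a free-form log line;
# bare IPv4 addresses do not match because the last label must be letters.
HOST_RE = re.compile(r"\b(?:[\w-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_hits(log_lines):
    """Return (line_number, domain) pairs for lines naming an IoC domain."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            if host.lower() in IOC_DOMAINS:
                hits.append((n, host.lower()))
    return hits


# Constructed sample inputs (not real telemetry) used to exercise the checks.
SAMPLE_PROCESSES = ["explorer.exe", "Chromium.exe", "svchost.exe", "wget.exe"]
SAMPLE_DNS_LOG = [
    "2015-01-29T17:01:02Z client=10.0.0.5 query=www.example.org type=A",
    "2015-01-29T17:01:09Z client=10.0.0.5 query=www.filmver.com type=A",
    "2015-01-29T17:01:10Z client=10.0.0.5 query=WWW.PORNOKAN.COM type=A",
]


def triage_report(process_names=SAMPLE_PROCESSES, log_lines=SAMPLE_DNS_LOG):
    """Combine the process and log checks into one summary dict."""
    return {
        "processes": suspicious_processes(process_names),
        "domains": domain_hits(log_lines),
    }


if __name__ == "__main__":
    # Usage: python triage.py ; pass a path to file_hashes() to check a sample.
    report = triage_report()
    print("suspicious processes:", report["processes"])
    print("IoC domain lookups  :", report["domains"])
```

The process check is deliberately name-based so it can run over output from a task list or an EDR export without file access; the hash check is the stronger confirmation when the downloaded file is available.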