Showing posts with label virus. Show all posts

Wednesday, August 6, 2008

Facebook Warning!


Most Facebook users will be familiar with their web-based message inbox. From an end-user perspective it looks much like e-mail, with one difference: it can only receive messages from approved friends. It now shares another trait with e-mail, because it is being used in an attempt to distribute a Trojan.

According to Marc Saltzman's blog post, a message arrives in the message inbox from an approved Facebook friend with the message "LOL, You've been catched on hidden cam, yo.". Marc states:

Following this message is a long URL (website address) that, when clicked, takes you to what appears to be a YouTube video. This is not YouTube. When you click the video to begin, a message pops up and says you first need to download a newer Flash player to play the video. Do not do this. It's a virus.


Symantec detects the downloaded file as the Infostealer.Gampass Trojan. The Trojan itself isn't anything new or out of the ordinary. The delivery mechanism is the clever part: a message that arrives in the Facebook inbox from an approved friend carries a trust that ordinary e-mail spam lacks, and that social engineering could result in a large number of infections.

So the question is, how did the messages appear to come from approved friends? As I was writing this blog post, I found this news article with a warning from Kaspersky:

When owners of the infected machines next log onto the social networks, their machine automatically sends the malicious messages out to new victims grabbed from the friend list, said Ryan Naraine, security evangelist at Kaspersky.


If you receive this message from a friend, delete it and notify your friend that their machine is infected; the message was sent by the malware, not by them.
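The two warning signs in this post, and in the "Video ActiveX Object" pop-up in the post below, are the same: a lure message with a fixed text, a link to a page that imitates a video site but is not hosted there, and a "player update" that is really a Windows executable. The following Python script is an added example, not part of the original post or of any Symantec or Kaspersky tooling; it checks a batch of messages for those signs. The lure phrases are the ones quoted on this page, the sample messages are constructed for the example, and the hostnames and file extensions it treats as suspicious are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Lure texts quoted on this page, lower-cased with whitespace collapsed.
LURE_PHRASES = [
    "you've been catched on hidden cam",
    "download new version of video activex object",
]

# Extensions a "player update" should never have (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalise(text):
    """Lower-case and collapse whitespace so phrase matching is robust."""
    return " ".join(text.lower().split())


def is_real_youtube_host(host):
    """True only for youtube.com itself or a subdomain of it.

    A lookalike such as youtube.com.example.net contains the brand name but
    is a different registered domain, which is what the fake page relies on.
    """
    return host == "youtube.com" or host.endswith(".youtube.com")


def check_message(message):
    """Return a list of findings for one message; an empty list means clean."""
    findings = []
    body = normalise(message)
    for phrase in LURE_PHRASES:
        if phrase in body:
            findings.append("lure text: " + phrase)
    for url in URL_RE.findall(message):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if "youtube" in host and not is_real_youtube_host(host):
            findings.append("YouTube lookalike host: " + host)
        if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append("link to Windows executable: " + url)
    return findings


def triage(messages):
    """Map each message index to its findings, skipping clean messages."""
    return {i: f for i, f in ((i, check_message(m)) for i, m in enumerate(messages)) if f}


# Constructed sample messages; the URLs are invented for the example.
SAMPLE_MESSAGES = [
    "LOL, You've been catched on hidden cam, yo. "
    "http://youtube.com.video-watch.example/watch?v=123",
    "Check out this video http://www.youtube.com/watch?v=abc",
    "You need to download new version of Video ActiveX Object to play this "
    "video file. http://video-player.example/install_flash_player.exe",
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_MESSAGES).items():
        print("message %d:" % index)
        for finding in findings:
            print("  -", finding)
```

Matching on the exact lure text catches this campaign only; the host and extension checks are the part worth keeping, since the next campaign will change the wording but still needs a lookalike page and a downloadable executable.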

Wednesday, November 28, 2007

Google Caches Virus Popup

This evening I was looking at some of the spam found in my Gmail Spam folder. I started using Google Search to see if I could correlate some websites related to the spam. I did find some interesting things, such as that the bad English "recorded for security purpose", found on one spam-related website, is copied across several spam-related sites. I was looking for some casual correlation to hopefully find some bad IP addresses not found in one of the top RBL sites, such as Spamhaus. Alas, Spamhaus had me beat. It knew them all.

But then I found something rather interesting. I came across a website with a pop-up, trying to get me to download a Windows executable file.



In order for this to work I'd have to click on the fake dialogue button "Continue". Then a real dialogue with a "Save As" option appears; I download it, open it, and enjoy using my new virus. Okay, so nothing new and exciting there. It's a pretty simple website trying to con me into running their malicious code.

Now I was curious how many duplicate pages out there had the same pop-up, so I did a search for the text "You need to download new version of Video ActiveX Object to play this video file.".

I clicked on the first result.



But the page was gone.



I was really looking forward to that virus pop-up. Never mind, maybe Google Cache can help me out.





Excellent! The spammer took down the webpage linking to their exploit code, but luckily Google Cache saved a copy of the page, which popped up the "Save As" dialogue, so I can now download it and start enjoying my new virus as it silently rips through my machine, stealing my personal data and e-mailing spam around the world.

I uploaded this file to the Kaspersky Virus Scanner and it was identified as being "infected by Trojan-Downloader.Win32.Zlob.eob".

Oh no, I just realized. This exploit is not platform independent and will not run on my machine. It only runs on Windows and I'm using Ubuntu Linux. I guess I'll have to keep googling...