Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    December 2014
    S M T W T F S
    « Nov    
     123456
    78910111213
    14151617181920
    21222324252627
    28293031  
  • Email Subscription

  • About Us

    The infamous KOOBFACE botnet is sending direct messages (DMs) on Facebook. If this sounds familiar… it should be, as this tactic was previously discussed here in the Malware Blog back in March.

    The hook is somewhat similar to a ZBOT attack also spotted in March. That attack claimed that someone posted pictures of the user; this one uses a video instead. The text and link in the message are:

    Someobdy uplaod a vdieo wtih you on utbue. you shuold see.

    http://www.facebook.com/l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;www.{BLOCKED}rotherz.ca./19mai/”

    As is frequently the case in these kinds of attack, the English used in the message is comically bad. The URL, however, is somewhat disguised—the first domain name the user sees belongs to Facebook. This is because the link does legitimately go to Facebook first. Any URL with the format http://www.facebook.com/l/{random character};{redirected URL} brings up the Facebook preview page for external links. Apparently, cybercriminals are betting that users will ignore the warnings and proceed to their site anyway.

    If users do go on to visit the malicious site, this is what they see:

    Click for larger view

    This malicious site is actually hosted on multiple IP addresses (from Facebook, users go to a redirection script that point them to different IP addresses. They all have a common payload though—a new KOOBFACE variant detected as WORM_KOOBFACE.IC. (The script that redirects users to the various KOOBFACE hosting pages is detected as JS_REDIR.EB.)

    Like many previous KOOBFACE variants, this is used to download malware onto the user’s system. At least one of these—TROJ_JORIK.D—installs what appears to be a webserver, possibly restarting the KOOBFACE infection chain.

    Trend Micro™ product users should not worry, however, as Smart Protection Network™ protects them from this attack by blocking access to the malicious sites through Web reputation service and by preventing the download of the related malicious files through file reputation service.

    Credit to Rik Ferguson of Countermeasures for finding this Facebook message.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon






     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice