The past few days brought a new wave of malware attacks via Facebook aimed at German-speaking users. Many users received a message via Facebook’s chat function that looked something like this:
The shortened URLs varied, but the outcome was the same: clicking the link downloaded an executable file disguised as a .jpg! If the downloading user has file name extensions hidden on his or her computer, the file icon looks like this and one would believe it to be a regular .jpg:
With file name extensions enabled, the same file looks like this:
This at least gives an informed user a chance to notice that something is wrong, because the displayed icon does not match the file name extension. But what happens to the average user?
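As an added illustration (not part of the original post, and not the campaign’s own files), the following Python script shows the check a user or administrator can automate where hidden extensions fail them: it looks at the real first bytes of each downloaded file instead of trusting the name, and it flags the name tricks that make an executable pass as a picture. The sample download folder it builds and every file name in it are constructed for the demo; the double-extension and padded-name variants are generalizations of the trick, not details the post reports.

```python
"""Flag downloaded files that pose as pictures but are really Windows executables."""
import os
import tempfile

# Extensions Windows runs on double-click (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Extensions a user expects to be harmless images.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Magic bytes that identify the real format regardless of the file name.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
    b"BM": "BMP",
}
# Constructed sample name: 18 blanks push the real extension out of a narrow name column.
PADDED_NAME = "selfie.gif" + " " * 18 + ".scr"


def real_type(path):
    """Identify the file by its first bytes, ignoring whatever the name claims."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head.startswith(b"MZ"):  # DOS/PE header: every Windows .exe starts with it
        return "PE executable"
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect(path):
    """Return the reasons (possibly none) why the file looks like a disguised executable."""
    name = os.path.basename(path)
    exts = ["." + p.strip() for p in name.lower().split(".")[1:]]
    final = exts[-1] if exts else ""
    inner = exts[:-1]
    reasons = []
    if final in EXECUTABLE_EXTS:
        reasons.append("final extension %s runs on double-click and is hidden when extensions are off" % final)
        fake = [e for e in inner if e in IMAGE_EXTS]
        if fake:
            reasons.append("double extension: %s is shown, %s is real" % (fake[-1], final))
        if "  " in name:
            reasons.append("whitespace padding pushes %s out of view" % final)
    if final in IMAGE_EXTS and real_type(path) == "PE executable":
        reasons.append("name claims an image but content is a PE executable")
    return reasons


def scan(directory):
    """Map every file name in the directory to its list of findings."""
    return {n: inspect(os.path.join(directory, n)) for n in sorted(os.listdir(directory))}


def build_sample_dir():
    """Build a constructed sample download folder (headers only, not files from the campaign)."""
    d = tempfile.mkdtemp(prefix="downloads_")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 12
    samples = {
        "party.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # genuine JPEG header
        "cute.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,    # genuine PNG header
        "party.jpg.exe": pe_stub,                           # double-extension trick
        "IMG_0417.exe": pe_stub,                            # shows as "IMG_0417" with extensions hidden
        "lol.jpg": pe_stub,                                 # executable content behind an image name
        PADDED_NAME: pe_stub,                               # padded name, real extension .scr
    }
    for n, data in samples.items():
        with open(os.path.join(d, n), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for n, reasons in scan(build_sample_dir()).items():
        print("%-40s %s" % (n, "; ".join(reasons) or "ok"))
```

Point `scan()` at a real download folder to audit it; the genuine pictures come back with an empty list, while anything whose name or content does not add up gets a human-readable reason.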
Obviously, the user now wants to see the picture he has just downloaded, which was promised as a funny snapshot. This is the moment of infection: clicking this picture/executable launches the downloader, which fetches the actual malware onto the user’s computer. The user is now a victim.
The downloaded file, the malware, is stored in the Windows %TEMP% folder and executed. The victim takes no notice of the malicious activity. Instead, to trick the user a second time, the malware even displays a fake alert to remain credible and “explain” why the user does not actually see a picture:
So the victim now thinks the picture is faulty, most probably throws it into the digital recycle bin and thereby unknowingly removes the most visible trace of the attack, while the secretly installed malware is already working in the background. The initial file, the downloader, is detected by G Data as Trojan.Generic.KD.315917.
Unfortunately, we were not able to get hold of a downloaded malware executable, because the hosting domains had already been cleaned up. The attackers used various compromised legitimate websites to host the files.
The downloaded malware can be virtually anything: an online banking Trojan, a keylogger, spyware, a backdoor, anything! And even if infecting a computer by sending a downloader is nothing new, the impact in a social network with more than 750 million active users can be enormous. So watch out and stay alert!
***************************** UPDATE *****************************
At the time of writing this blog entry, we discovered another variant of this particular attack! This time we see English messages: “hey is this your ex?? lol [LINK]” and “omg you look so cute [LINK]”. The URL is not shortened this time, but the idea behind it is the same.
The downloaded picture/executable is the downloader, and as soon as it is executed it downloads the malware to the victim’s computer – and this time we had a chance to obtain the files!
The G Data products detect the initial downloader as Trojan.Generic.KD.320472.
This file opens a connection to an IRC channel and receives URLs for two more files to download: one is called GoogleTool.exe (Trojan.Generic.KDV.320671), the second one killproc.exe. Both files are currently hosted on Rapidshare.
GoogleTool.exe fetches a file called url.txt, which contains the most recent URLs with new “pictures”. Furthermore, it hooks itself into Internet Explorer to grab the user’s Facebook buddy list and uses this list to spread further chat messages. And this is where it comes full circle!
In this case the damage is limited to the propagation of further fake pictures, but the attackers can exchange the downloaded malware at any time! Next time, the malware might not only hook into IE to get your buddy list, but also to grab your online banking credentials!
So, it is vitally important that you stay alert and avoid clicking the links in oh-so-cool messages!
How you can protect yourself:
- Do not click on links or download files if you received a message from a stranger. The websites and files might harm your PC. Even if the message comes from a friend but looks different from his usual messages, you had better ask him and make sure that he deliberately sent you this message.
- Use the URL shortening services’ preview functions to see where the link really leads you to!
In the case of bit.ly you only need to append a “+” to the shortened link in the browser’s address bar, e.g. bit.ly/shortcode can be previewed as bit.ly/shortcode+
You can also use a web service like LongURL, which covers the preview functions of various services automatically, so you don’t have to remember the rules for each and every one.
- Enable the display of file name extensions in your operating system. You can find the “how to” on the respective Microsoft websites:
How to enable file name extensions in Windows XP (see: More information)
How to enable file name extensions in Windows Vista
How to enable file name extensions in Windows 7
- The operating system and all other software on your system should be kept up to date at all times. Software updates for any program should be installed as soon as they become available to close known vulnerabilities.
- Users are advised to use a comprehensive security solution that constantly monitors all internet traffic and includes an effective spam filter. This offers the most effective protection against drive-by downloads and spam emails.
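The preview functions above reveal the destination one shortening service at a time. As an added example that is not from the original post, this Python snippet resolves a shortened link itself: it follows the redirect chain with HEAD requests, so the linked file is never downloaded, caps the number of hops, detects redirect loops, and finally warns if the destination’s file name ends in an extension Windows would execute. The redirect table, host names and file name used in the offline demo are constructed; the real `head()` function is used whenever no substitute fetcher is passed to `expand()`.

```python
"""Resolve where a shortened link really leads by following redirects hop by hop."""
import http.client
import urllib.parse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Extensions Windows would execute if the "picture" is opened (not exhaustive).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs")


def head(url, timeout=5):
    """One HEAD request over the real network: returns (status, Location header or None).

    HEAD retrieves headers only, so the payload behind the link is never downloaded.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme in %r" % url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-preview/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head, max_hops=10):
    """Follow the redirect chain starting at url.

    Returns (chain, outcome): chain lists every URL visited in order; outcome is
    "final" (a non-redirect answer was reached), "loop" (a URL repeated) or
    "too many hops" (max_hops redirects without reaching the end).
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain, "final"
        nxt = urllib.parse.urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too many hops"


def looks_executable(url):
    """True if the destination's file name ends in an extension Windows would execute."""
    return urllib.parse.urlsplit(url).path.lower().endswith(EXECUTABLE_EXTS)


# Constructed redirect chain for the offline demo; these hosts and paths are not the campaign's.
FAKE_REDIRECTS = {
    "http://short.example.test/abc": (301, "http://pics.example.test/view?id=417"),
    "http://pics.example.test/view?id=417": (302, "/download/IMG_0417.jpg.exe"),
    "http://pics.example.test/download/IMG_0417.jpg.exe": (200, None),
}


def fake_fetch(url):
    """Stand-in for head() that answers from FAKE_REDIRECTS instead of the network."""
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    chain, outcome = expand("http://short.example.test/abc", fetch=fake_fetch)
    print(" -> ".join(chain), "(%s)" % outcome)
    if looks_executable(chain[-1]):
        print("WARNING: the 'picture' link ends at an executable file")
```

To check a real link, call `expand("http://bit.ly/...")` without the `fetch` argument; only headers are transferred, and a chain that ends in `"loop"` or `"too many hops"` is itself a reason to be suspicious.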