A Facebook app page has been doing the rounds on Twitter recently, with Direct Messages being sent to other Twitter users bearing the message “lol ur famous now” and a link to the app page. The link included the word “FailVids”, and if there’s one thing likely to make a panicked user click on things it’s the suggestion they’re fail-vidding all over the place.
Clicking the link would bring end-users to the following app page:
“Twitter Video: You must be logged into Twitter to use this app”.
Uh oh.
As you can probably imagine, entering your login details here would not log the end-user into Twitter. Instead it would hand the victim's credentials to the people behind the scam, giving them the ability to send more fake “oh dear, what have you been up to” style messages via Twitter DMs. This kind of linkbait is fairly common on Twitter, and here are a few examples that have been bouncing around since the start of September.
After hitting the Sign In button and handing away their login credentials, the end-user would then be taken to the following website, woot(dot)tweetelf(dot)info:
It displayed a fake YouTube video set against a fake Facebook background (there’s a theme developing here) and contained the following text:
“An update for YouTube player is required, update needed to view media.
The Flash Player 10.1 update includes
* Smoother video with hardware acceleration support
* Enhanced performance and memory management
* Support for multi-touch and gesture enabled content
* Private browsing support and security enhancements”
Chrome wasn’t keen on the attempted download:
Anybody pressing on with the download would find themselves with an imitation Flash Player in their Downloads Folder:
The file has nothing to do with Flash Player and everything to do with Umbra Loader, the ever-popular botnet building tool (last seen on this blog in a 123 Greetings card scam). Here are some of the digital traits the file possesses, courtesy of our GFI SandBox:
As you can see, it checks for debuggers – can’t have people poking around in a malicious file now, can we? It also creates hidden files and starts executables in folders they shouldn’t be in, and before you know it there are shenanigans afoot in the form of an Umbra Loader bot panel:
We reported the “Twitter Video” app page to Facebook and they took it down very quickly. As far as the fake Flash Player file goes, we detect it as Trojan.Win32.Generic!BT; you should only ever download Flash Player from official sources, which in practice means Adobe’s own site. Dubious Twitter DMs aren’t going to go away anytime soon, and end-users should be cautious when sent messages regarding newly acquired fame – winding up in an Umbra botnet is a form of celebrity one can do without.
Christopher Boyd (Thanks to Bo for additional information)