The Latest in IT Security

Fake mobile Facebook site blocks AntiVirus products


A link that was blacklisted today on got my attention:

Even the registrant’s address is deceptive, as it appears to match the “.uk” domain:

5 East Street
CO11 5YX
United Kingdom

In fact, browsing to that link redirects you to:

which is the official mobile URL for Facebook’s site.

So, is this link just another redirection for UK users? Well, let’s check out where this domain is hosted.

Its IP address is:; location: Russia. Hmm, interesting, wouldn’t you say? ;-)

And the hosting company is the well-known WEBALTA-AS OAO.

It turns out there is malware on this site: – VirusTotal (2/44 detections).

Upon running, it queries to determine what your IP address and country are. Then it goes on to download a long list of antivirus URLs (1310 entries) that also includes download sites for virus definitions and Windows updates. Finally, it downloads its main component again (possibly to get the latest build?).

The piece of malware puts itself under the Application Data folder by first creating a user-level rootkit and then hiding itself:

As mentioned above, part of the payload is to block access to a large list of security products, including Microsoft Security Essentials:

All is not lost! For some reason the free rootkit removal tool GMER is not being blocked. If you do a full scan, it will find that file hiding in the %appdata% folder, and you can right-click on the entry and choose “delete”.

When done, restart your computer and download the antivirus of your choice :-)

Jerome Segura
