We received reports from our colleagues in Hong
Kong yesterday about more malware being
distributed on Facebook.
If you're a Facebook user, you may
get a message such as this, supposedly from a
"friend". Since the message was sent by a friend,
the likelihood that you would click on the link is
much higher. Upon clicking the link, you would be
redirected to a hi5.com site that looks something
like the one below.
Not surprisingly, the website will
tell you that you need to update your Adobe Flash
Player by downloading a file. Of course, no matter
how many times you try, you don't get to see the
video. You do get infected though.
When we investigated this yesterday,
the links were down and obtaining a sample for
analysis was not possible at that point in time.
Thanks to Lordian, however, who tried again after
being woken up by his neighbors late last night,
we succeeded in obtaining a sample, which
is detected as Net-Worm.Win32.Koobface.bp.
Depending on the user agent,
Net-Worm.Win32.Koobface.bm
might also be served up.
Incidentally,
if you are using any platform other than Windows,
you just get redirected to the real
YouTube.
It looks as if Facebook is
increasingly becoming a popular target for all
sorts of attacks. You can read through the
numerous topics on this issue at the
Facebook Public Discussion Board. Do note that some of the discussion topics
include live links though, so be careful what you
click.
On a related note, we've noticed
that there is a Facebook phish, live at
http://www.faceiibook.com
and registered in China.
Another team
effort by the Response Team — Lordian, Jojo
& Fei