NEWS FROM THE LAB - Wednesday, October 15, 2008

Surge in Facebook Malware

Posted by Response @ 02:59 GMT

We received reports from our colleagues in Hong Kong yesterday about more malware being distributed on Facebook.

[Image: Facebook message]

If you're a Facebook user, you may get a message such as this, supposedly from a "friend". Since the message was sent by a friend, the likelihood that you would click on the link is much higher. Upon clicking the link, you would be redirected to a hi5.com site that looks something like the one below.

[Image: hi5.com message]

Not surprisingly, the website will tell you that you need to update your Adobe Flash Player by downloading a file. Of course, no matter how many times you try, you don't get to see the video. You do get infected, though.

[Image: YouTube message]

When we investigated this yesterday, the links were down, so we could not obtain a sample for analysis at that point. Thanks to Lordian, however, who tried again after being woken up by his neighbors late last night, we succeeded in obtaining a sample, which is detected as Net-Worm.Win32.Koobface.bp. Depending on the user agent, Net-Worm.Win32.Koobface.bm might also be served up.

Incidentally, if you are using any platform other than Windows, you just get redirected to the real YouTube.

It looks as if Facebook is increasingly becoming a popular target for all sorts of attacks. You can read through the numerous topics on this issue at the Facebook Public Discussion Board. Do note that some of the discussion topics include live links though, so be careful what you click.

On a related note, we've noticed that there is a Facebook phish, live at http://www.faceiibook.com and registered in China.

Another team effort by the Response Team — Lordian, Jojo & Fei