NEWS FROM THE LAB - Friday, May 21, 2010

 
Warning on Facebook worm "FBHOLE"
Posted by Mikko @ 12:49 GMT

There's a new Facebook worm out there. However, it doesn't seem to do anything other than post a message to people's Facebook walls.

[Image: try not to laugh]

The message that the worm posts is
"try not to laugh xD http://www.fbhole. com/omg/allow.php?s=a&r=[random number]"

If you follow the link, you end up on a page that looks like this:

[Image: fbhole.com]

The page shows a fake error message. If you click anywhere on the page, you will trigger a script that will try to post the same message to your Facebook wall. This is done with an invisible iframe that follows your mouse around — causing you to click on an invisible "publish" button. Apart from the wall post, nothing else happens.

[Image: fbhole.com]
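
The invisible-iframe trick described above only works when the targeted page lets another site load it in a frame. As an added example (not part of the original post, and not F-Secure's or Facebook's code), this JavaScript function checks whether a response's headers would let a given origin frame it; the function names and the origins used with it are assumptions.

```javascript
// Added example. Decides whether a page at embedderOrigin could load a
// response served from resourceOrigin in an iframe, judging by its headers.
// Only the direct embedder is modelled, not a chain of nested frames.
function canBeFramedBy(headers, resourceOrigin, embedderOrigin) {
  // Header names are case-insensitive; normalise them to lower case.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // CSP frame-ancestors takes precedence over X-Frame-Options when present.
  // Several policies may be comma-joined; every one must allow the embedder.
  const policies = (h["content-security-policy"] || "").split(",");
  let sawFrameAncestors = false;
  for (const policy of policies) {
    for (const directive of policy.split(";")) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== "frame-ancestors") continue;
      sawFrameAncestors = true;
      // An empty source list behaves like 'none'.
      if (!sources.some((s) => sourceMatches(s, resourceOrigin, embedderOrigin))) {
        return false;
      }
    }
  }
  if (sawFrameAncestors) return true;

  // Legacy header: only DENY and SAMEORIGIN are honoured by current browsers;
  // ALLOW-FROM and unknown values give no protection.
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return resourceOrigin === embedderOrigin;
  return true; // no effective anti-framing policy
}

// Simplified source matching: keywords, "*" and exact origins only.
// Host wildcards, bare schemes and ports are not modelled here.
function sourceMatches(source, resourceOrigin, embedderOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return resourceOrigin === embedderOrigin;
  return s === embedderOrigin.toLowerCase();
}
```

A `true` result for an unrelated origin means the page has no effective anti-framing policy and a state-changing button on it can be overlaid in the way the post describes.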

The worm is spreading like wildfire. To get some idea, try this public search via youropenbook.org.

We have blocked the domain fbhole.com so that F-Secure Internet Security users cannot access it. The domain was registered yesterday and it points to an IP address in the Czech Republic, shared by another Czech site called ironbrain.net.

Updated to add: Domain fbhole.com shared an IP address with ironbrain.net [82.208.32.99]. Ironbrain.net hosted a website with references to Facebook but no obvious illegal content. While fbhole.com was registered with privacy protection, ironbrain.net had contact information in the WHOIS database, complete with a Czech phone number.

So I called the number.

The call went roughly like this:

– Hello?
– Hi. This is Mikko Hypponen from F-Secure Labs.
– What is this about?
– I'm looking for a person related to ironbrain.net.
– ???
– We're investigating a Facebook worm on fbhole.com. That domain shares an IP address with ironbrain.net which is registered under your name.
– And you are?
– I'm from an antivirus company. Are you related to ironbrain.net?
– I'll have to check… maybe my company is…
– Please do.
– Bye…
[Click]

About 15 seconds later, both fbhole.com and ironbrain.net went offline. The attack is over.

Updated to add: Here's a short Flash screen-capture showing Facebook Search results for "try not to laugh" during the attack.