NEWS FROM THE LAB - Wednesday, June 1, 2011

Facebook Attack Spreading both Windows AND Mac malware

Posted by Sean @ 09:17 GMT

There's a significant Facebook malware attack occurring at the moment.

The attack is spreading virally using Facebook's "Like" feature — a method well established by rogue Cost Per Action (CPA) marketing affiliates. But unlike CPA spam that redirects to deceptive ads, this "viral video" is linking to a Lithuanian server that serves up Windows and/or Mac malware.

This is the first time we've seen malware using "viral links". (Stuff such as Koobface uses phishing and compromised accounts.)

The bait uses the following subject lines:

"oh shit, one more really freaky video O_O" and...
"IMF boss Dominique Strauss-Kahn Exclusive Rape Video - Black lady under attack!"

The links used point to a subdomain on "newtubes.in".

An Openbook search shows numerous examples of folks that have been exposed.

Here's an example of Facebook's search results:

[Screenshot: Facebook search results for "oh shit, one more really freaky video O_O"]

When testing the link from Germany, Finland, France, India and Malaysia, we were safely redirected to youtube.com. Testing from the USA and UK offered up Mac scareware or Windows malware depending on our browser's User-Agent string.

The attack is GEO-IP as well as OS aware.
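The serving behaviour described above (benign redirect from some countries, an OS-specific payload from others) is what an analyst usually has to establish before a link can be classified. The following is an added example, not code from the original post or from F-Secure: it takes fetch observations an analyst has already collected (country of the vantage point, the User-Agent string sent, and the final host the fetch landed on) and decides whether the link is geo-aware, OS-aware, or both. The observation records, the `.example` payload host names and the benign-host set are constructed sample data; the OS markers are ordinary substrings found in browser User-Agent strings.

```python
"""Classify cloaking behaviour of a suspicious link from fetch observations.

Added example, not from the original F-Secure post. It assumes the analyst has
fetched the same URL from several countries with several browser User-Agent
strings and recorded the final host of each fetch. All sample data is constructed.
"""
from collections import defaultdict

# Substrings of a User-Agent string that identify the OS family (assumption:
# these are the markers common desktop browsers send).
OS_MARKERS = (("Windows NT", "windows"), ("Macintosh", "mac"), ("Linux", "linux"))

# Where the "safe" redirect landed in the observations described in the post.
BENIGN_HOSTS = {"youtube.com", "www.youtube.com"}


def os_family(user_agent: str) -> str:
    """Map a User-Agent string to a coarse OS family."""
    for marker, family in OS_MARKERS:
        if marker in user_agent:
            return family
    return "other"


def classify_cloaking(observations, benign_hosts=BENIGN_HOSTS):
    """observations: iterable of (country, user_agent, final_host).

    Returns a dict with:
      geo_aware:      same OS family, different countries -> different hosts
      os_aware:       same country, different OS families -> different hosts
      safe_countries: countries where every fetch landed on a benign host
      payload_hosts:  (country, os_family) -> sorted non-benign hosts seen
    """
    # Group the hosts seen for each (country, os_family) pair.
    by_country_os = defaultdict(set)
    for country, user_agent, host in observations:
        by_country_os[(country, os_family(user_agent))].add(host.lower())

    # Pivot twice: per OS family across countries, and per country across OS families.
    by_os = defaultdict(dict)
    by_country = defaultdict(dict)
    for (country, family), hosts in by_country_os.items():
        by_os[family][country] = frozenset(hosts)
        by_country[country][family] = frozenset(hosts)

    geo_aware = any(len(set(per_country.values())) > 1 for per_country in by_os.values())
    os_aware = any(len(set(per_family.values())) > 1 for per_family in by_country.values())

    safe_countries = sorted(
        country for country, per_family in by_country.items()
        if all(hosts <= benign_hosts for hosts in per_family.values())
    )
    payload_hosts = {
        key: sorted(hosts - benign_hosts)
        for key, hosts in by_country_os.items()
        if hosts - benign_hosts
    }
    return {
        "geo_aware": geo_aware,
        "os_aware": os_aware,
        "safe_countries": safe_countries,
        "payload_hosts": payload_hosts,
    }


# Constructed sample observations mirroring the pattern in the post: European
# and Asian vantage points get youtube.com, US/UK vantage points get an
# OS-specific payload host (placeholder .example names, not real hosts).
UA_WIN = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
UA_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 Safari/534.24"

SAMPLE_OBSERVATIONS = [
    ("DE", UA_WIN, "youtube.com"),
    ("DE", UA_MAC, "youtube.com"),
    ("FI", UA_WIN, "www.youtube.com"),
    ("FI", UA_MAC, "youtube.com"),
    ("US", UA_WIN, "windows-payload.example"),
    ("US", UA_MAC, "mac-scareware.example"),
    ("GB", UA_WIN, "windows-payload.example"),
    ("GB", UA_MAC, "mac-scareware.example"),
]

if __name__ == "__main__":
    for key, value in classify_cloaking(SAMPLE_OBSERVATIONS).items():
        print(f"{key}: {value}")
```

In practice the observations come from fetching the link with a throwaway client from each vantage point and recording only the final hostname; the classifier itself never touches the network, so it can be re-run on stored results when a campaign rotates domains, as this one did later the same day.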

And though this attack started more than 16 hours ago, Facebook does not yet block links to newtubes.in, even though the subject text and the root domain have remained unchanged during that time. This could be due to the fact that the attack is utilizing Facebook "Likes" rather than posting links to users' Walls, which can be more easily filtered by Facebook's security team.

Or perhaps they're still catching up on their post-Memorial Day holiday e-mail…

Updated to add:

At 17:00 GMT the attack changed subject line to:

one more stolen home porn video ;) Rihanna and Hayden Panettiere and…
Rihanna And Hayden Panettiere !!! Private Lesbian HOT Sex Tape stolen from home archive of Rihanna! Hot Lesbian Video - Rihanna And Hayden Panettiere !!

At 19:12 GMT the domain used switched from newtubes.in to shockings.in.

Correction to above: The malware is using the Facebook "Likes" thumbs-up icon, but appears to be spreading via another method. Additional analysis suggests that the malware itself may be injecting a post into the victim's Facebook session.

Try as we might, our test account was not compromised by the attack server's webpage. We are now speculating that the Windows malware is a Koobface-like worm with ZeuS-like webinject capabilities. Our analysis continues.