NEWS FROM THE LAB - Wednesday, June 1, 2011

Facebook Finally Blocks Malware Attack Posted by Sean @ 22:06 GMT

With more than 24 hours having passed since it began, Facebook has finally blocked a malware attack that linked to Windows and Mac malware.

The attack site pushed MacGuard scareware at Mac users, and host modifying fake "Adobe Flash Players" at Windows users.
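A defender-side check for the Windows half of this attack: since the fake "Adobe Flash Player" modifies the hosts file, inspecting that file is the quickest way to confirm an infected machine. This is an added Python example, not an F-Secure tool, and the sample hosts content is constructed (the post gives no actual entries).

```python
import ipaddress

# Constructed sample resembling a tampered Windows hosts file (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below are what a host-modifying installer typically appends
203.0.113.45    www.example.com example.com
0.0.0.0         update.example-av.test
"""

# Names a clean hosts file is expected to map to loopback.
LOCAL_ALIASES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries


def suspicious_entries(text):
    """Flag hosts entries that remap anything other than the local aliases.

    Two patterns matter: a public name pointed at a routable address
    (hijacked to a server the attacker controls) and a public name pointed
    at loopback or 0.0.0.0 (sinkholed so the machine can no longer reach
    it, e.g. a vendor update site). Each is returned with its reason.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_ALIASES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparsable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            flagged.append((ip, name, "sinkholed"))
        else:
            flagged.append((ip, name, "redirected"))
    return flagged


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{reason:>10}: {name} -> {ip}")
```

On a live machine, read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `suspicious_entries`; any output is worth a closer look.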

Contrary to our earlier post, rather than using the "Like" feature, we now think the malware was spreading by posting directly to Facebook accounts. The posted link used the Like feature's icon rather than icons used by Links or Videos.

Here's what Facebook search revealed a couple of hours ago:

[Screenshot: Facebook search results, "Rihanna and Hayden Panettiere"]

And this is an example from a user's Wall:

The "LOL, just found new tube site" link didn't reference a .php page as the others did.

Here you can see the same site, newtubes.in, was used on Sunday:

[Screenshot: Facebook post, "Boobs Too Big"]

The subject was "Boobs Too Big For Seatbelt".

The bad guys attempted, and failed, to launch their attack during the Memorial Day holiday weekend, with big boobs.

As mentioned earlier today, the attack site was Geo-IP and OS aware, and focused only on USA/UK IP addresses. All others were safely redirected to youtube.com. It also employed anti-analysis evasion techniques, such as blocking IP addresses that visited too frequently. This was a highly professional attack using well-developed techniques.

We hope that it cannot be repeated soon.