Wanna laugh? Facebook malware
It happened to me twice today. I had a Facebook chat like this with someone I know from real life:

hi
hi
Wanna laugh? :)
sure!

at which point I received a tinyurl address, leading to a malware delivery site.

My reaction was:

ops! that was a virus, good thing i dodged it
There are no viruses there

A bit later, another person I know from real life:

hi
hi

Pre-emptively, I tried to check whether there was a real person in front of me:

how are you?

It continued:

ok. wanna laugh? :)
no, thanks

But I again received a tinyurl-encoded address, to which I didn't reply further.
Seeing this primitive dialogue, I suspect there is malware with some chat bot embedded, or a low-wage worker in the 3rd world.
Anyway, the malware addresses will lead you to a fake personalized YouTube page like this, trying to make you run an .exe:
See the problems:
- the numeric URL is the first thing to give it away as malware; unfortunately some browsers, like Chrome, will hide the URL bar by default, leaving the user more vulnerable (Firefox is expected to blindly copy this feature too, making even more naive users vulnerable);
- the target has knowledge of my real name, making me more inclined to trust the source;
- the "video" is a link to an .exe file, something able to trick unsuspecting Windows users;
- the first couple of comments are from real Facebook contacts, making you even less suspicious;
- the status bar shows the download as being an .exe; Firefox removed the status bar altogether before FF4 and restored it after the users' outcry, which shows it was a wise decision.
What can I say? This is a pretty sophisticated attack, combining AI (bots), social engineering, competently crafted design and advanced use of Facebook APIs. Be careful!
PS: of course nothing bad happened to me, I spotted the URL instantly, noticed the .exe and don't run Windows anyway.
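The URL-level warning signs listed in the post (a shortened link, a numeric host, an .exe as the link target) can be checked mechanically. The Python check below is an added example, not part of the original post; the shortener list, the extension list and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Assumed lists, chosen for illustration; extend them for real use.
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co"}
EXECUTABLE_EXT = (".exe", ".scr", ".bat", ".msi")

# Browsers also accept integer and hex host forms such as 3232235777 or 0xc0a80101.
_NUMERIC = re.compile(r"(0x[0-9a-f]+|\d+)(\.(0x[0-9a-f]+|\d+)){0,3}")


def numeric_host(host):
    """Return True when the host is an IP literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)  # dotted IPv4 or IPv6
        return True
    except ValueError:
        return bool(_NUMERIC.fullmatch(host.lower()))


def url_warnings(url):
    """Return the warning signs from the post that apply to this URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # already lower-cased, IPv6 brackets removed
    # Decode %-escapes so an encoded ".exe" in the path is still seen.
    path = unquote(parts.path).lower().rstrip("/")
    found = []
    if host in SHORTENERS or host.removeprefix("www.") in SHORTENERS:
        found.append("shortener hides the real destination")
    if host and numeric_host(host):
        found.append("numeric host instead of a domain name")
    if path.endswith(EXECUTABLE_EXT):
        found.append("link target is a Windows executable")
    return found


if __name__ == "__main__":
    # Constructed sample URLs (192.0.2.0/24 is a documentation range).
    samples = [
        "http://tinyurl.com/example",
        "http://192.0.2.10/video/Flash-Player.exe",
        "https://www.youtube.com/watch?v=abc",
    ]
    for sample in samples:
        print(sample, "->", url_warnings(sample) or "no warning signs")
```

A shortened link only shows the first warning; the other two can be evaluated only after the redirect target is known.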

I downloaded the Flash-Player.exe and have begun to reverse it. Will let you know more details ASAP

cool!
i googled a bit about it: http://www.google.com/search?q=flash-player.exe+virus

"the numeric URL is the first thing to give it away as malware, unfortunately some browsers, like Chrome, will hide the URL bar by default, leaving the user more vulnerable (Firefox is expected to blindly copy this feature too, making even more naive users vulnerable)"
I am not sure where you got that from, but Chrome certainly does not hide the URL bar by default. There are mockups of UI experiments, but they are just that. Both Firefox and Chrome developers are quite aware of the phishing problems of hiding the URL bar, as well as the problems of relying on it for most people.
Perhaps you have confused this with hiding the http://, which has none of these problems.

i get tinyurl today, 5 minutes later pc restarts and again and again
i will reinstall win7
or maybe someone could help and say what to do now
help asap

i only clicked on tinyurl.com few minutes ago but nothing happened YET! is it ok if I closed the window? i don't wanna reinstall the whole windows

tinyurl is a URL shortening service, it can go to harmless addresses or to malware... most of the time it is used for good

As long as you did not download adobeflash.exe you're ok. Clicking the link by itself does nothing.

My approach to this was "I did nothing special so a video about me getting popular on the web must be fake." I also received two of these simultaneously from two friends with the same "wanna laugh" greeting. Needless to say this is as far as I got.
Does anyone know if the person the malware is impersonating is aware of the chat?

i am on Linux, i could even run the malware without consequences!
i am not that close to those persons to ask if they are aware (and since they are in a different country, don't have another communication channel). however, i know another person who was fooled and installed it

And to me the same thing happened!
Chances are that you receive it while you are online on Facebook, and the chat will begin with a simple "hi". Regardless of your answer, the second message is "wanna laugh?)))", and after your next answer you will receive a link. Once you press it, you will see a page that looks very much like YouTube, and the video will tell you to upgrade your Flash Player. CAUTION: DO NOT PRESS TO DO THE UPGRADE. NEITHER IS THE PAGE YOU SEE YOUTUBE, NOR IS THE FILE FLASH PLAYER.
If you look at the address of the page, you will see that instead of YouTube it has numbers. This page is on a Russian server, and the program aims to collect data from your computer. This file is not a virus, and your antivirus probably will not recognize it as a threat.

^I clicked on download and Chrome said:
"The file could harm your computer. Are you sure?"
*Download* *Cancel*
Me clicked cancel :) Love Chrome lol