AL-2009.0023 -- [Win] -- Fake Facebook friend requests lead to malware

Date: 02 April 2009

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2009.0023 -- AUSCERT ALERT
                                   [Win]
               Fake Facebook friend requests lead to malware
                               2 April 2009

===========================================================================

        AusCERT Alert Summary
        ---------------------

Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
Member content until: Thursday, April 30 2009

OVERVIEW:

       Fake emails posing as friend requests from Facebook are being widely 
       circulated. These emails are lures to fake websites containing malware. 


IMPACT:

       The emails all differ slightly but possess the same characteristics.
       
       A typical example of the email reads:

       =============================================================

       From: "Facebook presentment" <support60@facebook.com>
       Subject: Facebook announcement: Great looking girl having fun (Last rated by Bradford Collins)

       Messages from Your Friends on Facebook, April 01, 2009

       You have 1 friend requests - Personal Message:
       Watch the video titled "Drunk Charlize is dancing striptease on my Birthday Party, March 28, 2009! We're absolutely shocked!".
 
       Proceed to view full message:

       hxxp://facebook.shared.id-etsmrnhy5e.subject.876panel. com/home.htm?/identification/authentication=0616n9m12

       Added 16 minutes ago.  Message ID: FB-06nnzbrxizjrzvr
       2009 Facebook community, Message Center.

       ============================================================

       All the emails seen so far:

       * Have the From field set to a @facebook.com address
       * Contain "(Last rated by [name])" in the subject
       * Have the same central paragraph referencing "Drunk Charlize"

       Multiple domains are being used in this attack, most following
       a naming scheme of [1-5 digit number][word].com. Domains seen so 
       far:

       There are some that have not followed this scheme:

       adobeapplication. com
       secureddvideo. com
       startmirrorplayer. com
       videosshared. com

       This is not an exhaustive list of domains and more are expected
       to be found.

       The websites present on these domains mimic the Facebook website
       and present the user with a JavaScript alert claiming:

       "Please Download correct Flash Movie Player! Installation: 
        Double-click the downloaded installer. Follow the on-screen 
        instructions"

       The web page will then automatically redirect the user to download a
       file called Flash_Adobe11.exe.

       If executed, this will install an aggressive trojan designed to steal
       confidential information. At the time of writing, this trojan had a very
       low level of detection among anti-virus vendors.

       AusCERT has supplied copies of this malware to multiple anti-virus
       vendors.

       So far analysis indicates this malware may be a new variant of the
       Gozi trojan family. [1]

       As part of the initial infection the trojan will attempt to contact
       a web server at 91.207.61.43 to retrieve further malware.


MITIGATION:

      Possibilities for mitigation include:

      * Using filtering at mail gateways to block on key phrases such as
        "Drunk Charlize is dancing striptease"

      * Using web filtering to block domains associated with this attack
 
      * Blocking or temporarily monitoring connections to 91.207.61.43, as
        such connections may indicate the presence of infected machines.
        AusCERT provides an XML feed of malware sites to members which may
        help with achieving this. [2]
 
      * Informing and educating end users about this form of attack.

      * Ensuring anti-virus signatures are kept up to date. While
        detection rates are currently low, new signatures that detect
        this trojan should be available soon.
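       As an added illustration of the mail-filtering and connection-monitoring
       suggestions above (example code, not part of the AusCERT alert), the
       Python below checks one message against the indicators the alert lists
       (From address, subject marker, lure phrase, and the [1-5 digit number][word].com
       domain scheme) and scans proxy log lines for clients that contacted
       91.207.61.43. The sample mail, the proxy log lines and their format are
       constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse
# Indicators quoted from the alert; most lure domains follow [1-5 digit number][word].com
LURE_PHRASE = "drunk charlize is dancing striptease"
SUBJECT_MARKER = "(last rated by"
DOMAIN_SCHEME = re.compile(r"^\d{1,5}[a-z]+\.com$")
OTHER_LURE_DOMAINS = {"adobeapplication.com", "secureddvideo.com", "startmirrorplayer.com", "videosshared.com"}
DOWNLOAD_HOST = "91.207.61.43"
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>\"']+", re.I)  # live or defanged (hxxp) URLs

def classify_mail(raw: str) -> list[str]:
    """Return the alert indicators matched by one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    sender = (msg.get("From") or "").lower()  # From: is spoofed, but still a cheap signal
    subject = (msg.get("Subject") or "").lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = []
    if "@facebook.com" in sender:
        hits.append("from-facebook-address")
    if SUBJECT_MARKER in subject:
        hits.append("last-rated-by-subject")
    if LURE_PHRASE in body.lower():
        hits.append("drunk-charlize-phrase")
    for url in URL_RE.findall(body):
        host = urlparse(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or ""
        domain = ".".join(host.split(".")[-2:])  # ...subject.876panel.com -> 876panel.com
        if DOMAIN_SCHEME.match(domain) or domain in OTHER_LURE_DOMAINS:
            hits.append("lure-domain:" + domain)
    return hits

def flag_proxy_clients(lines: list[str]) -> list[str]:
    """Client IPs seen contacting the download host (probable infections).
    Assumes a constructed log format: '<timestamp> <client-ip> <dst-ip:port> <method> <path>'."""
    fields = [line.split() for line in lines]
    return sorted({f[1] for f in fields if len(f) >= 3 and f[2].split(":")[0] == DOWNLOAD_HOST})

# Constructed sample mail modelled on the alert's example, and constructed proxy log lines.
SAMPLE_MAIL = """\
From: "Facebook presentment" <support60@facebook.com>
Subject: Great looking girl having fun (Last rated by Bradford Collins)

Watch the video titled "Drunk Charlize is dancing striptease on my Birthday Party!".
hxxp://facebook.shared.id-etsmrnhy5e.subject.876panel.com/home.htm?/identification/authentication=0616n9m12
"""
SAMPLE_PROXY_LOG = [
    "2009-04-02T09:12:03 10.0.0.5 91.207.61.43:80 GET /",
    "2009-04-02T09:12:09 10.0.0.7 203.0.113.10:80 GET /",
    "2009-04-02T09:13:41 10.0.0.5 91.207.61.43:80 GET /",
]
```

       A message matching several indicators at once is a far stronger signal
       than any single one, since the spoofed From address alone also matches
       legitimate Facebook notifications.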


REFERENCES:

       [1] Gozi Trojan - Research - SecureWorks
           http://www.secureworks.com/research/threats/gozi/?threat=gozi

       [2] AusCERT XML Feed
           https://www.auscert.org.au/render.html?it=9123

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================