AL-2009.0023 -- [Win] -- Fake Facebook friend requests lead to malware
Date:
02 April 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                       A U S C E R T   A L E R T

                    AL-2009.0023 -- AUSCERT ALERT
           [Win] Fake Facebook friend requests lead to malware
                              2 April 2009
===========================================================================

        AusCERT Alert Summary
        ---------------------

Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated

Member content until: Thursday, April 30 2009

OVERVIEW:

        Fake emails posing as friend requests from Facebook are being widely
        circulated. These emails are lures to fake websites containing
        malware.

IMPACT:

        The emails all differ slightly but possess the same characteristics.
        A typical example of the email reads:

        =============================================================
        From: "Facebook presentment"
        Subject: Facebook announcement: Great looking girl having fun (Last rated by Bradford Collins)

        Messages from Your Friends on Facebook, April 01, 2009

        You have 1 friend requests - Personal Message:

        Watch the video titled "Drunk Charlize is dancing striptease on my
        Birthday Party, March 28, 2009! We're absolutely shocked!".

        Proceed to view full message:
        hxxp://facebook.shared.id-etsmrnhy5e.subject.876panel. com/home.htm?/identification/authentication=0616n9m12

        Added 16 minutes ago.
        Message ID: FB-06nnzbrxizjrzvr

        2009 Facebook community, Message Center.
        ============================================================

        All the emails seen so far:

        * Have the from field set to a @facebook.com address
        * Contain a "(Last rated by [name])" in the subject
        * Have the same central paragraph referencing "Drunk Charlize"

        Multiple domains are being used in this attack, most following a
        naming scheme of [1-5 digit number][word].com. Domains seen so far:

        154facebook. com
        2313download. com
        2349panel. com
        2433module. com
        3445module. com
        344session. com
        3499module. com
        3personalid. com
        42logged. com
        4326union. com
        4346player. com
        43553panel. com
        53445player. com
        5435core. com
        5436player. com
        5443download. com
        5464module. com
        637login. com
        644player. com
        6545download. com
        654panel. com
        70update. com
        736signin. com
        7636player. com
        8345server. com
        867player. com
        876panel. com
        9873module. com
        987panel. com

        There are some that have not followed this scheme:

        adobeapplication. com
        secureddvideo. com
        startmirrorplayer. com
        videosshared. com

        This is not an exhaustive list of domains and more are expected to
        be found.

        The websites present on these domains mimic the Facebook website
        and present the user with a JavaScript alert claiming:

        "Please Download correct Flash Movie Player!
         Installation: Double-click the downloaded installer.
         Follow the on-screen instructions"

        The web page will then automatically redirect the user to download
        a file called Flash_Adobe11.exe

        If executed this will install an aggressive trojan designed to
        steal confidential information. At time of writing this trojan had
        a very low level of detection among anti-virus vendors. AusCERT has
        supplied copies of this malware to multiple anti-virus vendors.

        So far analysis indicates this malware may be a new variant of the
        Gozi trojan family. [1]

        As part of the initial infection the trojan will attempt to contact
        a web server at 91.207.61.43 to retrieve further malware.

MITIGATION:

        Possibilities for mitigation include:

        * Using filtering at mail gateways to block on key phrases such as
          "Drunk Charlize is dancing striptease"
        * Using web filtering to block domains associated with this attack
        * Block or monitor connections to 91.207.61.43 temporarily, as this
          may indicate the presence of infected machines. AusCERT provides
          an XML feed of malware sites to members which may help with
          achieving this. [2]
        * Inform and educate end users on this form of attack.
        * Ensure anti-virus signatures are being kept up to date. While
          detection rates are currently low, new signatures that detect
          this trojan should be available soon.

REFERENCES:

        [1] Gozi Trojan - Research - SecureWorks
            http://www.secureworks.com/research/threats/gozi/?threat=gozi

        [2] AusCERT XML Feed
            https://www.auscert.org.au/render.html?it=9123

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFJ1CbJNVH5XJJInbgRAnHhAJ9Qj9dzr4js2KPndSoWYUtiTH452wCdFBXz
Nu7hNa5SzEbsgwjh9DqgYSY=
=ST6X
-----END PGP SIGNATURE-----
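The following is an added example, not AusCERT's code, showing how the indicators and mitigations above can be turned into checks a mail gateway or log review could run: it matches a raw message against the three email characteristics listed in IMPACT, flags link hostnames that follow the [1-5 digit number][word].com naming scheme (or are on the alert's list of off-scheme domains), and picks out firewall log lines that show a connection to the retrieval host 91.207.61.43. The sender address, the firewall log lines and their format are constructed for illustration; the phrase, subject marker, domains and IP are taken from the alert text.

```python
"""Indicator matcher for the AL-2009.0023 lure (added example, not AusCERT's
code). Sample email and log lines below are constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators taken from the alert text.
KEY_PHRASE = "Drunk Charlize is dancing striptease"
SUBJECT_MARKER = re.compile(r"\(Last rated by [^)]+\)")
SENDER_DOMAIN = "facebook.com"
# Naming scheme the alert describes for most of the attack domains.
SCHEME_RE = re.compile(r"^\d{1,5}[a-z]+\.com$", re.IGNORECASE)
# Domains the alert lists that do not follow the scheme.
EXTRA_DOMAINS = {"adobeapplication.com", "secureddvideo.com",
                 "startmirrorplayer.com", "videosshared.com"}
# Retrieval host named in the alert; boundaries avoid matching e.g. 191.207.61.43.
C2_HOST_RE = re.compile(r"(?<![\d.])91\.207\.61\.43(?![\d.])")
# Accept both live and defanged (hxxp) links in the body.
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s\"'<>]+", re.IGNORECASE)


def registered_domain(host):
    """Return the last two labels of a hostname, e.g. 'a.b.example.com' -> 'example.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_domain(host):
    """True if the hostname's registered domain fits the alert's naming scheme or list."""
    base = registered_domain(host)
    return bool(SCHEME_RE.match(base)) or base in EXTRA_DOMAINS


def classify_email(raw):
    """Return the alert indicators matched by a raw RFC 822 message, in a fixed order."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    addr = parseaddr(str(msg.get("From", "")))[1]
    if addr.lower().endswith("@" + SENDER_DOMAIN):
        hits.append("from-facebook.com")
    if SUBJECT_MARKER.search(str(msg.get("Subject", ""))):
        hits.append("last-rated-by-subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if KEY_PHRASE in text:
        hits.append("drunk-charlize-phrase")
    for url in URL_RE.findall(text):
        live = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
        host = urlparse(live).hostname or ""
        if suspicious_domain(host):
            hits.append("lure-domain:" + registered_domain(host))
    return hits


def connections_to_c2(log_lines):
    """Return log lines that record a connection to the retrieval host."""
    return [line for line in log_lines if C2_HOST_RE.search(line)]


# Constructed sample modelled on the example in the alert; the sender
# address is an assumption (the alert only says it is an @facebook.com address).
SAMPLE_EMAIL = """\
From: "Facebook presentment" <notify@facebook.com>
Subject: Facebook announcement: Great looking girl having fun (Last rated by Bradford Collins)
Content-Type: text/plain; charset=us-ascii

Messages from Your Friends on Facebook, April 01, 2009
You have 1 friend requests - Personal Message:
Watch the video titled "Drunk Charlize is dancing striptease on my Birthday
Party, March 28, 2009! We're absolutely shocked!".
Proceed to view full message:
hxxp://facebook.shared.id-etsmrnhy5e.subject.876panel.com/home.htm?/identification/authentication=0616n9m12
"""

BENIGN_EMAIL = """\
From: Alice <alice@example.org>
Subject: Lunch on Friday?
Content-Type: text/plain; charset=us-ascii

See http://www.example.org/menu for the menu.
"""

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOG = [
    "2009-04-02T09:15:01 fw allow src=10.0.0.12 dst=91.207.61.43 dport=80",
    "2009-04-02T09:15:03 fw allow src=10.0.0.13 dst=203.0.113.7 dport=443",
    "2009-04-02T09:16:10 fw allow src=10.0.0.12 dst=191.207.61.43 dport=80",
]

if __name__ == "__main__":
    print("lure indicators:", classify_email(SAMPLE_EMAIL))
    print("benign indicators:", classify_email(BENIGN_EMAIL))
    print("hosts that reached the retrieval server:", connections_to_c2(SAMPLE_LOG))
```

The domain check keys on the registered domain rather than the full hostname because the lure link puts a long facebook-looking prefix in front of the real domain (facebook.shared....876panel.com), so a filter that only inspects the leading labels is fooled. Treat the naming-scheme regex as a triage aid, not a block list: a legitimate five-digit-plus-word .com domain would match it, which is why the alert pairs it with the phrase and subject indicators.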