Facebook Malware disguised as Flash update
The malware has infected more than 100k accounts. It spreads itself by posting links to a pornographic video, tagging about 20 friends. When a user clicks the link, the video begins to play but soon stops and asks the user to install a fake Flash player, which contains the trojan.
The MD5 of the executable file (fake flash player): cdcc132fad2e819e7ab94e5e564e8968
The SHA1 of the executable file (fake flash player): b836facdde6c866db5ad3f582c86a7f99db09784
The fake flash file drops the following executables as it runs:
chromium.exe, wget.exe, arsiv.exe, verclsid.exe.
A security researcher has posted a full disclosure report, and Mohammad Faghani had this to say:
We have been monitoring this malware for the last two days where it could
infect more than 110K users only in two days and it is still on the rise.
This malware keeps its profile low by only tagging fewer than 20 users in
each round of posts.
This trojan is different from the previous trojans in online social network
in some techniques. For instance, the previous trojans sent messages (on
behalf of the victim) to a number of the victim’s friends. Upon infection
of those friends, the malware could go one step further and infect the
friends of the initial victim’s friends.
In the new technique, which we call “Magnet”, the malware gets more
visibility to the potential victims as it tags the friends of the victim in
the malicious post. In this case, the tag may be seen by friends of the
victim’s friends as well, which leads to a larger number of potential
victims. This will speed up the malware propagation.
“We use a number of automated systems to identify potentially harmful links and stop them from spreading,” a Facebook spokesperson told Threatpost. “In this case, we’re aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites. We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook.”