Facebook worm

A new worm has popped up on Facebook, using apparently stolen user credentials to log in to victims’ accounts and then send out malicious links to their friends. The worm also downloads and installs a variety of malware on users’ machines, including a variant of the Zeus bot.

The worm is making the rounds now, and detection of the malicious file that’s being used to drop the malware on victims’ machines is quite low. Researchers at CSIS in Denmark analyzed the worm’s behavior and found that it appears to be using stolen Facebook credentials to log in to user accounts. It then sends out messages to the victim’s Facebook friends with a link that’s supposedly to a photo file.

However, the file that’s linked to is a screensaver that has a JPG extension. If a user opens the file, it will then install a series of malicious programs. CSIS says that the worm’s code was written in Visual Basic and uses a handful of techniques to make analysis in virtual machine environments difficult. After the user executes the malicious file, the infection routine kicks off.

“Whereupon the following file is attempted copied to the system: c: users [% user profile%] m-1-52-5782-8752-5245winsvc.exe,” a translation of the CSIS analysis says. “The worm carries a cocktail of malware onto your machine, including a Zbot / ZeuS variant which is a serious threat and stealing sensitive information from the infected machine.”
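The lure above works because the victim judges the file by its name (a “photo”) while Windows judges it by its last extension and its bytes. The following is an added example, not code from the article or from CSIS: a defender-side check that sniffs the real file type from its header and flags the two tricks the page describes, an executable carrying an image name (the screensaver with a JPG extension) and the double-extension name a commenter below walks through. The sample files are constructed; the “PE” is only a header stub.

```python
import struct

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "pdf"}       # what the lure claims the file is
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}  # what Windows will actually run

def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes rather than by its name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # DOS header: e_lfanew at offset 0x3c points at the "PE\0\0" signature
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3c)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    return "unknown"

def assess(filename: str, data: bytes) -> dict:
    """Return the sniffed type, the reasons to distrust the file, and an allow/block verdict."""
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    kind = sniff_type(data)
    reasons = []
    # "photo.jpg.scr": image-looking name whose final, often hidden, extension executes
    if len(exts) >= 2 and last in EXEC_EXTS and exts[-2] in IMAGE_EXTS:
        reasons.append("double-extension")
    # a name ending in .jpg whose bytes are not a JPEG at all
    if last in ("jpg", "jpeg") and kind != "jpeg":
        reasons.append("content-mismatch")
    # a PE arriving as a "photo" is never expected, whatever the name says
    if kind == "pe":
        reasons.append("executable-content")
    return {"type": kind, "reasons": reasons, "verdict": "block" if reasons else "allow"}

def fake_pe() -> bytes:
    """Constructed minimal PE-looking header (MZ + e_lfanew + PE signature), not real malware."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3c, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 24

# Constructed samples standing in for the lure described in the article
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # genuine JPEG header
    "photo.jpg.scr": fake_pe(),                          # screensaver posing as a photo
    "report.18653.pdf.exe": fake_pe(),                   # the commenter's double-extension name
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, assess(name, blob))
```

The check is deliberately name-and-magic only; a mail or web gateway would pair it with the usual rule that nothing arriving as a “photo” should ever be executable.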

Zeus is a common tool in the arsenal of many attackers these days, and is used in a wide variety of attacks and campaigns now. It used to be somewhat less common, but the appearance of cracked versions of the Zeus code has made it somewhat easier for lower-level attackers to get their hands on the malware. Zeus has a range of capabilities, and specializes in stealing sensitive user data, such as banking credentials, from infected machines.

CSIS also said that the worm is spreading from some domains outside of Facebook, and that those compromised servers are being used to gather additional information about the infected machines and to stage the malware that’s subsequently downloaded onto victims’ machines.

Categories: Hacks, Social Engineering

Comments (33)

  1. nORDENHEIM
    1

YOU ASK ME, FB SHOULD JUST BE EITHER SUED OR SHUT DOWN. I HAVE REPORTS FROM KASPERSKY GOING BACK TO JULY 2008 WHEN IT STARTED TO GET INFECTED WITH THESE DIFFERENT VIRUSES AND WORMS AND THEY FAIL TO DO ANYTHING TO FIX IT. IT’S A SECURITY RISK 100%. WITH ALL FB’S MONEY YA THINK THEY WOULD FIX THE SECURITY? GUESS NOT

  2. Nordenheim
    4

the virus is disguised many ways. recently it shows up as a download file, also shows up as a pdf, or a jpg image document, but if you zip the file with winrar, open file, click view, it shows image.exe. same goes with the pdf documents. these guys have gotten smart. in the past 11 months my company has submitted over 2000 undetectable viruses to kaspersky so they are added to the virus list update…so the best solution to prevent this is 1 of 2 ways: 1 is using permission controls and block the windows install.exe through group policy, then nothing can download at all and install, but you use the administrator account for installing, and create a user account with blocked install.exe in windows. or enable kaspersky fileserver, internet security, or pure, firewall to block the activity. just go to support @ kaspersky and get the manual or give kaspersky a call, they have great customer support. hope this helps.. also we are a Certified Kaspersky Partner since 2005…

  3. Anonymous
    5

    @Linda, it says in the article. Read the article.

    Or, if you’re too lazy, “It then sends out messages to the victim’s Facebook friends with a link that’s supposedly to a photo file.”


  4. Anonymous
    6

    omg you cannot blame facebook a virus can attach on just about anything even your email. if you click on a link then it could happen. just make sure you have a good anti virus and be careful what you click on. maybe you dont like facebook because you cannot get many friends seriously

  5. Phred
    7

    I got a virus one time, when using the key board after my brother used it. He had the flu and he was picking his nose while typing.

  6. Nordenheim
    8

To The Noobs On here, koobface, conflicker, zeus and many others are the same worm, learn how to open the virus and read the code. Also these are SQL and Oracle Database viruses mainly & that is how even the bots are programmed, its a database trojan – worm. sorry to say facebook is crap because php for one is not secure and never will be. If php was secure why don’t banks use it and why doesn’t any big corporation use it or even stock exchanges? see my point people, its a crappy opensource script and useless. Even FB’s SSL is not even a real SSL, take a look, its just a token.

    first reported listing was:

    Tue 7/14/2009 5:11 PM

     KLAB Daily Digest, July 14, 2009 

    Koobface hits Twitter

    The Koobface worm, which previously had mainly affected MySpace and Facebook, is now infiltrating Twitter, Kaspersky Lab researchers said Tuesday. Infected accounts sent tweets containing a link to a URL that masqueraded as a video site, but actually contained malicious JavaScript. Mac or Linux users who clicked on the link were redirected not to the malware site but to adult sites. Twitter said over the weekend that it will shutter accounts known to be distributing the worm.

and whoever may take offence to this and disagree: until you’re a certified programmer and partner with kaspersky then you may talk.


  7. NordenNoob
    9

    Don’t pay attention to the post above me. Koobface, conficker and Zeus are not from the same codebase and do not share similar infection vectors.

  8. Nordenheim
    10

Actually they are, they do the same thing, just rewritten a little differently, and kaspersky all the time gives them a new name but yet its the same thing. 1 version downloads antivirus, another uses your system secretly to send out fake postal service receipts and emails along with others that may be images and @ (NordenNoob aka the threatpost troll), your bs doesn’t work with me since I personally have background in this area for over 30 yrs.

    Example: report.18653.pdf

    Zip the file click view file..

    you can see shows report.18653.pdf now click view file…

then it shows report.18653.pdf.exe, then click view this file and you see the code… this is an easy way to get the idea of how to search…


    now in here you have: the following: what the virus does damage to….


    JUST BECAUSE THEY ARE DIFFERENT VARIANTS AND MODIFICATIONS THEY ARE GIVEN NEW NAMES…

    SO TO THE TROLLSKI ON HERE.  BACK YOUR BS UP NEXT TIME…

also we have every virus cataloged we have submitted to kaspersky going back years. i can open these files, look at the code and see exactly what they do and affect. so once again for people of this service please read everything in detail and not just 1 person’s idea who cannot show anything… also the new versions of these viruses get on your system and send out fake urls and you don’t even know it if you trace through ip and isp origination. and they also are embedded on servers now with a direct link.

  9. NordenNoob
    11

I’d love to respond in detail, but I just can’t get past your lack of punctuation. I sincerely hope your “30 years” worth of experience cataloguing malcode is more structured than your linguistic skills.

I love how you try to lump together a worm that relies heavily on social engineering to propagate; a multi-function Trojan; and a network worm that uses SMB, Windows vulnerabilities and autoruns to spread. A != B.

    I can has cookie nao?

  10. Anonymous
    13

LMAF – where do they get their info – Zeus went ‘opensource’ a long time ago so I seriously doubt it is a ‘hacked’ version. The code for the Facebook vector is an oldie but goodie and I can appreciate the JPG. Sweet. My o my our anti-virus friends do like FUD.

  11. Anonymous
    14

What’s up with all the nubs slobbing all over Kaspersky? Dear Nord*, if Kaspersky was so fantastic, why did your company have to submit over 2000 viruses to them in the last 11 months that they could not detect if it weren’t for your own personal awesomeness??? Just sayin.

  12. Anonymous
    19

    I THINK WE SHULD SHUT DOWN THE WHOLE INTERNETZ. I GOT A VIRUS FROM IT ONCE. IF PEOPLE CAN’T STOP VIRUSES IN THE INTERNET I THINK WE SHOULD SUE THE INTERNET SINCE THEY MAKE SO MUCH $$$$$$$$$$$$$$

  13. John
    20

    You don’t have to use the internet. Simply call your internet provider and ask that they disconnect you. Using common sense and a decent antivirus such as Kaspersky should keep you virus free.

  14. John
    21

    If you read the article, it’s not Facebook’s problem. Some people use weak passwords, use the same password on every website they visit or save passwords in plain text on their computers. Common sense is what people need to think about!

  15. Anonymous
    22

I don’t think you understand how the internet works. A simple explanation is that the internet is made up of millions of different points, and that many companies own Domain Names. There are MANY points where servers are held to host internet material. No one person owns the internet, nor does one company. Viruses are spread by either infecting those servers that are under-protected, or offering direct options for unknowing people to infect themselves, generally luring you in with information that you may have been interested in.

  16. Anonymous
    26

    I had Kaspersky, and my laptop’s hard drive went down causing me to lose everything on it.

  17. Anonymous
    27

    IF YOU ASK ME, PEOPLE JUST NEED TO BE SMARTER ABOUT BROWSING SECURITY AND STOP BLAMING FACEBOOK FOR THEIR OBVIOUS SHORTCOMINGS BY GETTING TRICKED INTO CLICKED A FAKE MESSAGE. PEOPLE ARE ALWAYS GOING TO WRITE MALWARE, YOU SHOULDN’T ASK FACEBOOK WHAT THEY ARE GOING TO DO TO PROTECT YOU, YOU SHOULD ASK YOURSELF WHAT YOU ARE GOING TO DO TO PROTECT YOU ;)

  18. Anonymous
    28

I got it & it came thru with a link that said “i can’t believe you were with her…wow!”

  19. Anonymous
    29

    Basic security 101. If it doesn’t open in the browser, it probably isn’t an image.

    Never execute anything you didn’t expect to actually download and run.

    OS X may not be perfect, but it won’t run Windows malware, and won’t execute anything from the Internet without asking first (see rule 1)

  21. Anonymous
    33

    I love to pwn Macs.. Could they make that shit any easier? I agree, I wish everybody had a mac… it would be like Christmas everyday to every respectable hacker in the world. Mainstream media has the general public believing Apple’s platforms are impenetrable; eventually this will be the number one reason for company wide failure. Yay Apple
