Facebook Malware Poses as Flash Update, Infects 110K Users

UPDATE: A new piece of malware is making the rounds on Facebook, infecting users after luring them in with a link to a salacious video.

UPDATE: This story has been updated to include commentary from Facebook.

A Trojan is making its way around the world’s most populous social network, infecting some 110,000 Facebook users in just two days.

The malware spreads itself by posting links to a pornographic video from the account of previously infected users. The postings generally tag no more than 20 friends of the infected. If and when a user opens the link contained in the post, the video begins to play but then stops and asks the viewer to install a fake Flash player containing a Trojan downloader with the actual malware.

An initial investigation posted on the Full Disclosure mailing list by security researcher Mohammad Faghani revealed that the malware can manipulate keystrokes and mouse movement. One indicator of compromise is the presence of Chrome.exe in the Windows processes.

Unlike prior Facebook Trojans that often propagate via private messages between friends, this one uses a technique that Faghani is calling “Magnet.” By creating malicious posts and tagging multiple users, the content is then visible to not only those that are tagged but also by there friends as well. This, Faghani says, allows the malware to spread more rapidly.

Faghani says that he is still in the process of analyzing the threat and that he will post more details on Full Disclosure at a later time.

The MD5 hash of the fake Flash Player is “cdcc132fad2e819e7ab94e5e564e8968.” The SHA1 hash is “b836facdde6c866db5ad3f582c86a7f99db09784.” Faghani notes that the malicious file drops the chromium.exe, wget.exe, arsiv.exe and verclsid.exe as it runs and connects to the www[dot]filmver[dot]com and www[dot]pornokan[dot]com.

Threatpost contacted Facebook, is aware of the issue and is working to blocking the linking perpetrating the scheme

“We use a number of automated systems to identify potentially harmful links and stop them from spreading,” a Facebook spokesperson told Threatpost. “In this case, we’re aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites. We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook.”


Suggested articles