UPDATE: This story has been updated to include commentary from Facebook.

A Trojan is making its way around the world’s most populous social network, infecting some 110,000 Facebook users in just two days.

The malware spreads itself by posting links to a pornographic video from the account of previously infected users. The postings generally tag no more than 20 friends of the infected. If and when a user opens the link contained in the post, the video begins to play but then stops and asks the viewer to install a fake Flash player containing a Trojan downloader with the actual malware.

An initial investigation posted on the Full Disclosure mailing list by security researcher Mohammad Faghani revealed that the malware can manipulate keystrokes and mouse movement. One indicator of compromise is the presence of Chrome.exe in the Windows processes.

Unlike prior Facebook Trojans that often propagate via private messages between friends, this one uses a technique that Faghani is calling “Magnet.” By creating malicious posts and tagging multiple users, the content is then visible to not only those that are tagged but also by there friends as well. This, Faghani says, allows the malware to spread more rapidly.

Faghani says that he is still in the process of analyzing the threat and that he will post more details on Full Disclosure at a later time.

The MD5 hash of the fake Flash Player is “cdcc132fad2e819e7ab94e5e564e8968.” The SHA1 hash is “b836facdde6c866db5ad3f582c86a7f99db09784.” Faghani notes that the malicious file drops the chromium.exe, wget.exe, arsiv.exe and verclsid.exe as it runs and connects to the www[dot]filmver[dot]com and www[dot]pornokan[dot]com.

Threatpost contacted Facebook, is aware of the issue and is working to blocking the linking perpetrating the scheme

“We use a number of automated systems to identify potentially harmful links and stop them from spreading,” a Facebook spokesperson told Threatpost. “In this case, we’re aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites. We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook.”

 

Categories: Malware

Comments (6)

  1. Black Cloud
    3

    I am going to make some brash assumptions, so correct me:
    – the initial human vector had his facebook logged in while contracting the malware elsewhere?
    – even if short lived, does this point to the bigger security problem that noSQL engine blobs risk getting malware uploaded by several means, creating “click-bombs” for friends of the initial vector?
    – the common practice of facebook socialites to stay logged in while surfing and shopping online is extremely dangerous
    – if not the above, then what, direct network penetration?

  2. John
    4

    Black Cloud – what the F are you talking about?

    You click the ad -> it asks you to install flash -> you click it -> it installs malware.

    That’s it. Don’t click on porn ads on FB.

    • Black Cloud
      5

      It didn’t say “ad”. It says some idiot uploaded or linked a video… that would be his post, not Facebook’s unverified ad campaign. I am looking at the basic security fail-point behind these massive noSQL social networks. I was wondering whether simply having facebook open while visiting a malicious site was enough for the malicious site to pick up on, say with a cookie in idiot’s browser; or if he actually manually linked the video himself. People are stupid with their social networks logged into while they shop, do online banking, surf for porn, etc. There is also the stupid behavior of downloading flash update from facebook, as in who is that cracked out that they would do that? I know nothing of magnet linking, and I did not see porn ad anywhere. Read again. Also, supposedly browsers also have in-line malware checking. So much for that.

      • FB tard
        6

        Black Cloud, you are really struggling with this aren’t you? Let me try to help you, as John did.

        Infected user posts video link in FB–> idiot clicks link–> fake porno website asks you to install flash–> idiot installs it–> fake flash installs malware on idiot’s computer–> idiot’s computer posts video link in FB–>

        Got it now?

Comments are closed.