The lure of porn is spreading a Facebook worm
Posted by: Timothy Weaver on 03/18/2015 09:22 AM
It's an old trick, but it is still being used. Security researchers have warned that Facebook users are being lured into clicking on a video file promising to show “sex photos of teen girls.”
If the users click on the link, they are redirected to two ow.ly links – first to an Amazon Web Services page and then a malicious site, videomasars.healthcare, which apparently checks their computer.
Jérôme Segura, Malwarebytes senior security researcher, wrote in a blog post that this domain filters potential victims “by identifying which user-agent their browser is showing in possibly the most complete – but not necessarily efficient – way we have ever seen.”
Mobile users are harmlessly redirected to an affiliate page, but desktop users are hit with a file detected as Trojan.Agent.ED.
Segura continued:
“This binary is responsible for downloading additional resources (the worm component) from another resource (porschealacam.com). Here we find a malicious Chrome extension and additional binaries (scvhost.exe and son.exe). Additional code is retrieved by the piece of malware (perhaps in case the user does not have the Chrome browser) from a third site, hahahahaa.com, to spread the worm via Facebook.”
This malware creates a shortcut for Chrome which launches a malicious app in the browser straight to Facebook.
“In this ‘modified’ browser, attackers have full control to capture all user activity but also to restrict certain features,” said Segura.
“Clearly, the crooks behind this Facebook worm have gone to great lengths to anonymize themselves but also to go around browser protection by creating their own booby-trapped version.”
Once infected, the user's computer is turned into a bot and seeks to infect all of the user's Facebook contacts.
These days, security needs to not only protect the user from the malware floating around the web, but also from himself.
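For defenders, the two host artifacts described above (a dropped binary named scvhost.exe, one transposition away from the Windows system process svchost.exe, and a Chrome shortcut altered to launch attacker-supplied content) can be triaged with checks like the following. This is an added example, not code from the article or from Malwarebytes; the article does not say which Chrome switches the shortcut used, so the switch list, the system-name list and the sample records are assumptions constructed for illustration.

```python
import ntpath

# Assumed lists for illustration; extend them for your environment.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe")
# Chrome switches that load unpacked code or open a chromeless app window.
RISKY_SWITCHES = ("--load-extension", "--app", "--app-id", "--user-data-dir")


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(path):
    """Return the system binary name this file imitates, or None."""
    name = ntpath.basename(path).lower()
    for real in SYSTEM_NAMES:
        if name != real and osa_distance(name, real) == 1:
            return real
    return None


def risky_chrome_switches(target, arguments):
    """Return risky switches on a shortcut whose target is chrome.exe."""
    if ntpath.basename(target).lower() != "chrome.exe":
        return []
    switches = (tok.split("=", 1)[0].lower() for tok in arguments.split())
    return [s for s in switches if s in RISKY_SWITCHES]


if __name__ == "__main__":
    # Constructed sample records, not taken from an infected host.
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    args = r"--load-extension=C:\Users\a\AppData\ext https://www.facebook.com/"
    print(lookalike_of(r"C:\Users\a\AppData\Roaming\scvhost.exe"))
    print(risky_chrome_switches(chrome, args))
```

Feed it file paths from a process or autorun listing and the target and argument fields read from desktop, Start menu and taskbar .lnk files; a genuine svchost.exe running from outside System32 is a separate check this sketch does not cover.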
Source: InfoSecurity
