Zhenya Ciurana - Official Author Blog

Virus attack from facebook

ciurana

5/20/09 02:09 am

OKi, so I wonder now how many people will be bitten by this attack.

I was switching applications on facebook from the Profile page to the SocialMe application. SocialMe (or one of the mini-profiles there) has been compromised with a virus / Trojan that pretends to be some Windows anti-virus scan to trick the user into inoculating the system with a fake remedy.

Devious, devious, devious.

Here is what happens:

• The browser's client area switches to what appears to be a Windows Explorer / Virus Scan control panel
• A fake scan "identifies" a number of Trojans and viruses
• The scanner offers to repair the problem by downloading the attack code under false pretenses
• Canceling the download will result in a dialog that won't let the browser quit
• People who don't know any better are likely to eventually OK to get rid of the annoyance and compromise their own system

The most devious part of this attack is the attention to detail that the creators put. If this code ran on a Windows XP system, with a retarded copy of Internet Explorer, users might believe this is a legitimate repair.

REBOOT YOUR COMPUTER IF YOU ARE A WINDOWS USER AND RUN INTO THIS WINDOW (SEE THE IMAGE).  YOU WON'T BE INFECTED IF YOU DON'T INSTALL THE PROGRAM THAT YOU'RE URGED TO DOWNLOAD.  RUN A LEGITIMATE ANTI-VIRUS AFTER YOUR SYSTEM IS BACK ON-LINE.

Please warn your friends on facebook and who use Windows instead of something sensible like OS X or Linux about this problem. If you're technically inclined, you may analyze the code for the HTML/JavaScript attack, and fetch the install_2018-7.exe Trojan.

Remember: friends don't let friends use Internet Explorer. Get Firefox and Safari now!  Think of the children.

Cheers!

Tags: facebook virus trojan attack ie

• Current Location: San Francisco
• Current Music: Mon Coeur Résiste Encore
• Current Mood: tired

• Leave a comment

• All your MBR is belong to me

  (Anonymous)

  5/20/09 02:29 pm (UTC)

  Totally. Once your system in compromised, it usually joins a botnet. There was a good paper recently on the internal workings of botnet (http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf). The problem is, it basically replaces the MBR and not many anti viruses seem to scan the MBR (Avast appears to).
  
  Friends let best friends only use Chrome on windows or move to Mac :-)
  
  -Dushyanth
  http://twitter.com/dushyanth

  • Reply
  • Thread

• Facebook virus

  (Anonymous)

  5/23/09 12:43 pm (UTC)

  The same thing happened to me when I went to the application Dope Wars just now. Fortunately I'm on a mac and it put the exe file in my downloads folder. I'm hoping that because it wasn't launched, I don't have to worry about it? I don't see this kind of thing very often!

  • Reply
  • Thread