Blocking a Long-running Facebook Attack

January 30, 2013 - By Chris Larsen

Part One:

Today I took a look at what sorts of malicious activity we have been seeing lately coming from the Facebook ecosystem. Following a likely-looking link we had blocked as Malware, I was able to reach the following page:

screenshot of fake youtube page

This is a throwaway site, new today, and was auto-flagged as malicious by our Malnet Tracker. Note that the "Submit" button looks a little strange, as if there were some text sharing the same space. (A good indicator of sloppy "click-jacking" work.) Note also that as I hovered the mouse pointer over it, the URL at the bottom showed a link to Facebook's comment system, so it looks like it will be generating some comment-spam in an attempt to spread further -- based on what you type in the box. (It doesn't actually check to see if you typed the specific code it told you to.)

Not wanting to let its script interface with an actual Facebook login, I looked for a way to reach the payload via a different direction, and found it. Here's what it looks like:

screenshot of fake flash update prompt


Ah, yes -- the good old "video player update" scam... The Bad Guys never get tired of this one. (And I like the fact that they highlight a claim that this update includes "security enhancements"! That's a nice touch...)

Anyway, clicking the "Install" button results in an attempt to download and install a Firefox plugin (youtubeplayer.xpi), which 5 out of 46 AV engines in VirusTotal think are malicious. (Most telling is the ESET detection, which labels it as a "TrojanClicker.Agent".)


In one sense, this would be classified as a "negative 12 day block", since today's throwaway host site is on a server that the Malnet Tracker picked up back on January 18th. However, some of the other sites used in the attack have been known to be malicious for even longer, as I found notes in our database from last October, when those sites were flagged for participating in, you guessed it, a "Fake Codec" attack via Facebook.

It seems this group of Bad Guys is finding enough success (outside of our customers, anyway) that they haven't seen a need to change much of their infrastructure...


Part Two:

Later in the afternoon, I had time to drill into another attack. This one uses not one, but two "URL shortener" sites to disguise the ultimate destination, which is a page on a hacked site that looks like this:

screenshot of LOL malware page

Note that the Bad Guys took a lot of trouble to make this page look like a real Facebook sub-site (except for the name of the hacked domain, that is). Also, I found other examples of the main "come on" line, such as "Save the file and run! It is funny :)" as I poked around a bit more. (But this one is my favorite.)


This attack began on Saturday (1/26), and the WebPulse logs showed 107 attempts by our users to download the EXE payload from one server, and 294 attempts from another server, all of which were dynamically blocked in real time as Suspicious by our "Shady-EXE" module.

(This payload is better detected than the sample in Part One, with 11 out of 46 engines at VirusTotal flagging it. It's worth noting, however, that most of these detections are "generic" or based on the packing used, indicating that the Bad Guys did a good job of disguising the actual guts of the malware.)


Attacks like these are why Facebook is always showing up in the list of "popular sites leading to malware" that we've mentioned in the past...