Showing posts with label Facebook spam. Show all posts

Friday, 11 October 2013

Funny Facebook files deliver malware


I've recently been notified of an interesting malware campaign. I'll start with some screenshots:


Save the file and run! It is funny :)

DivX plug-in Required!

Download and execute the facebook app, please!

Some examples of files that can be downloaded:
IamFunnyPNG-facebook.com
IamFunnyPNG-fb.com
IamNakedBMP-facebook.com
IamNiceTIFF-fb.com
IamSexyPIC-fb.com
IamSexyPNG-fb.com
MeBitchTIFF-fb.com
MeFunnyJPG-facebook.com
MeNakedJPEG-fb.com
MeNakedPIC-facebook.com
MeNiceGIF-fb.com
MeNicePNG-fb.com
MeSexyJPEG-facebook.com
MeSexyPNG-fb.com
YouNakedJPG-fb.com
YouNiceBMP-facebook.com
YouSexyJPEG-fb.com
YouSexyPIC-facebook.com
YouWhoreJPEG-facebook.com


I think you get the point here. Users are being socially engineered into downloading a file that seems to originate from Facebook. The file is supposed to be an image (PNG, TIFF, BMP, JPEG and even "PIC") but is in fact an executable. The initial landing page name also ends in a female first name, for example "laura.html" or "birgitta.html".
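
The trick in these names is that Windows treats ".com" as an executable extension, so "-facebook.com" or "-fb.com" is not a domain hint after an image name but the file's real type. As an added example (not from the original post), the Python below classifies a download name by what it advertises versus what Windows would run, and matches the exact naming scheme from the list above; the sample names are constructed from that list plus two benign ones.

```python
import re

# Windows runs ".com" files as programs, so "-facebook.com" / "-fb.com" is not a
# domain hint at the end of an image name: it is the real, executable extension.
EXEC_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
IMAGE_TOKENS = ("JPEG", "JPG", "PNG", "GIF", "BMP", "TIFF", "PIC")

# Naming scheme from the list above: <Iam|Me|You><adjective><image type>-<facebook|fb>.com
CAMPAIGN_RE = re.compile(
    r"^(Iam|Me|You)[A-Za-z]+?(" + "|".join(IMAGE_TOKENS) + r")-(facebook|fb)\.com$")


def classify(filename: str) -> dict:
    """Compare what a file name advertises with what Windows would actually run."""
    name = re.split(r"[\\/]", filename)[-1]          # strip any path component
    m = re.search(r"(\.[A-Za-z0-9]+)$", name)
    real_ext = m.group(1).lower() if m else ""
    advertised = next((t for t in IMAGE_TOKENS if t in name.upper()), None)
    executable = real_ext in EXEC_EXTENSIONS
    return {
        "real_extension": real_ext,
        "advertised_image": advertised,      # image format the name suggests, if any
        "is_executable": executable,
        "matches_campaign": bool(CAMPAIGN_RE.match(name)),
        # an image-looking name on an executable extension is the lure, campaign or not
        "suspicious": executable and advertised is not None,
    }


def triage(filenames) -> list:
    """Return the names a defender should pull from the download cache for analysis."""
    return [f for f in filenames if classify(f)["suspicious"]]


# Constructed sample: two names from the campaign list plus two benign ones.
SAMPLE = ["IamFunnyPNG-facebook.com", "MeNakedJPEG-fb.com", "holiday.png", "setup.exe"]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f, classify(f))
    print("pull for analysis:", triage(SAMPLE))
```

The token match is deliberately loose (a name like "picture.exe" also trips it), so tune IMAGE_TOKENS to what you actually see in your environment.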


Let's take a look at one of the downloaded files:
IamWhoreJPG-facebook.com
MD5: 1273f3ea6ae76340270bab57b073b0b5
Anubis Result
Malwr Result
VirusTotal Result


Unfortunately I was unable to execute the malware, as I currently don't have a physical machine to test it. According to VirusTotal results, it may be a Trojan called Yakes or Tobfy:
Trojan:Win32/Tobfy is a family of ransomware trojans that targets people from certain countries. It locks your PC and displays a localized webpage that covers your desktop. This webpage demands the payment of a fine for the supposed possession of illicit material.

Some variants might also take webcam screenshots, play an audio message pretending to be from the FBI, close or stop processes or programs, and prevent certain drivers from loading in safe mode - possibly to stop you from attempting to disable the trojan.
See: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FTobfy

According to Ydklijnsma, this specific campaign drops bitcoin miner malware. See:
There's a good blogpost by Brian Krebs on the subject of bitcoin mining malware:
http://krebsonsecurity.com/2013/07/botcoin-bitcoin-mining-by-botnet/



Most of the malware seems to be hosted via the domain registrar "Hong Kong Sun Network":
Hong Kong Sun Network - hosting multiple malicious websites

Some IPs that are involved, next to them their abuse contacts:

I'm betting it's safe to assume the worst and block these IPs (more investigation is needed though):
91.218.38.0/24
103.9.150.0/24
109.73.166.0/24
112.213.106.0/24
121.127.226.0/24
188.190.120.0/24

Most of the sites use the pattern described here:
If you're interested in some of the websites that are serving this malware, visit the following Pastebin:
http://pastebin.com/raw.php?i=8BqGPvhX
Note that links may still be live! 




Conclusion


  • Don't be fooled by websites that seem to resemble Facebook, always check the URL you are currently on before downloading or executing files
  • Install an antivirus and antimalware product and keep it up-to-date & running
  • Use a link scanner such as http://www.urlvoid.com or https://www.virustotal.com/ to check a link before you follow it
  • Use NoScript in Firefox or NotScripts in Chrome to block malicious attempts on unknown sites
  • Running "funny Facebook files" will usually provide you with everything but fun


Monday, 24 June 2013

Gina Lisa Facebook scam



Yet another Facebook scam, this time luring users with a sex tape from Gina Lisa, who is apparently a German model:


Yet another Facebook scam: "Gina Lisa Sextape"

When you click on the link you get:
Verify your age first

When you click on the video to "verify your age" you are redirected to what appears to be a site for gambling, poker games, etc.:

Subscribe and get a free bonus. Looks legit

I suspect you'll probably have to pay up sooner or later to continue playing. Stargames.com is apparently known for spamming blogs & other sites.

hXXp://hot-movie.pw - URLvoid Report
hXXp://stargames.com - URLvoid Report



This scam and/or spam will also post on Facebook on your behalf. Go over your Privacy Settings on Facebook and make sure you delete this "app" if you see it. Remove any posts you have made as well and report similar posts made by your friend(s).



Prevention

Pretty straightforward: do not click on any of these links, however tempting they might be! Ask your friend if he or she knows what it means, and hover over the post until the 'X' becomes visible. You can then mark the post as spam, and it will be removed from your friend's wall.

It might also help to install the WOT extension in your browser (compatible with most modern browsers).
WOT is a community-based tool and is therefore very useful for these kinds of scams, since other users can warn you about a site's reputation.
More information and to download WOT: http://www.mywot.com/



Conclusion
To keep it short and simple:
don't fall for these types of spam/scam; most of the time it's pretty obvious they're fake.

Wednesday, 20 February 2013

Facebook in a different color? Nah, just a survey scam


I got messaged about an obvious scam on Facebook:


New Facebook colors!

Strangely enough, that person's Facebook color was still in blue. Is it possible this is just a scam? ;-)


Going to the application:

The application "Pick a col0r" requests your permissions


Next screen:
I choose the blue color. Oh, right...


You've won!



As with most applications like these, you first have to fill in a survey to get your Facebook in a different color. Obviously, you still won't be able to, even after you have filled in all your information for a chance to win product X or Y.


The application will make the same post on your wall as in the first picture. To remove it:

Go to your privacy settings, applications and remove "Pick a C0lor".



Confirm the removal and check the box.




Conclusion

You cannot change the color of Facebook at this point, there is no dislike button, and so on.

All of these 'applications' point to survey scams where you fill in all your information and your inbox will be flooded with spammail. And no, you haven't won anything.




Wednesday, 30 January 2013

Facebook spam leads to Exploit Kit


Unsurprisingly, the Blackhole Exploit Kit is still trying to infect users. One commonly used technique is to send the victim an email that appears to come from, for example, Facebook, LinkedIn or Twitter, asking them to click on a link.

We'll take a small peek at those tactics. We received the following email:

You have received a new comment

Hi ,
You have disabled your Facebook account. You can restore your account at any moment by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site in usual way.
Thanks,
The Facebook Team


Obviously, Facebook didn't disable your account at all. There are some factors that make it easy to determine this email is fake:

  • The 'From' field says it's from "Facebook", however, the sender is clearly 'nondrinker@iztzg.hr'.
  • Have you disabled your account? If not, then there's no reason to receive this mail.
  • The subject and the content of the email do not match.
  • Hovering over the links in the email reveals the real URLs, which are not Facebook URLs.
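
The first and fourth of these indicators can be checked mechanically, before anyone hovers over anything. As an added example (not from the original post), the Python below parses a constructed copy of the mail, compares the From display name with the sender's domain, and lists every link whose host is not on an assumed list of legitimate Facebook domains; the sender address is the one quoted above, the link target is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a genuine Facebook mail would come from or link to (assumption; extend as needed).
LEGIT_DOMAINS = {"facebook.com"}

# Constructed sample modelled on the mail quoted above: the sender address is
# the one named in the post, the link target is a made-up placeholder.
RAW_EMAIL = """\
From: Facebook <nondrinker@iztzg.hr>
Subject: You have received a new comment
Content-Type: text/html

<p>Hi ,</p>
<p>You have disabled your Facebook account. You can restore it at any moment by
<a href="http://example-lure.invalid/login.php">logging into Facebook</a>.</p>
<p>Thanks,<br>The Facebook Team</p>
"""

def registered_domain(host) -> str:
    """Crude 'last two labels' reduction: www.facebook.com -> facebook.com."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_sender(msg) -> dict:
    """Indicator 1: display name claims the brand, address is on another domain."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    brand_in_name = "facebook" in display.lower()
    domain_ok = registered_domain(domain) in LEGIT_DOMAINS
    return {"display": display, "address": addr, "flag": brand_in_name and not domain_ok}

def off_brand_links(msg) -> list:
    """Indicator 4, without hovering: every href whose host is not a legit domain."""
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    hrefs = re.findall(r'href=["\']([^"\']+)["\']', body)
    return [u for u in hrefs
            if registered_domain(urlparse(u).hostname) not in LEGIT_DOMAINS]

def analyse(raw: str) -> dict:
    msg = message_from_string(raw)
    sender, links = check_sender(msg), off_brand_links(msg)
    verdict = "suspicious" if sender["flag"] or links else "no indicators"
    return {"sender": sender, "bad_links": links, "verdict": verdict}

if __name__ == "__main__":
    print(analyse(RAW_EMAIL))
```

For real mail feed the raw message (headers included) into analyse(); multipart messages need the HTML part extracted first, which this single-part sample skips.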


When you click on any of the links, you are presented (after several redirects) with the Blackhole Exploit Kit (aka BH EK). It tries to load a Java exploit on the machine by first detecting which plugin and Java version you are using:

PluginDetect

The payload? Probably ransomware or a Banker Trojan.


You can find the full JavaScript and the infection source on Pastebin:
http://pastebin.com/9PgDTXsb



Prevention

Use the NoScript add-on in Firefox or NotScripts in Chrome to prevent this.
Use the WOT add-on to check on the status of a website.
Use your common sense and ask yourself the proper questions (see below).
Use a URL scanner if you're unsure about a URL. Some examples are VirusTotal, URLvoid and URLquery.




Conclusion

As usual with these kinds of emails, be alert and always ask yourself the proper questions:

Why did this get in my Unwanted Email or Spam folder if I normally get Facebook mails in my normal Inbox?
Why would Facebook send me this when my account isn't disabled at all?
Why are those links not pointing to Facebook websites?
Why is the sender not from Facebook itself? What can I see in the headers?

Use your common sense, update your third-party applications as well as Windows, and use a decent antimalware and antivirus product.