I've recently got notified on an interesting malware campaign. I'll start with some screenshots:
 |
| Save the file and run! It is funny :) |
 |
| DivX plug-in Required! |
 |
| Download and execute the facebook app, please! |
Some examples of files that can be downloaded:
IamFunnyPNG-facebook.com
IamFunnyPNG-fb.com
IamNakedBMP-facebook.com
IamNiceTIFF-fb.com
IamSexyPIC-fb.com
IamSexyPNG-fb.com
MeBitchTIFF-fb.com
MeFunnyJPG-facebook.com
MeNakedJPEG-fb.com
MeNakedPIC-facebook.com
MeNiceGIF-fb.com;
MeNicePNG-fb.com
MeSexyJPEG-facebook.com
MeSexyPNG-fb.com
YouNakedJPG-fb.com
YouNiceBMP-facebook.com
YouSexyJPEG-fb.com
YouSexyPIC-facebook.com
YouWhoreJPEG-facebook.com
I think you get the point here. Users are being socially engineered to download a file that seems to originate from Facebook. The file is supposed to be an image file (PNG, TIFF, BMP, JPEG and even "PIC") but is in fact an executable. The initial landing page also ends in names of females, for example "laura.html" or "birgitta.html" .
Let's take a look at one of the downloaded files:
IamWhoreJPG-facebook.com
MD5: 1273f3ea6ae76340270bab57b073b0b5
Anubis Result
Malwr Result
VirusTotal Result
Unfortunately I was unable to execute the malware, as I currently don't have a physical machine to test it. According to VirusTotal results, it may be a Trojan called Yakes or Tobfy:
Trojan:Win32/Tobfy is a family of ransomware trojans that targets people from certain countries. It locks your PC and displays a localized webpage that covers your desktop. This webpage demands the payment of a fine for the supposed possession of illicit material.
Some variants might also take webcam screenshots, play an audio message pretending to be from the FBI, closes or stops processes or programs, and prevents certain drivers from loading in safe mode - possibly to stop you from attempting to disable the trojan. See: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FTobfy
According to Ydklijnsma, this specific campaign drops bitcoin miner malware. See:
Fake facebook image dropper filename follows this pattern: (Me|You|Iam)(Sexy|Nice|Bitch|Naked|Funny|Lol)(PNG|JPEG|BMP|PIC)-(fb|facebook).comThere's a good blogpost by Brian Krebs on the subject of bitcoin mining malware:
— Yonathan Klijnsma (@ydklijnsma) September 1, 2013
http://krebsonsecurity.com/2013/07/botcoin-bitcoin-mining-by-botnet/
Most of the malware seems to be hosted via the domain registrar "Hong Kong Sun Network":
 |
| Hong Kong Sun Network - hosting multiple malicious websites |
Some IPs that are involved - next to it their abuse contacts:
I'm betting it's safe to assume the worst and block these IPs (more investigation is needed though):
91.218.38.0/24
103.9.150.0/24
109.73.166.0/24
112.213.106.0/24
121.127.226.0/24
188.190.120.0/24
Most of the sites use the pattern described here:
Fake facebook image dropper is being download from domains following this pattern: [a-z]{6}.best.(lt|volyn).ua/dlimage[0-9]{1,2}.phpIf you're interested in some of the websites that are serving this malware, visit the following Pastebin:
— Yonathan Klijnsma (@ydklijnsma) September 1, 2013
http://pastebin.com/raw.php?i=8BqGPvhX
Note that links may still be live!
Conclusion
- Don't be fooled by websites that seem to resemble Facebook, always check the URL you are currently on before downloading or executing files
- Install an antivirus and antimalware product and keep it up-to-date & running
- Use a linkscanner to verify the integrity of a link on either http://www.urlvoid.com or https://www.virustotal.com/
- Use NoScript in Firefox or NotScripts in Chrome to block malicious attempts on unknown sites
- Running "funny Facebook files" will usually provide you with everything but fun
