Facebook, Facebookhealth and the rogue AntiVirus application
A mass operation is under way to infect several thousand computers worldwide. The malware writers are launching it from various sources using an array of different techniques. Information about this attack is still very limited; the following is the current situation as we know it:
Run 1: Facebook.com wall posts
Several users have reported that ‘someone’ posted weight-loss messages on their friends’ walls. The text of the message varies, with the following three being the most common:
Wow, this woman’s story has inspired me to lose weight facebookhealth4.com
I stumbled across this woman’s weight loss blog today, really interesting facebookhealth5.com
These things must work well for losing weight, check out this woman’s blog and what she did facebookhealth4.com
There are three possible ways this might have been achieved:
- A number of Facebook accounts were compromised via a direct attack on Facebook.com (least likely).
- The malware writers discovered a way to post directly on Facebook users’ walls without their knowledge (possible).
- A Trojan was installed on the Facebook users’ machines and stole their account login details (most likely).
Run 2: Facebookhealthx.com and wwwsecurityscan04.com
Just yesterday, ten domains, Facebookhealth1.com to Facebookhealth10.com, were registered by a Chinese registrant under the name TANGHUA. The contact details appear fake, and both the name servers and the IP address are located in China. This public information alone already indicates that these domains were created for malicious activity.
All ten domains immediately redirect to a page hosted on wwwsecurityscan04.com. According to the Whois record of wwwsecurityscan04.com, the registrant is an individual using a dynamic DNS service, and the contact details do not appear fake.
However, this domain was also registered just yesterday, on the same day as the Facebookhealthx.com domains.
Run 3: Forum posts in various small websites
Fire up your favourite browser and search Google for “facebookhealth5”. You will get a list of small websites hosting forum posts similar to those on the Facebook walls.
Any of these links redirects you to a ‘free’ virus scan of your computer; what you would not expect is that the ‘scan’ ends with malware being installed.
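Runs 1 to 3 all end at the same place, so the cheapest way to spot affected machines is to look for the lure and landing domains in the web proxy log. The script below is an added example, not part of the original post: it walks a small log in a constructed, simplified format (timestamp, client, method, URL, status; the lines are made up for illustration), classifies each request as a lure domain (facebookhealth1.com to facebookhealth10.com), the landing domain (wwwsecurityscan04.com) or an executable download from it, and gives a per-client verdict. The only real indicators are the domain names taken from the post; the domains listed in the comments below the article would be added to LANDING_DOMAINS in the same way.

```python
"""Flag proxy-log requests to this campaign's domains and rebuild the
facebookhealthN.com -> wwwsecurityscan04.com -> .exe chain per client.

Added example (not from the original post). Log format and log lines
are CONSTRUCTED; only the domain names come from the post."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Lure domains named in the post: facebookhealth1.com .. facebookhealth10.com
LURE_DOMAIN_RE = re.compile(r"^facebookhealth(?:[1-9]|10)\.com$", re.IGNORECASE)
# Landing domain the lures redirect to (extend with further domains as found)
LANDING_DOMAINS = {"wwwsecurityscan04.com"}

# CONSTRUCTED sample log: "<unix ts> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1254910000 10.0.0.5 GET http://www.example.org/index.html 200
1254910012 10.0.0.5 GET http://facebookhealth5.com/ 302
1254910013 10.0.0.5 GET http://wwwsecurityscan04.com/?id=2e7f1c4aa9b0d3e5c8 200
1254910015 10.0.0.5 GET http://wwwsecurityscan04.com/Soft71.exe 200
1254910030 10.0.0.9 GET http://wwwsecurityscan04.com/ 200
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, method, url, status = line.split()
    parsed = urlparse(url)
    return {"ts": int(ts), "client": client, "method": method, "url": url,
            "host": (parsed.hostname or "").lower(), "path": parsed.path,
            "status": int(status)}


def classify(host, url):
    """Return 'lure', 'landing', 'payload' or None for one request."""
    if LURE_DOMAIN_RE.match(host):
        return "lure"
    if host in LANDING_DOMAINS:
        # The post: the bare site only shows text; the scan and the .exe
        # come from specific URLs, so an .exe fetch is the payload stage.
        return "payload" if urlparse(url).path.lower().endswith(".exe") else "landing"
    return None


def analyse(log_text):
    """Group campaign-related requests per client, in time order."""
    chains = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        stage = classify(rec["host"], rec["url"])
        if stage:
            chains[rec["client"]].append((rec["ts"], stage, rec["url"]))
    return {client: sorted(events) for client, events in chains.items()}


def verdict(events):
    """Severity for one client's list of (ts, stage, url) events."""
    stages = {stage for _, stage, _ in events}
    if "payload" in stages:
        return "PAYLOAD DOWNLOADED - isolate host and check for the dropped executable"
    if "lure" in stages and "landing" in stages:
        return "full redirect chain seen - fake scan was displayed"
    if "lure" in stages:
        return "lure visited"
    return "landing domain contacted"


if __name__ == "__main__":
    for client, events in analyse(SAMPLE_LOG).items():
        print(client, "->", verdict(events))
        for ts, stage, url in events:
            print("   ", ts, stage, url)
```

The lure regex deliberately stops at facebookhealth10.com, the range the post names; a looser pattern such as facebookhealth\d+ would catch domains registered later, at the cost of the odd false positive, and is the better choice once the campaign is known to be growing.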
Run 4: The rogue AntiVirus scan and malicious payload from wwwsecurityscan04.com
As soon as you are redirected to wwwsecurityscan04.com, an animation imitating an AntiVirus scan is displayed. The animation is visually very well done and could easily fool an uneducated user. The following screenshots show a complete run of the rogue AntiVirus ‘scan’:
Notice the long and complex URL used to launch the fake AntiVirus scan (first screenshot under Run 4). If you visit the bare wwwsecurityscan04.com (not recommended), nothing should happen and only some text is displayed; the fake scan is reached only through the full URL.
At the end of the animated scan, a dialog box prompts you to download “Soft71.exe”, the malware itself. Do not expect that pressing Cancel will get you out: the website and the animation together leave no simple escape route.
I have uploaded the malware to VirusTotal.com for analysis. As of today, 07 October 2009, ONLY 3 AntiVirus engines out of 41 detect the malware. These are the same engines that power desktop AntiVirus products at home and at work. This illustrates how exposed we all are to malware and the risks we run when we do not think before we click. Just imagine the consequences had you clicked on the malicious link while at work. The permalink for the VirusTotal analysis is http://www.virustotal.com/analisis/a9e1cdfec232a094e09518e1909705e8d3e5d4c8db2dae1d42561dae75140d20-1254934621
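Anyone who comes across a copy of the download can check whether it is the same file the post analysed without resubmitting it anywhere, because VirusTotal permalinks of that era (/analisis/<hash>-<number>) carry the sample's SHA-256 followed by the Unix timestamp of the scan. The following is an added example, not code from the post or from VirusTotal: it decodes the permalink quoted in the comments below (the timestamp decodes to 7 October 2009, the date the post gives), hashes a file and compares. SAMPLE_BYTES is a constructed placeholder, not the real Soft71.exe, so it is shown not matching, and the permalink format is an assumption taken from the URL's shape.

```python
"""Compare a local file against the SHA-256 embedded in an old-style
VirusTotal permalink and decode the scan time.

Added example (not from the original post). The permalink format
(/analisis/<sha256>-<unix timestamp>) is inferred from the URL in the
post's comments; SAMPLE_BYTES is a CONSTRUCTED stand-in, not Soft71.exe."""
import hashlib
import re
from datetime import datetime, timezone

PERMALINK = ("http://www.virustotal.com/analisis/"
             "a9e1cdfec232a094e09518e1909705e8d3e5d4c8db2dae1d42561dae75140d20-1254934621")

# 64 hex chars = SHA-256, then '-' and a 9-10 digit Unix timestamp (assumed)
PERMALINK_RE = re.compile(r"/analisis/([0-9a-fA-F]{64})-(\d{9,10})/?$")

# CONSTRUCTED placeholder bytes (an MZ header followed by text); not malware.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not the real sample"


def parse_permalink(url):
    """Return (sha256, scan time in UTC) from a VirusTotal permalink."""
    m = PERMALINK_RE.search(url)
    if m is None:
        raise ValueError(f"not a VirusTotal analysis permalink: {url}")
    sha256 = m.group(1).lower()
    scanned_at = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return sha256, scanned_at


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 of the file contents (what VirusTotal lists)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_permalink(data, url):
    """True if the file is the exact sample the permalink refers to."""
    return file_hashes(data)["sha256"] == parse_permalink(url)[0]


if __name__ == "__main__":
    sha256, when = parse_permalink(PERMALINK)
    print("permalink sample :", sha256)
    print("scanned at (UTC) :", when.isoformat())
    print("local hashes     :", file_hashes(SAMPLE_BYTES))
    print("same sample?     :", matches_permalink(SAMPLE_BYTES, PERMALINK))
```

Hash comparison is exact: a repacked or slightly modified build (the comments mention setup.exe, Soft_19.exe and setup_build8_201.exe from other domains) will have a different SHA-256 and needs its own submission, which is exactly why the detection count in the permalink should not be taken as the detection rate of the campaign as a whole.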
Run 5: Malware activity
At the time of writing I do not know exactly what “Soft71.exe” (the malware) does on an infected computer. To establish its actions, the executable must be disassembled and run in a controlled environment while the changes it makes to the file system, registry and network are monitored.
From what is known so far, it seems that the malware writes a number of registry keys and downloads further malware from the Internet.
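The simplest form of the monitoring described above is a before/after comparison: export the registry before running the sample in the sandbox, run it, export again, and diff the two. The script below is an added example, not code from the post: it parses two exports in the regedit .reg format, lists new keys and new or changed values, and flags anything under the usual auto-start locations. Both exports are constructed for illustration and the entries in the 'after' snapshot are hypothetical, not observed behaviour of Soft71.exe.

```python
"""Diff two registry (.reg) exports taken before and after running a
sample in a sandbox, and flag new auto-start (persistence) entries.

Added example (not from the original post). BEFORE and AFTER are
CONSTRUCTED; the 'after' additions are HYPOTHETICAL, not observed
behaviour of Soft71.exe."""
import re

# CONSTRUCTED 'before' export, as produced by regedit / 'reg export'.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"""

# CONSTRUCTED 'after' export; the new key and Run value are HYPOTHETICAL.
AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"example"="C:\\Documents and Settings\\user\\Application Data\\example.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor]
"installed"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"""

# A value line is either @=... (default value) or "quoted name"=...
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Key path fragments that grant execution at logon/boot (case-insensitive).
AUTOSTART_FRAGMENTS = (r"\currentversion\run", r"\winlogon", r"\currentcontrolset\services")


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or m is None:
            continue            # comments, continuation lines, junk
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        keys[current][name] = m.group(2)
    return keys


def diff_reg(before, after):
    """List (kind, key, value_name, data) tuples describing the changes."""
    changes = []
    for key, values in after.items():
        old = before.get(key)
        if old is None:
            changes.append(("new_key", key, None, None))
            old = {}
        for name, data in values.items():
            if name not in old:
                changes.append(("new_value", key, name, data))
            elif old[name] != data:
                changes.append(("changed_value", key, name, data))
    for key in before:
        if key not in after:
            changes.append(("deleted_key", key, None, None))
    return changes


def persistence_hits(changes):
    """Changes that add or alter a value under an auto-start location."""
    return [c for c in changes
            if c[0] in ("new_value", "changed_value")
            and any(f in c[1].lower() for f in AUTOSTART_FRAGMENTS)]


if __name__ == "__main__":
    changes = diff_reg(parse_reg(BEFORE), parse_reg(AFTER))
    for kind, key, name, data in changes:
        print(f"{kind:14} {key}  {name or ''}  {data or ''}")
    print("persistence:", persistence_hits(changes))
```

A snapshot diff only sees the end state, so values the sample writes and then deletes, or keys it touches under a different user, are missed; live monitoring (Process Monitor, or API hooking in the sandbox) and a packet capture for the download stage complete the picture.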
The possible malware attacks, and the ways they are orchestrated, are next to infinite. We must stay a step ahead of the malware writers: apart from keeping all machines patched and protected, we must make sure that all users are educated. This applies both at the workplace and at home; a weak link in the chain may cause irreparable damage.
As we have seen, there are occasions when the machine and its software will not defend our resources, and then an alert user is the last line of defence. Education will always be the key to countering such criminal activity.

Thanks for the advice. Nice to see you guys are on top of this.
Out of curiosity, which 3 of the 41 AV’s picked up the malware?
Also, looking forward to your anti-virus solutions later this year, sounds interesting. Will there be a beta for people to try out? (interface, CPU and RAM load etc.)
Richard
Hi Richard,
You can see the complete virus analysis report using this link here: http://www.virustotal.com/analisis/a9e1cdfec232a094e09518e1909705e8d3e5d4c8db2dae1d42561dae75140d20-1254934621
This report also includes which AntiVirus engines managed to detect the malware.
Our product, GFI MailSecurity, is a mail security server for IIS, MS Exchange and Lotus Domino. This implies that GFI MailSecurity will filter any emails hitting your organization which have malicious content. More information can be found here: http://www.gfi.com/mailsecurity
Thanks for the info,
I’m a victim of this action. I guess that number 2 is the case, because I haven’t been on Facebook for a couple of weeks now, so I can’t see how anybody could get my user data.
Hi Andrei,
Thanks for the results link. Pretty worrying that only 3 found it. I guess that most of the vendors will be pretty quick at updating their definitions though.
Hi target,
Thanks for your interest.
One important thing to note is that if a trojan manages to steal your Facebook account details, these will be harvested (together with other users’ account details) in a location and used at a later stage. Weeks and months may pass until the malware writers make use of them.
On the other hand, if bank account details (or any financial institution) are stolen, they are used very soon. This is because such data has a short lifetime compared to the Facebook account details.
Just wanted to update you on this case.
There are domains which are delivering the malicious payload as described in the article:
a.) 3allfolderscan.com delivers Soft_19.exe
b.) mysecurityupgrade.com delivers setup.exe
c.) clara9elena.cn which is reported and blocked by Google
d.) myprotection-zone.net delivers setup_build8_201.exe
Virus analysis from VirusTotal.com:
for ‘setup.exe’ please follow http://www.virustotal.com/analisis/da69bf7c21ff7329ea4f4beb027c5b915ef5d2b8f1035a6e13c1ad48d33328f4-1255284144
for ‘Soft_19.exe’ follow
http://www.virustotal.com/analisis/ca3023f760c47bac1d77f411229c25354243061b14076cb7d47e84712ffa0932-1255284361
for ‘setup_build8_201.exe’ follow
http://www.virustotal.com/analisis/4b83f01fb2b3b32ea50daa0d5890e2bb477b278e73133f063d953334f1a56446-1255284997
Thanks Andrei – as an avid Facebook user, I’ve been noticing those weight loss messages popping up as various friends’ posts (and wondering how to avoid them appearing as mine too!); I knew it had to be some kind of virus but not much else. This was really interesting!