Comments on: Facebook, Facebookhealth and the rogue AntiVirus application

By: Angelica

Angelica — Thu, 15 Oct 2009 07:37:57 +0000

Thanks Andrei – as an avid Facebook user, I’ve been noticing those weight loss messages popping up as various friends’ posts (and wondering how to avoid them appearing as mine too!); i knew it had to be some kind of virus but not much else. This was really interesting!

By: Andrei Zammit

Andrei Zammit — Sun, 11 Oct 2009 18:21:37 +0000

Just wanted to update you on this case.

There are domains which are delivering the malicious payload as described in the article:

a.) 3allfolderscan.com delivers Soft_19.exe
b.) mysecurityupgrade.com delivers setup.exe
c.) clara9elena.cn which is reported and blocked by Google
d.) myprotection-zone.net delivers setup_build8_201.exe

Virus analysis from VirusTotal.com:

for ‘setup.exe’ please follow http://www.virustotal.com/analisis/da69bf7c21ff7329ea4f4beb027c5b915ef5d2b8f1035a6e13c1ad48d33328f4-1255284144

for ‘Soft_19.exe’ follow
http://www.virustotal.com/analisis/ca3023f760c47bac1d77f411229c25354243061b14076cb7d47e84712ffa0932-1255284361

for ‘setup_build8_201.exe’ follow
http://www.virustotal.com/analisis/4b83f01fb2b3b32ea50daa0d5890e2bb477b278e73133f063d953334f1a56446-1255284997

By: Andrei Zammit

Andrei Zammit — Fri, 09 Oct 2009 12:08:36 +0000

Hi target,

Thanks for your interest.

One important thing to note is that if a trojan manages to steal your Facebook acount details, this will be harvested (together with other users’ account details) in a location and used at a later stage. Weeks and months may pass until the malware writers make use of them.

On the other hand, if bank account details (or any financial institution) are stolen, they are used very soon. This is because such data has a short lifetime compared to the Facebook account details.

By: Richard

Richard — Fri, 09 Oct 2009 10:15:54 +0000

Hi Andrei,

Thanks for the results link. Pretty worrying that only 3 found it. I guess that most of the vendors will be pretty quick at updating their definitions though.

By: target

target — Thu, 08 Oct 2009 18:29:38 +0000

thx for the info,

I’m a victim of this action, I guess that number 2. is the case, because I haven’ t been on facebook für a couple of weeks now, so I can’ t how anybody could get my user dates.

By: Andrei Zammit

Andrei Zammit — Thu, 08 Oct 2009 15:30:28 +0000

Hi Richard,

You can see the complete virus analysis report using this link here: http://www.virustotal.com/analisis/a9e1cdfec232a094e09518e1909705e8d3e5d4c8db2dae1d42561dae75140d20-1254934621

This report also includes which AntiVirus engines managed to detect the malware.

Our product, GFI MailSecurity, is a mail security server for IIS, MS Exchange and Lotus Domino. This implies that GFI MailSecurity will filter any emails hitting your orgainization which have malicious content. More information can be found here: http://www.gfi.com/mailsecurity

By: Richard

Richard — Thu, 08 Oct 2009 12:11:04 +0000

Thanks for the advice. Nice to see you guys are on top of this.

Out of curiosity, which 3 of the 41 AV’s picked up the malware?

Also, looking forward to your anti-virus solutions later this year, sound interesting? Will there be a beta for people to try out? (interface, CPU and RAM load etc)

Richard