US attacks Iran and Saudi Arabia? Malware spreads via Facebook status updates

Filed Under: Adobe Flash, Facebook, Malware, Social networks, Spam

Beware of malware lurking on news websites claiming to contain breaking news stories.

Naked Security has seen a worrying number of Facebook users posting the same status messages today, claiming that the United States has attacked Iran and Saudi Arabia in a move heralding the beginning of World War 3.

Well, that would certainly get your attention, wouldn't it?

A typical status message looks like the following:

U.S. Attacks Iran and Saudia Arabia. F**k :-( [LINK] The Begin of World War 3?

If you visit the link mentioned in the status update, you are taken to a fake CNN news webpage which claims to contain video footage of conflict.

Fake CNN webpage

However, clicking on the video thumbnail prompts the webpage to ask you to install an update to Adobe Flash.

Malicious download posing as Flash update

Of course, it's not a real Flash update, but malware instead. Remember, you should only ever download a Flash update from the genuine Adobe website.
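The advice above can be turned into a check on where an installer link really points. This is an added example, not code from Sophos or from the campaign; the allowlist, the HTTPS-only policy and every sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: genuine installers come only from adobe.com
# or its subdomains, over HTTPS. Extend the tuple to match your own policy.
TRUSTED_DOMAINS = ("adobe.com",)


def is_trusted_download(url: str) -> bool:
    """True only for an HTTPS URL whose host is a trusted domain or subdomain."""
    # Browsers treat "\" like "/" and drop tabs/newlines; reject rather than guess.
    if any(ch in url for ch in "\\\t\r\n"):
        return False
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    if parts.scheme != "https" or not host:
        return False
    # Compare on a label boundary: "notadobe.com" and "adobe.com.evil.example"
    # both contain the trusted name but are not under it.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


# Constructed sample links (not taken from the campaign described above).
SAMPLES = [
    "https://get.adobe.com/flashplayer/",
    "https://www.adobe.com/downloads.html",
    "http://get.adobe.com/flashplayer/",                   # no TLS
    "https://adobe.com.flash-update.example/setup.exe",    # trusted name as a prefix
    "https://adobe.com@flash-update.example/setup.exe",    # trusted name as userinfo
    "https://notadobe.com/flash_update.exe",               # suffix without a dot
    "https://\u0430dobe.com/flash_update.exe",             # Cyrillic "a" homograph
    "https://news-video.example\\@adobe.com/setup.exe",    # backslash parser trick
]


def rejected(urls):
    """Return the URLs that must not be used as an installer source."""
    return [u for u in urls if not is_trusted_download(u)]


if __name__ == "__main__":
    for u in SAMPLES:
        print("OK    " if is_trusted_download(u) else "REJECT", u)
```

A page that merely displays a vendor's logo or name, as the fake CNN page does with its Flash prompt, passes none of these checks, because only the host the file is actually served from is compared.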

The malware - which Sophos detects as Troj/Rootkit-KK - drops a rootkit called Troj/Rootkit-JV onto your Windows computer. In addition, Sophos detects the behaviour of the malware as HPsus/FakeAV-J.

Within the first three hours of this malware campaign, some 60,000 Facebook users had been duped into visiting the malicious link.

What isn't entirely clear at this point is how the message is being shared by so many Facebook profiles.

Regular readers may recall how Facebook users were hit by hardcore porn, violence and animal abuse images late last year. Ultimately, Facebook claimed that the messages were being spread via a self-XSS browser vulnerability.

It's possible that malicious code on users' computers is sending the message to Facebook without users knowing. To be on the safe side, you should scan your computer with up-to-date anti-virus software and ensure you have the latest security patches in place.

If you use Facebook and want to get an early warning about the latest malware attacks, scams and hoaxes, you should join the Sophos Facebook page where we have a thriving community of over 160,000 people.

20 Responses to US attacks Iran and Saudi Arabia? Malware spreads via Facebook status updates

  1. Sam · 930 days ago

    With this kind of trouble on the dramatic increase you really have to wonder how long Facebook will last. $100 billion? No way! Zuck should take the money and run for the hills before the investors realise what suckers they've been!

  2. Richard · 930 days ago

    "The Begin of ..."

    Nice to see the usual level of English from the malware authors.

    • AJH · 927 days ago

      Nah, it wasn't that the malware authors can't speak, they were just trying to fit in with the average facebook junkie.

  3. Vicki · 928 days ago

    No Facebook for me! Too many privacy concerns and viruses; however, I do realize I am in a minority.

    • Nigel · 927 days ago

      Those who make intelligent choices are always in the minority, Vicki.

  4. Roland · 927 days ago

    Suckers...

  5. Ant · 927 days ago

    Snow ?!?!?

    • 4caster · 927 days ago

      The mountainous north and west of Iran gets quite a lot of snow, but an attack would not begin there!

  6. antisocial · 927 days ago

    Right there with you. I refer to it as FaceF**k...

  7. metoo · 927 days ago

    something new!, a windows virus.

  8. Runaway1956 · 927 days ago

    That does it - I'm upgrading to Linux! This crap doesn't run on Linux, and "updates" for Flash, or anything else, are available from trusted repositories.

    • Guesty McGuestelson · 927 days ago

      Don't you mean downgrade to Linux? Nobody intentionally installs Linux on their PC unless they are nerds. Even Android phones are ashamed of their nerd background.

      • Steve · 927 days ago

        Or they're sick of a worthless operating system like Windows.

  9. bill stickers · 927 days ago

    Is it snowy in Iran?

  10. Zuckie · 927 days ago

    Malware is part of the social experience that binds people on Facebook together.

  11. mike · 927 days ago

    I love malware, tastes like chicken!

  12. Guest · 927 days ago

    No it's not snowy in Iran, that's silly, that's a US tank firing from New Jersey!

  13. Bill Caelli · 927 days ago

    Well - the overwhelming evidence for the need for rapid introduction of DNSSEC globally is now here. 2011 was a watershed! The end-user must have confidence that the Internet site they are visiting is the one they intended...after all, isn't that the way with our ordinary telephone? We trust the telephone exchange - we must now TRUST the DNS. Will it require legislation to make this happen - I am afraid so given the "snail pace" of DNSSEC deployment.

    • amused · 926 days ago

      this exploit had nothing to do with DNS security. zero, zilch, nada. Bill you either have: 1) no clue as to what you're talking about, or 2) such an interest in DNSSEC deployment you would be willing to make such a foolish statement in the hopes that it will somehow compel folk to urging along its progress.

      I would suggest another approach you may find eminently more rewarding: 3) take a piss in the wind. It may not help the deployment of DNSSEC but at least you may end up with a warm feeling and don't have to lie to get it.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.