Facebook, Fake AV and Friends

We’ve seen an increasing number of Facebook worms over recent months, and the last few variants have started to reference other social networking sites, including MySpace. I saw the move to a broader spectrum of targets mirrored when I was investigating the following chain, and it led me to believe there’s a link between these worms and the current plague of “fake anti-virus” (aka “fake AV”) Trojans.

The chain starts off when you receive a message from someone you know in Facebook. The one I saw last week looked like this:

{your friend’s name} sent you a message.

Subject: is it u there?


As you can see, the Facebook link is trying to direct you to a page that’s been cached in Google. In this instance Facebook actually knows that this is a site you shouldn’t be visiting, and displays the following:

[Image: Facebook, Fake AV and Friends 1]

Still, I wanted to know what was there, so I jumped directly to the cached page. On first glance it looked innocuous enough, but on closer inspection of the source code it was a site that had been the subject of SQL injection, and was detected by us as Mal/BadSrc-C. The point of the injection was to redirect visitors silently to another site, and this is what I found there:

[Image: Facebook, Fake AV and Friends 2]

This script (detected by us as Mal/JSRedir-A) uses document.referrer to see what site directed you there, and it then passes you on to a different page accordingly. This means that someone sent here after clicking a link in Facebook will end up being shown a different page to someone who clicked on the same link in MySpace.
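A defender reviewing captured page source can triage for this referrer-gated redirect pattern statically. The following is an added example, not code from the original post and not Sophos's detection logic; the sample page, host names, `track()` call and function names are constructed, and it assumes the redirect logic sits in an inline script.

```javascript
// Added example: static triage for referrer-gated redirects in page source.
// The sample markup, host names and the track() call are constructed.
const REFERRER = /\bdocument\.referrer\b/;
// Navigation sinks: assignment to location / location.href, or replace()/assign().
const SINKS = [
  /\blocation(?:\.href)?\s*=(?!=)/,
  /\blocation\.(?:replace|assign)\s*\(/,
];
// String literals used in substring tests, e.g. ref.indexOf("facebook.com").
const TESTED = /\.(?:indexOf|includes|search)\(\s*["']([^"']+)["']/g;

// Return the bodies of inline <script> elements (src-only scripts are empty).
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(re)) bodies.push(m[1]);
  return bodies;
}

// Flag scripts that read the referrer, branch on its content and then navigate.
function findReferrerGatedRedirects(html) {
  const findings = [];
  inlineScripts(html).forEach((body, index) => {
    if (!REFERRER.test(body)) return;                // never looks at the referrer
    if (!SINKS.some((re) => re.test(body))) return;  // never navigates
    const tested = [...body.matchAll(TESTED)].map((m) => m[1].toLowerCase());
    if (tested.length === 0) return;                 // no per-site branching found
    findings.push({ script: index, tested: [...new Set(tested)] });
  });
  return findings;
}

// Constructed page: an analytics script, a referrer-gated redirect, a plain redirect.
const SAMPLE_PAGE = `
<html><body>
<script>var r = document.referrer; track("view", r);</script>
<script>
var ref = document.referrer.toLowerCase();
if (ref.indexOf("facebook.com") != -1) { location.href = "http://landing.invalid/a"; }
else if (ref.indexOf("myspace.com") != -1) { location.href = "http://landing.invalid/b"; }
</script>
<script>location.replace("/new-home");</script>
</body></html>`;

console.log(JSON.stringify(findReferrerGatedRedirects(SAMPLE_PAGE), null, 2));
```

Only the second script is reported; reading the referrer for analytics or redirecting unconditionally does not match on its own, which keeps the check narrow enough for triage.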

At the moment the sites pointed to all then take you via a 302 redirect to the same payload, but I’d expect to see people being filtered by the page to more targeted code soon. For now the page they point to is of the good old-fashioned “here’s a video, download a codec or software update so you can view it properly” variety. In this instance it’s trying to get you to install flash_update.exe, and the video it’s trying to show you is porn – I’ll visit it from a browser without Flash installed to spare you the gory details:

[Image: Facebook, Fake AV and Friends 3]

We detect this page as Mal/VidHtml-A and flash_update.exe as W32/Koobfa-Gen – running that executable gives you the following fake error message (because doing nothing at all would be suspicious):

[Image: Facebook, Fake AV and Friends 4]

Meanwhile in the background the worm starts running … and so the cycle begins again.

I promised to tie this together with the fake anti-virus Trojans, and so here goes: if I visit the root domain of the Mal/JSRedir-A page, I get a different variation of the “view this video” page, this one detected as Mal/VidHtml-B:

[Image: Facebook, Fake AV and Friends 5]

This page redirects me to another one, detected as Mal/VidHtml-C, which tries to download an executable called setup.exe from yet another remote location. This file is detected as Mal/EncPk-GA, and instead of being a Facebook worm, this is a fake anti-virus Trojan – in fact it’s a component of the Zlob family, which is one of the oldest strains of this phenomenon.

Seeing different types of malware hosted on the same sites isn’t all that uncommon, and we’ve seen instances of quite varied families hosted together. This particular chain incorporates many of the major threats we’ve been seeing recently, allowing us (to some extent) to plot out a better map of who’s responsible for what – in this case, SQL injection, bogus video sites, fake anti-virus software, and Facebook worms. The addition of targets including MySpace, Bebo, hi5, and GeoCities shows the direction these particular malware authors seem to be heading.