US attacks Iran and Saudi Arabia? Malware spreads via Facebook status updates

Filed Under: Adobe Flash, Facebook, Malware, Social networks, Spam

TankBeware of malware lurking on news websites claiming to containing breaking news stories.

Naked Security has seen a worrying number of Facebook users posting the same status messages today, claiming that the United States has attacked Iran and Saudi Arabia in a move heralding the beginning of World War 3.

Well, that would certainly get your attention, wouldn't it?

A typical status message looks like the following:

U.S. Attacks Iran and Saudia Arabia. Fuck :-( The Begin of World War 3?

U.S. Attacks Iran and Saudia Arabia. F**k :-( [LINK] The Begin of World War 3?

If you visit the link mentioned in the status update, you are taken to a fake CNN news webpage which claims to contain video footage of conflict.

Fake CNN webpage

However, clicking on the video thumbnail prompts the webpage to ask you to install an update to Adobe Flash.

Malicious download posing as Flash update

Of course, it's not a real Flash update, but malware instead. Remember, you should only ever download a Flash update from the genuine Adobe website.

The malware - which Sophos detects as Troj/Rootkit-KK - drops a rootkit called Troj/Rootkit-JV onto your Windows computer. In addition, Sophos detects the behaviour of the malware as HPsus/FakeAV-J.

Within the first three hours of this malware campaign, some 60,000 Facebook users had been duped into visiting the malicious link.

What isn't entirely clear at this point is how the message is being shared by so many Facebook profiles.

Regular readers may recall how Facebook users were hit by hardcore porn, violence and animal abuse images late last year. Ultimately, Facebook claimed that the messages were being spread via a self-XSS browser vulnerability.

It's possible that malicious code on users' computers is sending the message to Facebook without users knowing. To be on the safe side, you should scan your computer with up-to-date anti-virus software and ensure you have the latest security patches in place.

If you use Facebook and want to get an early warning about the latest malware attacks, scams and hoaxes, you should join the Sophos Facebook page where we have a thriving community of over 160,000 people.

, , , , , , , ,

You might like

20 Responses to US attacks Iran and Saudi Arabia? Malware spreads via Facebook status updates

  1. Sam · 1341 days ago

    With this kind of trouble on the dramatic increase you really have to wonder how long Facebook will last. $100 billion? No way! Zuck should take the money and run for the hills before the investors realise what suckers they've been!

  2. Richard · 1341 days ago

    "The Begin of ..."

    Nice to see the usual level of English from the malware authors.

    • AJH · 1338 days ago

      Nah, it wasn't that the malware authors can't speak, they were just trying to fit in with the average facebook junkie.

  3. Vicki · 1339 days ago

    No Facebook for me! Too many privacy concerns and viruses; however, I do realize I am in a minority.

    • Nigel · 1338 days ago

      Those who make intelligent choices are always in the minority, Vicki.

  4. Roland · 1338 days ago


  5. Ant · 1338 days ago

    Snow ?!?!?

    • 4caster · 1338 days ago

      The mountainous north and west of Iran gets quite a lot of snow, but an attack would not begin there!

  6. antisocial · 1338 days ago

    Right there with you. I refer to it as FaceF**k...

  7. metoo · 1338 days ago

    something new!, a windows virus.

  8. Runaway1956 · 1338 days ago

    That does it - I'm upgrading to Linux! This crap doesn't run on Linux, and "updates" for Flash, or anything else, are available from trusted repositories.

    • Guesty McGuestelson · 1338 days ago

      Don't you mean downgrade to Linux? Nobody intentionally installs Linux on their PC unless they are nerds. Even Android phones are ashamed of their nerd background.

      • Steve · 1338 days ago

        Or they're sick of a worthless operating system like Windows.

  9. bill stickers · 1338 days ago

    Is it snowy in iran?

  10. Zuckie · 1338 days ago

    Malware is part of the social experience that binds people on Facebook together.

  11. mike · 1338 days ago

    I love malware, tastes like chicken!

  12. Guest · 1338 days ago

    No it's not snowy in Iran, that's silly, that's a US tank firing from New Jersey!

  13. Bill Caelli · 1338 days ago

    Well - the overwhelming evidence for the need for rapid introduction of DNSSEC globally is now here. 2011 was a watershed! The end-user must have confidence that the Internet site they are visiting is the one they intended...after all, isn't that the way with our ordinary telephone? We trust the telephone exchange - we must now TRUST the DNS. Will it require legislation to make this happen - I am afraid si given the "snail pace" of DNSSEC deplyment.

    • amused · 1337 days ago

      this exploit had nothing to do with DNS security. zero, zilch, nada. Bill you either have: 1) no clue as to what you're talking about, or 2) such an interest in DNSSEC deployment you would be willing to make such a foolish statement in the hopes that it will somehow compel folk to urging along it's progress.

      I would suggest another approach you may find emminently more rewarding: 3) take a piss in the wind. It may not help the deployment of DNSSEC but at least you may end up with a warm feeling and don't have to lie to get it.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley