Facebook Malware infected more than 110K users and is still rising

A new Facebook Malware in the form of a Trojan is infecting hundreds of thousands of  Facebook users in only two days.

The trojan works by tagging the infected user’s friends in an enticing post. When they open the post, the user will get a preview of a porn video which plays for a short while before stopping and asking the user to download a (fake) flash player to continue the preview. The fake flash player is the downloader of the actual malware.

This trojan is slightly different from previos social network related Malware. For example, the previous trojans sent messages (on behalf of the victim) to the victim’s friends. When the friends were infected, the malware could go one step further and infect the friends of the initial victim’s friends.

In the new technique, which has been coined by Seclists as “Magnet”, the malware gets more visibility to the potential victims as it tags the friends of the victim in a the malicious post. In this case, the tag may be seen by friends of the victim’s friends as well, which leads to a larger number of potential victims. Thus speeding up malware propagation.

There is an temporary solution for identifying the Malware from Seclist, this information might come in handy:

The MD5 of the executable file (fake flash player):
cdcc132fad2e819e7ab94e5e564e8968
The SHA1 of the executable file (fake flash player)
: b836facdde6c866db5ad3f582c86a7f99db09784
The fake flash file drops the following executables as it runs:
chromium.exe, wget.exe, arsiv.exe, verclsid.exe.

The malware is able to hijack keyboard and mouse movement from an initial investiagation from Seclist.

Keep visiting