Thursday, January 17, 2013

Facebook Malware campaign

We're seeing a massive campaign of malware distribution through Facebook look-a-like pages that started just before the new year.
Malicious page distributing malware

These pages are using the free DNS and hosting provider .tk. This provider has been used for many spam and malware campaigns in the past. Here are some of the domains used:
janejcfprofile.tk
natalieclolyu.tk
rosemaryrloveyouur.tk
sabrinadjoyys.tk
catherineufcitisfun.tk
rosemaryiiqsuper.tk
laurenaensweety.tk
carlyqwowdv.tk

So far, we've seen several hundred such sites. They prompt the user to download a file with various names, such as:
YouWhoreGIF.exe
YouNiceJPG.exe
IamNiceBMP.exe
IamNicePNG.exe
YouFunnyJPEG.exe
IamLolBMP.exe
and many more.

Only 1 AV vendor detects them as malicious at this time!
Looking at the page source, all the .tk domains load their content through an IFRAME from a second set of domains, such as:
liwwh.eqeki.com
ngdy.hrdhm.org
lsmxz.totyn.net
cnpz.nukoq.com
...

These pages in turn redirect to a third URL on 208.131.138.217, which hosts the malicious executable:
208.131.138.217/132.html
208.131.138.217/208.html

The malicious file is generated by http://208.131.138.217/imagedl.php.
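The three-stage chain described above (.tk look-alike page, IFRAME host, payload host, then imagedl.php) is something a proxy or DNS log can be replayed against. The following Python script is an added example, not code from the original post: it maps each request in a constructed proxy log onto the chain using the indicators quoted above, groups the stages per client, and assigns a verdict. The log format, the client addresses and the sample lines are assumptions made up for the illustration; the lure-filename pattern generalizes the names listed in the post.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post above.
LOOKALIKE_TLD = ".tk"                       # free .tk domains hosting the Facebook look-alike pages
IFRAME_HOSTS = {                            # second-stage hosts loaded through an IFRAME
    "liwwh.eqeki.com", "ngdy.hrdhm.org", "lsmxz.totyn.net", "cnpz.nukoq.com",
}
PAYLOAD_HOST = "208.131.138.217"            # third-stage host serving the executable
PAYLOAD_GENERATOR = "/imagedl.php"          # script that generates the malicious file
# Lure file names follow a "You|Iam + word + image format + .exe" pattern
# (generalized from the names in the post: YouNiceJPG.exe, IamLolBMP.exe, ...).
LURE_NAME_RE = re.compile(r"^(?:You|Iam)[A-Za-z]+(?:GIF|JPE?G|BMP|PNG)\.exe$", re.IGNORECASE)

# Hypothetical proxy log format (constructed for this example):
#   "<timestamp> <client> <url> <saved-filename or ->"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)\s+(?P<filename>\S+)$")

# Constructed sample log: one client walks the whole chain, one only hits the
# payload host, one is unrelated traffic.
SAMPLE_LOG = [
    "2013-01-15T10:00:01Z 10.0.0.5 http://rosemaryrloveyouur.tk/ -",
    "2013-01-15T10:00:02Z 10.0.0.5 http://ngdy.hrdhm.org/ -",
    "2013-01-15T10:00:03Z 10.0.0.5 http://208.131.138.217/132.html -",
    "2013-01-15T10:00:04Z 10.0.0.5 http://208.131.138.217/imagedl.php YouNiceJPG.exe",
    "2013-01-15T10:01:00Z 10.0.0.9 http://www.example.com/ -",
    "2013-01-15T10:01:05Z 10.0.0.9 http://www.example.com/photo.png -",
    "2013-01-15T10:02:00Z 10.0.0.7 http://208.131.138.217/208.html -",
]


def stages_of(url, filename="-"):
    """Map one request onto the campaign's redirect chain; returns a set of stage tags."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    tags = set()
    if host.endswith(LOOKALIKE_TLD):
        tags.add("lookalike")
    if host in IFRAME_HOSTS:
        tags.add("iframe")
    if host == PAYLOAD_HOST:
        tags.add("payload-host")
        if u.path == PAYLOAD_GENERATOR:
            tags.add("generator")
    if filename != "-" and LURE_NAME_RE.match(filename):
        tags.add("lure-exe")
    return tags


def chains_by_client(log_lines):
    """Replay the log and collect, per client, the ordered stages it touched."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                        # skip malformed lines rather than fail
        for tag in sorted(stages_of(m["url"], m["filename"])):
            seen.setdefault(m["client"], []).append(tag)
    return seen


def verdict(stages):
    """Confidence that a client went through the campaign, from strongest to weakest."""
    s = set(stages)
    if "lure-exe" in s or "generator" in s:
        return "download-attempted"         # reached imagedl.php or saved a lure-named .exe
    if {"lookalike", "iframe", "payload-host"} <= s:
        return "full-chain"                 # every stage seen, no download recorded
    if "payload-host" in s or "iframe" in s:
        return "partial-chain"              # later stage seen without the look-alike page
    if s:
        return "lookalike-only"
    return "clean"


def analyze(log_lines):
    """Return {client: verdict} for every client that touched any stage."""
    return {client: verdict(stages) for client, stages in chains_by_client(log_lines).items()}


if __name__ == "__main__":
    for client, result in sorted(analyze(SAMPLE_LOG).items()):
        print(client, result)
```

Matching on the lure-filename pattern, rather than on the exact names in the post, catches the "and many more" variants, and the per-client ordering is what lets an analyst distinguish a user who merely landed on a look-alike page from one who reached imagedl.php.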

As usual, do not run files downloaded from random Internet pages.
