good one ...

On Fri, Jan 30, 2015 at 9:57 AM, Srinivas Naik <[email protected]> wrote:

> Source: Full Disclosure
>
> A new trojan is propagating through Facebook which was able to infect more
> than 110,000 users in only two days.
>
> *Propagation*:
> The trojan tags the infected user's friends in an enticing post. Upon
> opening the post, the user will get a preview of a porn video which
> eventually stops and asks for downloading a (fake) flash player to continue
> the preview. The fake flash player is the downloader of the actual malware.
>
> *Background*:
> We have been monitoring this malware for the last two days, where it could
> infect more than 110K users in only two days, and it is still on the rise.
> This malware keeps its profile low by tagging fewer than 20 users in
> each round of posts.
>
> This trojan is different from the previous trojans in online social networks
> in some techniques. For instance, the previous trojans sent messages (on
> behalf of the victim) to a number of the victim's friends. Upon infection
> of those friends, the malware could go one step further and infect the
> friends of the initial victim's friends.
>
> In the new technique, which we call "Magnet", the malware gets more
> visibility to the potential victims as it tags the friends of the victim in
> the malicious post. In this case, the tag may be seen by friends of the
> victim's friends as well, which leads to a larger number of potential
> victims. This will speed up the malware propagation.
>
> *Things to know:*
> The details of this analysis will be posted here later. However, for an
> interim solution, this information might come in handy:
>
> The MD5 of the executable file (fake flash player):
> cdcc132fad2e819e7ab94e5e564e8968
> The SHA1 of the executable file (fake flash player):
> b836facdde6c866db5ad3f582c86a7f99db09784
> The fake flash file drops the following executables as it runs:
> chromium.exe, wget.exe, arsiv.exe, verclsid.exe.
>
> The malware is able to hijack keyboard and mouse movement (at initial
> investigation).
>
> Existence of chromium.exe in the Windows processes is an Indicator of
> Compromise (IoC). The malware tries to connect to the following network
> upon execution:
>
> www.filmver.com and www.pornokan.com
>
>
> Kind Regards
> Mohammad R. Faghani
>
>
> ---------------
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "NFORCEIT" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/nforceit.
> For more options, visit https://groups.google.com/d/optout.

--
Regards,
Raghu
"Life is like Graph theory we have to find the right node to reach your destiny at earliest -RD"
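The post above gives three kinds of indicator (file hashes, dropped executable names, contact domains). The following triage script is an added example, not code from the original thread or from the Full Disclosure post: it matches an arbitrary file, a hash report, a process list and DNS query lines against exactly those indicators. The process list and the DNS log lines are constructed for the example, as is the "benign" sample file; the IoC values themselves are the ones quoted in the post.

```python
import hashlib
import re

# Indicators quoted in the forwarded Full Disclosure post.
IOC_MD5 = "cdcc132fad2e819e7ab94e5e564e8968"
IOC_SHA1 = "b836facdde6c866db5ad3f582c86a7f99db09784"
IOC_DROPPED = {"chromium.exe", "wget.exe", "arsiv.exe", "verclsid.exe"}
IOC_DOMAINS = {"filmver.com", "pornokan.com"}

HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b", re.I)
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def matched_hashes(data: bytes):
    """Hash a file's contents and return which of the post's digests it matches.
    A file that is the published fake flash player yields ['md5', 'sha1']."""
    found = []
    if hashlib.md5(data).hexdigest() == IOC_MD5:
        found.append("md5")
    if hashlib.sha1(data).hexdigest() == IOC_SHA1:
        found.append("sha1")
    return found


def find_ioc_hashes(report_text: str):
    """Scan free text (an AV export, a sandbox report, a hash list) for the
    post's digests. Tokens are matched case-insensitively on word boundaries
    so a digest embedded in a longer hex string is not counted."""
    found = set()
    for token in HEX_RE.findall(report_text):
        t = token.lower()
        if t == IOC_MD5:
            found.add("md5")
        elif t == IOC_SHA1:
            found.add("sha1")
    return sorted(found)


def suspicious_processes(process_list):
    """process_list: iterable of (pid, image_name) pairs, e.g. parsed from
    `tasklist`. Returns the entries whose image name is one of the dropped
    executables. This is a lead to triage with the hashes, not a verdict:
    verclsid.exe is also a legitimate Windows binary and wget.exe is a
    common tool, so the match must be confirmed on the file itself."""
    return [(pid, name) for pid, name in process_list
            if name.lower() in IOC_DROPPED]


def ioc_domain_hits(log_lines):
    """Return (line, host) pairs for every DNS query line that names one of
    the post's domains or a subdomain of it. Hosts are compared as whole
    labels, so 'notfilmver.com' does not match 'filmver.com'."""
    hits = []
    for line in log_lines:
        for host in HOST_RE.findall(line):
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in IOC_DOMAINS):
                hits.append((line, h))
    return hits


# Constructed sample data (assumption: a simple "query <host> <type>" log format).
SAMPLE_DNS_LOG = [
    "2015-01-30 09:57:01 client 10.0.0.12 query www.filmver.com A",
    "2015-01-30 09:57:02 client 10.0.0.12 query cdn.example.net A",
    "2015-01-30 09:57:05 client 10.0.0.19 query WWW.PORNOKAN.COM A",
    "2015-01-30 09:57:09 client 10.0.0.12 query notfilmver.com A",
]
SAMPLE_PROCESSES = [(4, "System"), (1204, "explorer.exe"),
                    (3312, "Chromium.exe"), (3320, "wget.exe")]
SAMPLE_FILE = b"constructed benign sample, not the real dropper"


if __name__ == "__main__":
    print("file digests matched:", matched_hashes(SAMPLE_FILE))
    print("processes to triage:", suspicious_processes(SAMPLE_PROCESSES))
    for line, host in ioc_domain_hits(SAMPLE_DNS_LOG):
        print("IoC domain", host, "in:", line)
```

Two caveats worth keeping in mind when using this. First, the hashes identify one specific dropper binary; a repacked variant will pass `matched_hashes` untouched, so the domain and process indicators are what catch the next build, and the hash is what confirms it. Second, matching the domains by whole labels (rather than by substring) matters in practice: a substring check on `filmver.com` would also flag any unrelated host whose name happens to end in those characters.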
