A mass operation is underway to infect several thousand computers worldwide. The malware writers are attacking from various sources using an array of different techniques. Information about this attack is still very limited; the following is the situation as we currently know it:
Run 1: Facebook.com wall posts
Several users have reported that ‘someone’ posted weight-loss messages on their friends’ walls. The text of the message varies, with the following three being the most common:
Wow, this woman’s story has inspired me to lose weight facebookhealth4.com
I stumbled across this woman’s weight loss blog today, really interesting facebookhealth5.com
These things must work well for losing weight, check out this woman’s blog and what she did facebookhealth4.com
There are three possible ways this might have been achieved:
- A number of Facebook accounts were compromised via a direct attack on Facebook.com (least likely).
- Malware writers discovered a way to post directly on Facebook users’ walls without their knowledge (possible).
- A Trojan installed on the Facebook users’ machines stole their account login details (most likely).
Run 2: Facebookhealthx.com and wwwsecurityscan04.com
Just yesterday ten domains, Facebookhealth1.com to Facebookhealth10.com, were registered by a Chinese registrant under the name TANGHUA. The contact details appear fake, and both the name servers and the IP address are located in China. This simple public information already indicates that these domains were created for malicious activity.
These ten domains redirect immediately to another location hosted on wwwsecurityscan04.com. According to the Whois record of wwwsecurityscan04.com, the registrant is an individual who uses a dynamic DNS service, and the contact details do not appear fake.
However, this domain was also registered just yesterday, the same day as the Facebookhealthx.com domains.
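The two public signals used above (a domain registered a day before it is seen in the wild, and a batch of brand-plus-number domains created together) can be checked mechanically. The script below is an added example, not code from the original post: it parses simple "Key: value" WHOIS excerpts, which are constructed here (only the registrant name TANGHUA and the domain names come from the post; name servers, dates and the other registrant are placeholders), computes domain age against the observation date, flags numbered lookalikes of a brand list, and groups domains registered on the same day. Real registrar output varies, so the parser would need extra rules in practice.

```python
"""Triage of newly registered lookalike domains from WHOIS data (added example)."""
import re
from datetime import date, datetime

# Observation date: the day the post was written.
AS_OF = date(2009, 10, 7)

# Constructed WHOIS excerpts, not real lookups. Name servers, dates and the
# second registrant are placeholders; only TANGHUA comes from the post.
SAMPLE_WHOIS = {
    "facebookhealth4.com": """\
Domain Name: FACEBOOKHEALTH4.COM
Creation Date: 2009-10-06T08:12:44Z
Registrant Name: TANGHUA
Registrant Country: CN
Name Server: NS1.PLACEHOLDER-CN.EXAMPLE
Name Server: NS2.PLACEHOLDER-CN.EXAMPLE
""",
    "wwwsecurityscan04.com": """\
Domain Name: WWWSECURITYSCAN04.COM
Creation Date: 2009-10-06T11:02:10Z
Registrant Name: Placeholder Person
Registrant Country: US
Name Server: NS1.DYNDNS-PLACEHOLDER.EXAMPLE
""",
    "oldcorp.example": """\
Domain Name: OLDCORP.EXAMPLE
Creation Date: 1999-03-15T00:00:00Z
Registrant Name: Old Corp Ltd
Registrant Country: GB
Name Server: NS1.OLDCORP.EXAMPLE
""",
}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")


def parse_whois(text):
    """Parse 'Key: value' lines; repeated Name Server keys become a list."""
    rec = {"name_servers": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "creation date":
            rec["creation_date"] = datetime.strptime(value[:10], "%Y-%m-%d").date()
        elif key == "name server":
            rec["name_servers"].append(value.lower())
        elif key == "registrant name":
            rec["registrant"] = value
        elif key == "registrant country":
            rec["country"] = value.upper()
    return rec


def domain_age_days(creation, as_of=AS_OF):
    """Whole days between registration and the observation date."""
    return (as_of - creation).days


def brand_lookalike(domain, brands=("facebook", "securityscan")):
    """Return the brand a numbered lookalike imitates (e.g. facebookhealth4), else None."""
    label = domain.lower().split(".")[0]
    for brand in brands:
        if re.fullmatch(rf"(www)?{re.escape(brand)}[a-z]*\d+", label):
            return brand
    return None


def triage(domain, whois_text, as_of=AS_OF, max_age_days=7):
    """Collect the indicators the post relies on for one domain."""
    rec = parse_whois(whois_text)
    findings = []
    if "creation_date" in rec:
        age = domain_age_days(rec["creation_date"], as_of)
        if age <= max_age_days:
            findings.append(f"registered {age} day(s) before observation")
    brand = brand_lookalike(domain)
    if brand:
        findings.append(f"numbered lookalike of '{brand}'")
    return findings


def triage_all(whois_by_domain, as_of=AS_OF):
    return {d: triage(d, t, as_of) for d, t in whois_by_domain.items()}


def same_day_batches(whois_by_domain):
    """Group domains by creation date; several created together is itself a signal."""
    batches = {}
    for domain, text in whois_by_domain.items():
        created = parse_whois(text).get("creation_date")
        if created:
            batches.setdefault(created, []).append(domain)
    return {d: sorted(v) for d, v in batches.items() if len(v) > 1}


if __name__ == "__main__":
    for domain, findings in triage_all(SAMPLE_WHOIS).items():
        print(domain, "->", findings or "no findings")
    for created, domains in same_day_batches(SAMPLE_WHOIS).items():
        print(f"{len(domains)} domains created on {created}: {', '.join(domains)}")
```

Domain age alone produces false positives (legitimate sites are registered every day), which is why the script reports it alongside the lookalike and same-day-batch signals rather than as a verdict on its own.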
Run 3: Forum posts in various small websites
Open your favourite browser and search Google for “facebookhealth5”. You should receive a list of websites hosting posts similar to those on the Facebook walls.
Any of these links will redirect you to a ‘free’ virus scan of your computer. What you would not expect is that malware will be installed.
Run 4: The rogue AntiVirus scan and malicious payload from wwwsecurityscan04.com
As soon as you are redirected to wwwsecurityscan04.com, an animation of a rogue AntiVirus program is displayed. The animation is visually very well done and presented, and could easily fool uneducated users. The following screenshots show a complete run of the rogue AntiVirus software:
Note the long and complex URL used to launch the fake AntiVirus scan (first screenshot under Run 4). If you visit wwwsecurityscan04.com directly (not recommended), nothing should happen and only some text will be displayed.
At the end of the animated AntiVirus scan, a dialog box prompts you to download “Soft71.exe”, the malware. Do not expect that pressing the Cancel button will let you clear everything: the website, together with the animation, leaves no simple escape route.
I have uploaded the malware to VirusTotal.com for analysis. As of today, 07 October 2009, ONLY 3 AntiVirus engines out of 41 managed to detect the malware. These engines power your desktop AntiVirus software and those of your place of work. This illustrates how prone we all are to malware and the risks that we all encounter when we do not think about our actions. Just imagine the consequences had you clicked on the malicious link whilst at work. This is the permalink for the VirusTotal analysis.
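With only 3 of 41 engines detecting the file, the endpoint AntiVirus cannot be relied on, but the chain described in Runs 2 to 4 (a request to a lookalike domain, an HTTP redirect to a different domain, then an executable served from that second domain) is visible in web-proxy logs. The script below is an added example, not code from the original post: it runs that detection logic over constructed log lines in a simple space-separated layout (timestamp, client, method, URL, status, content type). Real proxy formats such as Squid's differ and need their own parser; the file name Soft71.exe and the domain names come from the post, the URL paths and client addresses are placeholders.

```python
"""Detect cross-domain redirect followed by an executable download (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed log lines; paths, query strings and client addresses are placeholders.
SAMPLE_LOG = """\
2009-10-07T09:15:01 10.0.0.12 GET http://facebookhealth4.com/ 302 text/html
2009-10-07T09:15:02 10.0.0.12 GET http://wwwsecurityscan04.com/scan/?id=PLACEHOLDER 200 text/html
2009-10-07T09:15:40 10.0.0.12 GET http://wwwsecurityscan04.com/Soft71.exe 200 application/octet-stream
2009-10-07T09:16:10 10.0.0.31 GET http://intranet.corp.example/news 200 text/html
2009-10-07T09:17:00 10.0.0.31 GET http://vendor.example/update/setup.exe 200 application/octet-stream
2009-10-07T09:18:05 10.0.0.44 GET http://short.example/x 301 text/html
2009-10-07T09:18:06 10.0.0.44 GET http://blog.example/post/42 200 text/html
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)$")
EXE_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}


def parse_log(text):
    """Turn log lines into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, ctype = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "host": (urlparse(url).hostname or "").lower(),
            "status": int(status), "ctype": ctype.lower(),
        })
    return events


def is_executable(ev):
    """Executable by file extension or by the content type the server declared."""
    path = urlparse(ev["url"]).path.lower()
    return path.endswith(".exe") or ev["ctype"] in EXE_TYPES


def find_redirect_to_exe(events, hop_window=10, download_window=300):
    """Per client: 3xx from host A, then a request to a different host B within
    hop_window seconds, then an executable served by B within download_window
    seconds of landing. Returns one hit per matching chain."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)
    hits = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, hop in enumerate(evs):
            if not 300 <= hop["status"] < 400:
                continue
            landing = next(
                (e for e in evs[i + 1:]
                 if e["host"] != hop["host"]
                 and (e["ts"] - hop["ts"]).total_seconds() <= hop_window),
                None,
            )
            if landing is None:
                continue
            for e in evs[i + 1:]:
                secs = (e["ts"] - landing["ts"]).total_seconds()
                if secs < 0:
                    continue
                if secs > download_window:
                    break
                if e["host"] == landing["host"] and is_executable(e):
                    hits.append({"client": client,
                                 "chain": [hop["url"], landing["url"], e["url"]]})
                    break
    return hits


if __name__ == "__main__":
    for hit in find_redirect_to_exe(parse_log(SAMPLE_LOG)):
        print(hit["client"], " -> ".join(hit["chain"]))
```

The plain vendor download by 10.0.0.31 and the harmless cross-domain redirect by 10.0.0.44 are deliberately left unflagged. The rule only sees redirects the proxy records as 3xx responses; a landing page that forwards with JavaScript or a meta refresh shows up as two 200s, so in practice this check is paired with the newly-registered-domain signal rather than used alone.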
Run 5: Malware activity
So far I do not know exactly which activities “Soft71.exe” (the malware) performs on a computer. To understand the actions of the malware, the executable must be disassembled and run in a controlled environment while monitoring the changes it makes.
However, it seems that this malware writes a number of registry keys and also downloads other malware from the Internet.
The possible malware attacks and the ways they are orchestrated are next to infinite. We must always stay a step ahead of malware writers and, apart from keeping all machines secure, ensure that all users are educated. This advice is valid both at the workplace and at home: a weak link in the chain may cause irreparable damage.
As we have seen, there are occasions where the machine and its software will not defend our resources. Education will always be the key to success against such criminal activity.