Facebook Malware Infects 110K in Under 48 Hours via Fake Flash Update
A new Trojan has been caught galloping throughout the world's largest social network, Facebook, infecting more than 110,000 users in the past 48 hours.
The unnamed malware was found spreading itself by posting automated links to an alleged porn video from the account of a previously infected user. The malware automatically posts status updates and tags no more than 20 friends in the post, along with an infected link. Upon opening the malicious link, a video begins to play but suddenly stops, prompting the user to install a fake Adobe Flash Player for the video to continue. Loaded inside the fake Flash Player is a Trojan downloader.
Security researcher Mohammad Reza Faghani posted the findings of his initial investigation, revealing that the malware can manipulate keystrokes and mouse movement in real time. He also found one way for users to identify whether they have been infected: checking whether Chrome.exe is running in the Windows processes, meaning the hackers have masqueraded the file to appear as the Google Chrome browser.
Unlike commonly seen Facebook malware, which spreads through private messages, the Trojan uses a technique Faghani is calling “Magnet,” which posts the link publicly.
As the malware creates the malicious post and tags multiple friends, the content becomes more visible and spreads not only to those tagged in the photo but also to their friends. Faghani says this allows the malware to spread far more efficiently.
Faghani said that he is still in the process of analyzing the malware, and that he will continue to post updates on the Full Disclosure list as details surface.
The MD5 hash of the fake Flash Player is “cdcc132fad2e819e7ab94e5e564e8968.” The SHA1 hash of the file is “b836facdde6c866db5ad3f582c86a7f99db09784.” Faghani also noted that the malicious file drops chromium.exe, wget.exe, arsiv.exe and verclsid.exe as it runs, while connecting to both www[dot]filmver[dot]com and www[dot]pornokan[dot]com.
Facebook has reported they are aware of the current threat and are working to block the perpetrator/s.
Steps you can take to avoid becoming infected with the fake Facebook Flash Player virus:
- Be careful when clicking on links from Facebook, Twitter, Google, and Instagram.
- Do not install any browser extensions that sites claim to require.
- Blacklist the two websites the malware connects to.
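The indicators listed above can be turned into simple host and network checks. The following is an added example, not code from the article or from Faghani's analysis; the function names, sample paths and log format are assumptions, and the sample data is constructed.

```python
import hashlib
import ntpath
import re

# Indicators copied from the article; hostnames kept in the page's defanged form.
FAKE_FLASH_MD5 = "cdcc132fad2e819e7ab94e5e564e8968"
FAKE_FLASH_SHA1 = "b836facdde6c866db5ad3f582c86a7f99db09784"
DROPPED_NAMES = {"chromium.exe", "wget.exe", "arsiv.exe", "verclsid.exe"}
CONTACTED_HOSTS = {h.replace("[dot]", ".") for h in
                   ("www[dot]filmver[dot]com", "www[dot]pornokan[dot]com")}
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)

def is_fake_flash(data: bytes) -> bool:
    """High-confidence check: file content matches a published hash."""
    return (hashlib.md5(data).hexdigest() == FAKE_FLASH_MD5
            or hashlib.sha1(data).hexdigest() == FAKE_FLASH_SHA1)

def dropped_name_hits(image_paths):
    """Low-confidence check: wget.exe and verclsid.exe are also legitimate
    program names, so a hit is a lead to examine, not a verdict."""
    return sorted(p for p in image_paths
                  if ntpath.basename(p).lower() in DROPPED_NAMES)

def contacted_host_hits(log_lines):
    """Return (line_number, host) for each log line naming a listed host."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for host in HOST_RE.findall(line):
            if host.lower() in CONTACTED_HOSTS:
                hits.append((number, host.lower()))
    return hits

# Constructed sample data (hypothetical paths and log format).
SAMPLE_PROCESSES = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Users\alice\AppData\Roaming\Arsiv.exe",
    r"C:\Windows\System32\svchost.exe",
]
SAMPLE_DNS_LOG = [
    "10:00:01 10.0.0.5 query example.org A",
    "10:00:02 10.0.0.5 query " + sorted(CONTACTED_HOSTS)[0] + " A",
]

if __name__ == "__main__":
    print(is_fake_flash(b"constructed, harmless bytes"))
    print(dropped_name_hits(SAMPLE_PROCESSES))
    print(contacted_host_hits(SAMPLE_DNS_LOG))
```

A hash match identifies only this exact file; a repacked variant would need the name and host checks, which should be confirmed by examining the file's location and signature.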