Blog de Zscaler

Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler

Suscribirse
Security Research

Facebook Malware Campaign

image
JULIEN SOBRIER
January 03, 2013 - 1 Min de lectura
We're seeing a massive campaign of malware distribution through Facebook look-a-like pages that started just before the new year.
 
Image
Malicious page distributing malware
These pages are using the free DNS and hosting provider .tk. This provider has been used for many spam and malware campaigns in the past. Here are some of the domains used:
  • janejcfprofile.tk
  • natalieclolyu.tk
  • rosemaryrloveyouur.tk
  • sabrinadjoyys.tk
  • catherineufcitisfun.tk
  • rosemaryiiqsuper.tk
  • laurenaensweety.tk
  • carlyqwowdv.tk
So far, we've seen several hundred of such sites. They prompt the user to download a file with various names, such as:
  • YouWhoreGIF.exe
  • YouNiceJPG.exe
  • IamNiceBMP.exe
  • IamNicePNG.exe
  • YouFunnyJPEG.exe
  • IamLolBMP.exe
  • and may more
Image

Only 1 AV vendor detects them as malicious at this time!

Looking at the source code, all the .tk domains load their content from another website through an IFRAME, with content from:
  • liwwh.eqeki.com
  • ngdy.hrdhm.org
  • lsmxz.totyn.net
  • cnpz.nukoq.com
  • ...
These pages then redirect to a third URL on 208.131.138.217, hosting the malicious executable:
  • 208.131.138.217/132.html
  • 208.131.138.217/208.html
The malicious file is generated by http://208.131.138.217/imagedl.php.

As usual, do not run files downloaded on random Internet pages.
form submtited
Gracias por leer

¿Este post ha sido útil?

Reciba las últimas actualizaciones del blog de Zscaler en su bandeja de entrada

Al enviar el formulario, acepta nuestra política de privacidad.