
Does your mate send smut vids on Facebook? 1. That's a bit weird. 2. It may be malware

PwC bod warns of fake Flash upgrades doing the rounds

A security researcher is warning of an ongoing attack against Facebook users in which a phony Flash Player download tries to take over their computers.

The distribution mechanism is fairly commonplace – a video message purporting to be pornography is sent to someone on Facebook, and suggests a Flash upgrade is required to play the grumble flick.

The user is tricked into downloading a plugin that is in fact malware, which then spams itself out to the user's friends list and installs a keylogger to capture useful information – like webmail and bank account passwords.

"We have been monitoring this malware for the last two days. It could infect more than 110,000 users only in those two days and it is still on the rise. This malware keeps its profile low by tagging fewer than 20 users in each round of posts," said Mohammad Faghani, a senior consultant at PricewaterhouseCoopers, in a mailing list post to the Full Disclosure infosec hangout – albeit using his personal email account.

"In the new technique, which we call 'Magnet,' the malware gets more visibility to potential victims by tagging the friends of the victim in the malicious post. A tag may be seen by friends of the victim's friends as well, which leads to a larger number of potential victims. This will speed up the malware propagation."

Once installed on a Windows PC, the malware harvests the user's data and tries to communicate with the server behind the filmver.com and pornokan.com domains for more instructions.

According to samples submitted to antivirus engines, the software nasty is called "bon joueur" and uses the Windows Registry to start up whenever the user logs in. It calls itself Chromium.exe and Google Chromium, and is known to AV software as a generic dropper: that means it probably downloads more malware to install, such as the keylogger, once it's running.
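For anyone wanting to check a Windows PC for the logon persistence described above, here is an added PowerShell check (example code, not part of the article or the researcher's findings) that lists Run-key entries whose name or command matches the reported "Chromium" naming and records where the file lives and its hash; the Program Files allow-list is an assumption for illustration.

```powershell
# Added example: enumerate the per-user and per-machine logon Run keys and
# flag entries resembling the "Chromium.exe" / "Google Chromium" names the
# article reports. The "Chromium" pattern comes from the article; treating
# Program Files as a trusted root is an assumption for this illustration.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$suspectPattern = 'Chromium'
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell metadata
        $value = [string]$p.Value
        if ($p.Name -notmatch $suspectPattern -and $value -notmatch $suspectPattern) { continue }

        # Recover the executable path: quoted path, or first whitespace token
        $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split '\s+')[0] }

        $inTrustedRoot = $false
        foreach ($root in $trustedRoots) {
            if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true }
        }
        $location = if ($inTrustedRoot) { 'under Program Files' } else { 'OUTSIDE Program Files - review' }
        $hash = if (Test-Path $exe) { (Get-FileHash -Path $exe -Algorithm SHA256).Hash } else { '<file missing>' }

        [PSCustomObject]@{
            Key      = $key
            Name     = $p.Name
            Command  = $value
            Location = $location
            SHA256   = $hash
        }
    }
}
```

An entry launching from a user-writable folder such as AppData or Temp rather than a normal install directory is the one to examine further; the SHA256 can be checked against the antivirus submissions the article mentions.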

Quite where that 110,000 figure comes from is unclear, however, since counting malware infections is notoriously tricky. It looks likely to be a somewhat overoptimistic figure – scams like this are not uncommon and computer users are getting wise to them.

Facebook has also been making serious efforts to deal with malware being spread on its platform. Its in-house security team regularly conducts penetration testing against other departments and the company even had a wall of shame for staff who had been caught out.

"We use a number of automated systems to identify potentially harmful links and stop them from spreading," Facebook told The Register in a statement.

"In this case, we're aware of these malware varieties, which are typically hosted as browser extensions and distributed using links on social media sites. We are blocking links to these scams, offering cleanup options, and pursuing additional measures to ensure that people continue to have a safe experience on Facebook." ®
