
9/05/2012

[Caution] Malicious files spreading disguised as Facebook images

1. Introduction

The INCA Internet response team detected malicious files disguised as messages sent from Facebook. Facebook is a social networking service launched in February 2004, owned and operated by Facebook, Inc. As of June 2012, Facebook has over 955 million active users, more than half of them using Facebook on a mobile device. Security threats against SNS have increased as the number of Facebook users has grown. Facebook users therefore need to understand these threats and be careful with e-mail attachments. Because social engineering, understood to mean the art of manipulating people into performing actions or divulging confidential information, is used consistently, users need to stay alert to malicious behavior.



2. Spreading path

[Warning] Malicious e-mails disguising as image file were found.
http://en-erteam.nprotect.com/2012/07/warning-malicious-e-mails-disguising-as.html

[Warning] Malicious personal message from fake LinkedIn friend
http://en-erteam.nprotect.com/2012/06/warning-malicious-personal-message-from.html

[Warning] Malicious files are spreading through Facebook chat window
http://en-erteam.nprotect.com/2012/02/warningmalicious-files-are-spreading.html

Fake e-mails claiming to come from Twitter or Facebook are found at irregular intervals. The technique is a classic one, yet it remains the strongest way to spread malicious files. The case reported on Aug. 28, 2012 is as follows.


The methods used to create and propagate malicious files are very sophisticated. The following e-mail was sent on Aug. 29, 2012. In addition, the recipient's mail address is hidden.


Each e-mail carries a malicious file as a ZIP attachment; the file names are "New_Photo_with_You_on_Facebook_PHOTOIDJKG3JSP0.zip" and "Your_Friend_New_photos-updates_id929690899.zip".

Each ZIP file contains a malicious executable.


The archives contain "New_Photo_with_your_friend_on_Facebook.jpeg.exe" and "Your_Friend_New_Photos-and-Updates.jpeg.exe". If the user has enabled the option to hide known file extensions, the .exe part is invisible and the file appears to be a .jpeg image.
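As an added example (not part of the original report and not INCA Internet's detection logic), the following Python sketch shows how a mail filter could flag ZIP attachments whose members use the double-extension trick described above. The extension lists and the helper names are assumptions chosen for illustration, and the sample archive is constructed in memory with harmless placeholder content.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions a user expects to be harmless images or documents (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".docx"}


def masquerading_members(zip_bytes):
    """Return member names whose last extension is executable while the
    one before it imitates an image or document type (e.g. .jpeg.exe)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Keep only the base name; Windows ignores trailing dots and spaces.
            base = PurePosixPath(info.filename.replace("\\", "/")).name.rstrip(". ")
            suffixes = [s.lower() for s in PurePosixPath(base).suffixes]
            if (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
                    and suffixes[-2] in DECOY_EXTS):
                hits.append(info.filename)
    return hits


def build_sample_zip(names):
    """Build an in-memory ZIP with placeholder content (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"placeholder, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip([
        "New_Photo_with_your_friend_on_Facebook.jpeg.exe",  # name from the report
        "holiday.jpeg",   # constructed benign entry
        "setup.exe",      # plain executable, no decoy extension
    ])
    for member in masquerading_members(sample):
        print("suspicious:", member)
```

The check reads only the archive's directory of file names, so nothing is extracted or executed while scanning.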


When the malicious file is executed, it creates "svchost.exe" in the "All Users" folder and performs malicious behaviors such as collecting or leaking device information.


The INCA Internet response team has added these patterns to our AVS, so users need to update to the latest version to stay safe from these malicious files.

3. Summary

Spreading fake e-mails that claim to come from Twitter or Facebook is a classic technique, yet it remains the strongest way to spread malicious files. To use your PC safely despite the threat of these malicious attachments, we recommend that you download the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus SW from a trustworthy security company, keep its engine updated to the latest version, and use the real-time detection function.
3. Do not open or download attached files from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and treats various variant files.

Free installation link of nProtect AVS : http://avs.nprotect.com/
