Evil Evil Facebook Messages
Written by Robert Robert   
Friday, 26 March 2010 20:27

Evil Evil Facebook Messages... (3/26/2010)

Someone I know received a Facebook message from a friend, she thought it looked weird and sent it to me. This is the analysis I did on the link.

The message was just a link, but it didn't look like a link you are probably familiar with.

"hxxp://3569823810//cute.clips/?" (I've removed the string on the off chance they can trace it to the message :) )

This number, 3569823810, is actually an IP address written in decimal notation. Translated from decimal to dotted form it is 212.199.48.66, which according to GeoIP is in Tel Aviv, Israel.
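The conversion is just base-256 arithmetic on the 32-bit address, and the same legacy address parser that accepts a bare decimal integer also accepts hexadecimal (0x...) and leading-zero octal forms. The following is an added example, not code from the original post: it converts in both directions and scans a message body for links whose host is written as an integer, which is a cheap thing to flag in anything that inspects inbound messages. The message text and link regex are constructed for the example.

```python
"""Decode integer-form IPv4 hosts hidden in links (added example, not from the post)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Matches http(s) links and the defanged hxxp form used in the post.
LINK_RE = re.compile(r"\b(?:h(?:tt|xx)ps?://[^\s\"'<>]+)", re.IGNORECASE)


def decimal_to_dotted(value: int) -> str:
    """Render a 32-bit integer as a dotted quad (most significant octet first)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} does not fit in 32 bits")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_to_decimal(dotted: str) -> int:
    """Inverse of decimal_to_dotted: 'a.b.c.d' -> a*2^24 + b*2^16 + c*2^8 + d."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"{dotted!r} is not a dotted quad")
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value


def decode_numeric_host(host: str) -> Optional[str]:
    """Return the dotted quad if the host is a bare decimal, 0x-hex or 0-octal
    integer (the forms a browser's legacy address parser accepts); otherwise None."""
    h = host.strip().lower()
    if re.fullmatch(r"0x[0-9a-f]+", h):
        return decimal_to_dotted(int(h, 16))
    if re.fullmatch(r"0[0-7]+", h):
        return decimal_to_dotted(int(h, 8))
    if re.fullmatch(r"[0-9]+", h):
        return decimal_to_dotted(int(h, 10))
    return None


def flag_numeric_host_links(text: str) -> List[Tuple[str, str]]:
    """Return (link, decoded_dotted_quad) for every link whose host is an integer."""
    findings = []
    for link in LINK_RE.findall(text):
        # urlsplit needs a real scheme to find the host; undo the hxxp defanging.
        normalized = re.sub(r"^h(?:xx|tt)p", "http", link, flags=re.IGNORECASE)
        host = urlsplit(normalized).hostname or ""
        dotted = decode_numeric_host(host)
        if dotted:
            findings.append((link, dotted))
    return findings


# Constructed sample message containing the link from the post plus a normal link.
SAMPLE_MESSAGE = (
    'omg look at this "hxxp://3569823810//cute.clips/?" '
    "and also http://www.example.com/video"
)

if __name__ == "__main__":
    print(decimal_to_dotted(3569823810))          # 212.199.48.66
    for link, dotted in flag_numeric_host_links(SAMPLE_MESSAGE):
        print(f"integer host in {link} -> {dotted}")
```

A dotted-quad host like 212.199.48.66 is deliberately left alone by decode_numeric_host; the point is to surface the obfuscated spelling, not to flag every raw IP.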

Once the original link is put into the browser (IE), the browser accepts the decimal IP value and we are taken to a fake YouTube site. This site is humorous because it's called YuoTube (LOL). It is hosted on a different IP from the first one, and that IP seems to change on each visit: 88.186.204.57 and 99.92.176.9 were observed.

This site claims to have some great video, but you are unable to view it because you don't have the latest "Adobe Flash Player 10.37", and you have to click here to upgrade.

Once clicked, the site pushes a file called setup.exe (aren't they always..)
Size: 64,512 bytes

This program then starts talking out a lot.

DNS: www.signyourweb.com = 81.223.238.227
DNS: norrbotten.adventkyrka.se = 212.112.177.130
DNS: saratogasteakhouse.com = 70.35.30.26
DNS: xboxfreegames.com = 195.5.161.128
DNS: wt-egypt.com = 67.228.194.20
DNS: brevard-fl.com = 209.114.220.8
DNS: www.shg-fibromyalgie.com = 81.223.238.227

And of course:
DNS: Facebook.com
DNS: www.Facebook.com
DNS: fbcdn.net

Some of the more interesting GET requests made:

GET /.sys/?Action=ldgen&
GET /.sys/?getexe=p.exe
GET /.sys/?getexe=hosts2.exe
GET /.sys/?getexe=go.exe
GET /.sys/?getexe=v2webserver.exe
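The DNS names and the /.sys/ request pattern above are the kind of thing worth matching in proxy logs, since the beacon shape (an ldgen check-in followed by getexe fetches) is more stable than any single host. The following is an added example, not code from the original post: it scans a constructed proxy log format, matches hosts against the names listed above, and decodes the /.sys/ query to say which stage was seen. The post does not say which host served which request, so the pairing in the sample lines is constructed for illustration.

```python
"""Flag Koobface-style beacon requests in proxy logs (added example, not from the post)."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Hostnames the sample resolved during the capture, as listed in the post.
WATCHLIST = {
    "www.signyourweb.com", "norrbotten.adventkyrka.se", "saratogasteakhouse.com",
    "xboxfreegames.com", "wt-egypt.com", "brevard-fl.com", "www.shg-fibromyalgie.com",
}

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_request(url: str) -> List[str]:
    """Return the reasons a request looks like Koobface traffic (empty if none)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in WATCHLIST:
        reasons.append("host on Koobface watchlist")
    # The C2 path from the capture is /.sys/ with the action in the query string.
    if parts.path.rstrip("/") == "/.sys":
        qs = parse_qs(parts.query, keep_blank_values=True)
        if "getexe" in qs:
            reasons.append(f"Koobface payload fetch: getexe={qs['getexe'][0]}")
        elif qs.get("Action") == ["ldgen"]:
            reasons.append("Koobface ldgen beacon")
        else:
            reasons.append("Koobface C2 path /.sys/")
    return reasons


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each log line and keep the requests that classify_request flags."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip lines that are not in the expected format
        timestamp, client, _method, url, _status = match.groups()
        reasons = classify_request(url)
        if reasons:
            findings.append({"time": timestamp, "client": client, "url": url, "reasons": reasons})
    return findings


# Constructed sample log: two beacon requests, one normal Facebook page, one unrelated site.
SAMPLE_LOG = [
    "2010-03-26T20:27:01Z 10.0.0.15 GET http://www.signyourweb.com/.sys/?Action=ldgen& 200",
    "2010-03-26T20:27:03Z 10.0.0.15 GET http://www.signyourweb.com/.sys/?getexe=p.exe 200",
    "2010-03-26T20:27:05Z 10.0.0.15 GET http://www.facebook.com/home.php 200",
    "2010-03-26T20:27:09Z 10.0.0.22 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["url"], "; ".join(hit["reasons"]))
```

The path check fires on its own, so a fresh host that serves the same /.sys/?getexe= sequence is still caught even though it is not on the watchlist.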

Most security people would automatically recognise this as Koobface, a program used to gather information about users and spread other malicious programs.

The sole purpose of this setup.exe is to go out and communicate with multiple Koobface infections across the globe and pull down whatever programs the operators are currently attempting to push; this could be keyloggers, fake AV, or anything else.

This is very profitable for the groups running Koobface, because they get paid to push a given program to a certain number of computers.

In short, if something looks suspicious on social networking, it probably is...
