ritchie58 Posted May 13, 2013

We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A.

The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox. When installed, it attempts to update itself using the following URLs:

Chrome browser: du-pont.info/updates/<removed>/BL-chromebrasil.crx
Mozilla Firefox browser: du-pont.info/updates/<removed>/BL-mozillabrasil.xpi

Note: Updated versions of this threat have been verified and are still detected as Trojan:JS/Febipos.A.

To begin with, this Trojan monitors a user to see if they are currently logged in to Facebook. It then attempts to get a configuration file from the website <removed>.info/sqlvarbr.php. The file includes a list of commands of what the browser extension will do. Depending on the file, this malware can do any of the following in the Facebook profile of an infected system:

Like a page
Share
Post
Join a group
Invite friends to a group
Chat to friends
Comment on a post

At the time of writing this blog, we have also seen the following behavior. The configuration file contains a command to post the following message in Facebook:

GAROTA DE 15 ANOS VÍTIMA DE BULLYING COMETE SUICÍDIO APÓS MOSTRAR OS SEIOS NO FACEBOOK
Vídeo no link abaixo: <Currently unavailable link>

It is written in Portuguese and here's an English translation:

15 YEAR-OLD VICTIM OF BULLYING COMMITS SUICIDE AFTER SHOWING HER BREASTS ON FACEBOOK.
Video on the link below: <Currently unavailable link>

The above URL is unavailable and already blocked by Facebook.

We also found this threat tries to "like" and "comment" on a Facebook page. It also attempts to comment on a post from this Facebook page with one of the following messages, written in Portuguese:

Tenha um Celta 0km pagando R$13,00 por dia!!
English translation: Get a brand new Celta paying R$13 per day!!

Concurso valendo um Vale-Compras de R$1000,00!
English translation: R$1000-voucher contest!

Note: This message may vary depending on the configuration file.

As we can see on the Facebook page, there's a link that has been shared with about 165 comments and 167 likes. There is a possibility that these people are infected with Trojan:JS/Febipos.A.

This trojan may also send out the following message via chat, posts or comments:

Desculpa ai galera, mas isso eh um absurdo!!!
English translation: Sorry guys, but this is ridiculous!!!

Sonzinho sensação do momento. Muito show!!
English translation: The coolest tune at the moment. It's really nice!

Léo Max e Renan - Rebolada de Gama (Clipe Oficial)
English translation: <song title> (Official Clip)

Eu, não tenho carro do ano, não tenho grana sobrando, mas chego junto e... ♫♫
English translation: I don't have a new car, I don't have spare cash, but I get really close...

It may also post links on Facebook profiles. For example, the posted link from the Facebook page in the image above redirects to a website that sells cars.

At the time this blog was written, there were more users "liking" and "commenting" on the Facebook page that this malware uses, so there's a possibility that there are more people continuing to be infected. The number of "likes" for this page grew as we analyzed this malware. When we began analysis the page statistics looked like this:

Facebook page likes: 2,746
Facebook shared link likes: 167
Number of comments: 165

After several hours this had risen to:

Facebook page likes: 3,177
Facebook shared link likes: 201
Number of comments: 183

All of the information above is what we found at the time of our analysis. There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time. In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection.

Jonathan San Jose
MMPC

Here is a related article from CNET: http://news.cnet.com/8301-1009_3-57584111-83/microsoft-warns-of-new-trojan-hijacking-facebook-accounts/?tag=nl.e757&s_cid=e757&ttag=e757
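The post gives two concrete indicators for this extension: it self-updates from du-pont.info rather than from the browser vendor, and it acts inside the logged-in Facebook session. As an added example (not part of the MMPC post or the forum thread), the script below applies those indicators to Chrome extension manifests, flagging any extension whose update_url is not Chrome's Web Store endpoint (clients2.google.com) and, more strongly, any such extension that also runs content scripts on facebook.com. The three manifests are constructed samples; the REDACTED path segment stands in for the part the post removed, and Firefox XPI metadata is not parsed here.

```python
import json
from urllib.parse import urlparse

# Host named in the MMPC post as the extension's self-update location.
KNOWN_BAD_UPDATE_HOSTS = {"du-pont.info"}
# Web Store extensions update from Google's endpoint; anything else means the
# extension was side-loaded and takes updates from a third party.
WEB_STORE_UPDATE_HOST = "clients2.google.com"


def _hosts_from_patterns(patterns):
    """Extract hostnames from Chrome match patterns such as https://*.facebook.com/*."""
    hosts = set()
    for pat in patterns:
        if pat == "<all_urls>":
            hosts.add("<all_urls>")
            continue
        # urlparse rejects "*" as a scheme, so normalise "*://host/..." first.
        normalised = "http://" + pat[len("*://"):] if pat.startswith("*://") else pat
        netloc = urlparse(normalised).netloc.lower()
        if netloc:
            hosts.add(netloc)
    return hosts


def _touches_facebook(hosts):
    return any(h == "<all_urls>" or h.endswith("facebook.com") for h in hosts)


def triage_manifest(manifest):
    """Return a list of findings (strings) for one Chrome manifest given as a dict."""
    findings = []
    update_url = manifest.get("update_url")
    update_host = urlparse(update_url).netloc.lower() if update_url else ""
    if update_host in KNOWN_BAD_UPDATE_HOSTS:
        findings.append(f"update_url host {update_host} is a known Febipos indicator")
    elif update_host and update_host != WEB_STORE_UPDATE_HOST:
        findings.append(f"update_url points at third-party host {update_host}")

    script_hosts = set()
    for cs in manifest.get("content_scripts", []):
        script_hosts |= _hosts_from_patterns(cs.get("matches", []))
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    host_perms = [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    host_perms += manifest.get("host_permissions", [])
    perm_hosts = _hosts_from_patterns(host_perms)

    third_party_updates = bool(update_host) and update_host != WEB_STORE_UPDATE_HOST
    if third_party_updates and _touches_facebook(script_hosts | perm_hosts):
        findings.append("runs code on facebook.com and self-updates from outside the Web Store")
    return findings


def triage_all(manifests):
    """Map extension name -> findings, omitting extensions with nothing to report."""
    result = {}
    for m in manifests:
        found = triage_manifest(m)
        if found:
            result[m.get("name", "<unnamed>")] = found
    return result


# Constructed sample manifests; none of these are real extensions.
SAMPLE_MANIFESTS = [json.loads(s) for s in (
    '{"name": "Benign Blocker (constructed)", "manifest_version": 2,'
    ' "update_url": "https://clients2.google.com/service/update2/crx",'
    ' "content_scripts": [{"matches": ["https://*.facebook.com/*"], "js": ["block.js"]}]}',
    '{"name": "Facebook Video Plugin (constructed)", "manifest_version": 2,'
    ' "update_url": "http://du-pont.info/updates/REDACTED/BL-chromebrasil.crx",'
    ' "permissions": ["tabs", "*://*.facebook.com/*"],'
    ' "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["bg.js"]}]}',
    '{"name": "Dev Helper (constructed)", "manifest_version": 3,'
    ' "update_url": "https://updates.example.com/ext.xml",'
    ' "content_scripts": [{"matches": ["https://localhost/*"], "js": ["dev.js"]}]}',
)]

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_MANIFESTS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

On a real host the dicts would come from each extension's manifest.json under the Chrome profile's Extensions directory; the Web Store check is the generally useful part, while the host blocklist is only as good as the indicators fed into it.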
Zurchiboy Posted May 13, 2013

This piece of malware can hijack the user's profile and use it to post and chat with others? Does Immunet detect this?
ritchie58 (Author) Posted May 14, 2013

That was the reason for the posting: to inform Immunet Forum members and to make sure that this malware's definition signature is added to the database.
Zurchiboy Posted May 14, 2013

Would a strong HIPS be able to protect against this?
ritchie58 (Author) Posted May 15, 2013

It's hard to say whether a HIPS program would detect this Trojan, since it's disguising itself as a browser extension. It may go undetected since it's working from within the browser itself as a seemingly legitimate extension checking for updates.