Facebook worm targets Mac and Windows users (June 1, 2011)

SonicWALL UTM found reports of a new Facebook malware targeting Mac OS X and Windows users. At the time of writing this alert, the malware is actively spreading through Facebook via a fake viral video.

A few weeks back we saw the first Rogue AV malware targeting Mac & Windows users via poisoned Google search results. This is the first instance of a Facebook clickjacking worm targeting Mac and Windows users alike, via a fake controversial video claiming to be of IMF boss Dominique Strauss-Kahn. The video is in reference to the news story that made headlines a few weeks back. This is a classic example of malware authors utilizing social engineering techniques to target a large number of users via social media.

screenshot

If a Mac user clicks on the video, they are redirected to a Fake AV landing page that runs an animation imitating an Apple security center malware scan and eventually reports fake infections. It then prompts the user to download and install Rogue AV in order to clean up the infections, as seen below:

screenshot

screenshot

screenshot

Besides displaying fake infection alerts, it also randomly opens pornographic websites in the browser from a predetermined list. This Rogue AV is similar in functionality to MACDefender except that it does not prompt the user for an administrator password in order to install. We were also able to confirm that this new Rogue AV variant evades the latest Apple security update.

If a Windows user clicks on the video, they are redirected to a fake YouTube look-alike site that prompts them with a fake message to update Adobe Flash player in order to view the video. If the user runs the Flash update from that site, they will download and install a Trojan executable, as seen below:

screenshot

The dropped malware files for both Windows and Mac have very low AV detection at the time of writing this alert.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: MacDefender.A (Trojan)
  • GAV: MacDefender.FB (Trojan)
  • GAV: MalAgent.E_8 (Trojan)