A singular Facebook Trojan has already infected nearly 110,000 Facebook users

Pierluigi Paganini January 30, 2015

A security researcher is investigating a new strain of Facebook Trojan that in just two days has already infected 110,000 Facebook users.

Social networks represent a privileged attack vector for malware-based attacks. A recent investigation conducted by the security researcher Mohammad Faghani revealed the existence of a Trojan circulating among Facebook users. According to the researcher, the Trojan has already infected nearly 110,000 Facebook users in two days by spreading itself through a malicious link.

Faghani explained that the Facebook Trojan spreads itself by posting links to a pornographic video from the accounts of unaware victims who have previously been infected.

The Trojan tags the infected user’s friends in an enticing post. When a user opens the post, they see a preview of a porn video, which eventually stops and asks them to download a (fake) Flash player to continue the preview. Unfortunately, the bogus application is the downloader of the Facebook Trojan.


Faghani is still investigating this Facebook Trojan and will provide further details via Full Disclosure in the coming weeks.

The MD5 of the executable file (fake flash player): cdcc132fad2e819e7ab94e5e564e8968

The SHA1 of the executable file (fake flash player): b836facdde6c866db5ad3f582c86a7f99db09784

The fake flash file drops the following executables as it runs:

  • chromium.exe
  • wget.exe
  • arsiv.exe
  • verclsid.exe
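
The indicators above can be turned into a simple host sweep. The following is an added example, not code from the researcher or from the original article: it hashes every file under a directory and compares it with the published MD5 and SHA1, and separately flags the four dropped file names. The function names and the demo files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Indicators taken from the article; the names are the four dropped executables.
IOC_MD5 = "cdcc132fad2e819e7ab94e5e564e8968"
IOC_SHA1 = "b836facdde6c866db5ad3f582c86a7f99db09784"
DROPPED_NAMES = {"chromium.exe", "wget.exe", "arsiv.exe", "verclsid.exe"}


def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests, reading the file once in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def sweep(root, ioc_md5=IOC_MD5, ioc_sha1=IOC_SHA1, names=DROPPED_NAMES):
    """Walk root and return sorted (severity, reason, path) findings.

    A hash match identifies the exact sample ("high"). A file-name match is
    only a lead ("low"): wget.exe and verclsid.exe are also the names of
    legitimate programs.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha1 = file_digests(path)
            except OSError:
                continue  # unreadable or locked file: skip, keep sweeping
            if md5 == ioc_md5 or sha1 == ioc_sha1:
                findings.append(("high", "hash", path))
            elif name.lower() in names:
                findings.append(("low", "name", path))
    return sorted(findings)


def demo():
    """Run the sweep over constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("ARSIV.EXE", b"constructed"), ("notes.txt", b"benign")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [(sev, why, os.path.basename(p)) for sev, why, p in sweep(root)]
```

Treat a "low" finding as a prompt to check the file's location and signature, not as proof of infection.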

Pierluigi Paganini

(Security Affairs – Facebook Trojan, social network)


