Facebook unnamed app: Hackers poison search results

Thanks to Clu-blog reader Jamie for contacting me regarding a scare that is currently spreading bewteen Facebook users.

 

Users of the social-networking site are warning each other of what is rumoured to be a rogue application, spying on their activities on Facebook. Users are told in the warning that they can find the “Unnamed app” by going to “Settings”/”Application Settings” and then choosing “Add to Profile” from the drop-down box.

 

Here’s a typical example of the message that is being passed around:

ALERT >>>>> Has your facebook been running slow lately? Go to "Settings" and select "application settings", change the dropdown box to "added to profile". If you see one in there called "un named app" delete it... Its an internal spybot. Pass it on. about a minute ago...i checked and it was on mine.

Sure enough, when I went to look on a Facebook account I found an “Unnamed app”:

However, I’m not seeing any evidence that the application is malicious. Indeed, it seems to me that the only sin it may have committed might be to have been given a daft unhelpful name. According to Facebook itself, it appears to be a buggy presentation of the boxes tab that appears on users’ Facebook profiles.

 

Of course, news of the “dangerous” app is spreading more quickly than the sensible advice for everyone to calm down and have a nice cup of tea. And, as a result, many people are searching the internet trying to find clues about the Facebook application.

 

It is at this point that the malicious hackers enter the story.

 

Just as they have done with other Facebook scares (like the Facebook Fan Check Virus scare and the Error Check System application), hackers have created webpages stuffed with keywords related to the “Unnamed” (sometimes “Un named”) app.

 

This and other search engine optimisation (SEO) techniques have helped hackers push their webpages high into the upper reaches of search results.

 

And if you happen to stumble across one of these malicious sites after searching for information about the “Facebook Unnamed app” you might find yourself infected by fake anti-virus software, designed to trick you out of your hard-earned cash.

 

Sophos detects the malware seen on these infected webpages as Mal/FakeVirPk-A.

 

By Graham Cluley, Sophos

 

 

8 Things You Probably Didn’t Know About KOOBFACE

You’ve probably read or heard about KOOBFACE malware propagating through social networking sites such as Facebook, MySpace, and Twitter. A lot of analysis is available online through blogs or malware descriptions. But I bet most of you probably still do not know some or all of these things about KOOBFACE.

 

1. KOOBFACE knows: KOOBFACE has the capability to steal whatever information is available in your Facebook, MySpace, or Twitter profile. Profile pages of these social networking sites may contain information about one’s contact details (address, email, phone), interests (hobbies, favorite things), affiliations (organizations, universities), and employment (employer, position, salary). So beware, KOOBFACE knows a lot!
2. KOOBFACE doesn’t just know you through your profile information, they also know what you look like!: Not only does the botnet steal profile information, it also makes sure to put a face to the name by getting one’s profile picture as well.
3. URLs leading to KOOBFACE malware are either in compromised or free Web hosting sites: Yep, call them cheap but the guys behind KOOBFACE are making good use of compromised and free Web hosting sites in spamming KOOBFACE-related URLs. These URLs are spammed in social networking sites with catch phrases like “funny video,” which lead to a fake YouTube or Facebook site, which then leads to KOOBFACE malware.
4. KOOBFACE zombies are made into Web servers on top of being social networking site spammers: KOOBFACE installs a Web server component into infected machines, which effectively makes the infected machine part of the malware’s distribution network. Infected machines serve fake YouTube or Facebook pages, which then lead to the KOOBFACE malware.
5. KOOBFACE zombies are able to distribute repackaged versions of the malware: KOOBFACE Web servers are able to use UPX, a popular executable packer program, to pack (compress) the KOOBFACE binaries they serve.
6. Half of KOOBFACE infections occur in the United States: This is not surprising since majority of the social networking site users reside in the United States.
7. KOOBFACE is able to block IP addresses: Probably in an effort to protect itself against takedown or snooping by curious researchers, KOOBFACE implemented a blockIP routine where traffic coming from a particular IP range is blocked.
8. KOOBFACE is able to defeat Facebook’s spam filtering: Facebook, MySpace, and Twitter have recently implemented a spam-filtering mechanism where known spam URLs are blocked. KOOBFACE tries to circumvent this by first testing if a KOOBFACE spam URL is blocked by Facebook or not.

So there, some things you may not know about KOOBFACE. If this whets your appetite for more information, you may read our research paper The Heart of KOOBFACE: C&C and Social Network Propagation, fresh off the grill from the White Papers section of TrendWatch.

 

by Ryan Flores from trendmicro