Facebook botnet: Is your computer helping it?

MysteryFCM
Administrator
Posts: 7330
Joined: Tue Dec 09, 2003 2:34 am
Windows Version: 10, 8.0, 8.1, 7, Vista, XP
Avant Version: 13.00 Build 23
Default engine: Gecko
IE Version: 7.x, 8.x, 9.x, 10.x, 11.x
Skin: AthenX
Location: Newcastle Upon Tyne, UK
Contact:

Post by MysteryFCM » Thu Nov 26, 2009 5:46 pm

Facebook botnet: Is your computer helping it?
I've just received several more Facebook e-mails that point to URLs hosted on a botnet, and both steal your information, load an iFrame to an exploit, and finally, offer you an "update tool", that is the well-known Zbot infection.

Sadly, Outlook 2007 isn't letting my Outlook Export application work properly, so I've had to grab the IPs and such manually (well, via hpObserver ;)).

hpObserver Results
http://hosts-file.net/misc/hpObserver_R ... otnet.html

The URLs

The URL in the e-mail, points to the following;
Read more
http://hphosts.blogspot.com/2009/11/fac ... puter.html

addonsfan
Avantic Elite
Posts: 1940
Joined: Sun Aug 05, 2007 11:56 am
Windows Version: Windows 7
Avant Version: N/A
IE Version: N/A
Location: California, USA
Contact:

Re: Facebook botnet: Is your computer helping it?

Post by addonsfan » Fri Nov 27, 2009 7:53 pm

Someone I know who uses Facebook came to me, and asked me to check out an email for her. It was an email informing her that she had a new message from one of her well known friends, but in the preview of the message (from within the email), she was alarmed to see that something just wasn't right. The writing style (punctuation, unusual typos, etc) was completely different. I investigated it a little bit, and it was an actual email address from Facebook.com. But the friend id within the URL was different, so this wasn't her friend's actual page. I went to the link, but it had been taken down by Facebook.

Know anything about this type of attack? I'm just assuming that the link was a spoofed login field that actually pointed somewhere else, but the link had been taken down before I could get a look... So it remains just an assumption.

Post by MysteryFCM » Fri Nov 27, 2009 8:10 pm

Can you fire me a copy of the email? (Facebook phishing and exploit is nothing new, but there's a ton of variants, including a variant along the lines of the one you mentioned, the newer ones however, lead to exploits and Zbot)

Post by addonsfan » Sun Nov 29, 2009 2:21 am

I sent you a copy... which reminded me, it wasn't a link to her profile, and was a link saved by Facebook. I guess whenever a link passes through Facebook's server, it's logged and moderated later. IMO, it would be better to display a splash page saying, "You are now leaving Facebook" with a link to continue. I think that's what Myspace did to solve this.

edit:
Forgot to hit send, then realized I can't send messages with URLs via PM on this forum. I'm going to send the copy from the "contact us" page on your site.

Post by MysteryFCM » Sun Nov 29, 2009 1:18 pm

Received it, cheers :)

The link leads to malicious content hosted at;

http://4di.info/308/

This leads to an exploit (Koobface from what I'm seeing) at;

http://4di.info/308/?go

It's also related to the Blackhat SEO campaigns I've blogged about :)

Post by addonsfan » Mon Nov 30, 2009 12:37 pm

LOL! Just installed HostsMan, installed all the hosts files from available services... hpHosts was clearly the largest. Nice work.

Post by MysteryFCM » Mon Nov 30, 2009 4:39 pm

Cheers :)
