Archive for January, 2011

Jan 28 2011

Facebook’s new XSS vulnerability

Published under Security Research

According to xssed.com, a new XSS flaw was found in Facebook on January 28, 2011. The vulnerability leaves users at risk of script injection and login phishing. Here is a harmless proof of concept:

https://m.facebook.com/c.php?email=<script>alert('Facebook XSSed')</script>

Attackers could use the flaw to trick users into visiting fake login pages or to redirect them to other websites hosting malicious code.
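The mechanism behind the proof of concept above is that the value of the `email` query parameter is written back into the page without encoding. The following is an added example, not code from the original post or from Facebook: it takes the `email` parameter from the quoted PoC URL exactly as a server would see it, renders it through a hypothetical handler that reflects it verbatim (the vulnerable pattern) and through one that HTML-encodes it first (the fix). The handler functions and the page text they produce are assumptions for illustration.

```python
# Added example (not from the original post): how a reflected XSS such as the one
# reported for m.facebook.com/c.php arises, and how output encoding prevents it.
# The "email" value comes from the PoC URL quoted in the post; the two rendering
# functions are hypothetical stand-ins for the server-side page handler.
import html
from urllib.parse import urlsplit, parse_qs

POC_URL = "https://m.facebook.com/c.php?email=<script>alert('Facebook XSSed')</script>"


def email_param(url: str) -> str:
    """Extract the 'email' query parameter as the server-side code would receive it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("email", [""])[0]


def render_vulnerable(email: str) -> str:
    """Hypothetical vulnerable handler: reflects the parameter verbatim into HTML."""
    return f"<p>We sent a confirmation to {email}</p>"


def render_hardened(email: str) -> str:
    """Hardened handler: HTML-encode untrusted input before placing it in markup.
    quote=True also encodes ' and " so the value is safe inside attributes too."""
    return f"<p>We sent a confirmation to {html.escape(email, quote=True)}</p>"


def contains_live_script(page: str) -> bool:
    """Demo-only check: does the rendered page still contain an unencoded <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    value = email_param(POC_URL)
    print("vulnerable:", render_vulnerable(value))
    print("hardened:  ", render_hardened(value))
```

The encoded version renders the payload as literal text (`&lt;script&gt;...`) rather than executing it. Note that HTML entity encoding is the right fix for an HTML body or attribute context; a value reflected into a JavaScript block or a URL needs the encoding appropriate to that context instead.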

Demo of Facebook affected by XSS vulnerability

At the time of writing, this vulnerability has not been fixed, so users should exercise caution when using Facebook.
Yesterday, January 27, 2011, another XSS vulnerability was found in Facebook; that flaw has already been fixed. XSS has been the main class of vulnerability Facebook has faced in recent years.

Bkis


Jan 17 2011

New ransomware from Russia

Published under Security Research

Over the past few days, many users have fallen victim to a new kind of scam.

The virus is activated when the user runs a file whose icon is identical to that of a popular video player. The Trojan renders the computer unusable, and the machine can only be used again once the victim enters a password to unlock it. The password is obtained by sending an SMS to a phone number at a cost of 400 roubles; if the password is correct, the victim regains control of the computer. Many users have in fact paid in this way to get out of the trouble.

The Trojan uses quite a simple technique. It draws windows on the screen that are set to TOP MOST and displayed in MAXIMIZE mode so that they cover the full screen. It also sets a timer in its program; on each tick, the Trojan re-asserts its windows as TOP MOST so that they always stay in front of other programs' windows. Users are therefore unable to interact with any other window until they enter the correct password to unlock the computer.
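The two observable traits of that technique, a topmost window covering the whole screen and a process that keeps calling SetWindowPos with HWND_TOPMOST on a timer, are what a defender can look for. The following is an added example, not code from the original post or from Bkav, showing a detection heuristic run over a constructed snapshot of top-level windows and a constructed API-call trace. The window records, process names and trace entries are made-up test data (on a real Windows system they would come from EnumWindows/GetWindowLong and an API monitor); the WS_EX_TOPMOST and WS_MAXIMIZE constants are the real Win32 values.

```python
# Added example (not from the original post): a detection heuristic for the
# screen-locker technique described above. SAMPLE_WINDOWS and SAMPLE_TRACE are
# constructed test data standing in for a live window enumeration and an API
# monitor trace; the style constants are the real Win32 values.
from dataclasses import dataclass

WS_EX_TOPMOST = 0x00000008   # extended style: window stays above non-topmost windows
WS_MAXIMIZE = 0x01000000     # style: window is maximized


@dataclass
class Window:
    hwnd: int
    process: str
    style: int
    ex_style: int
    rect: tuple  # (left, top, right, bottom) in screen pixels


def covers_screen(rect, screen_w, screen_h) -> bool:
    """True if the window rectangle spans the entire primary screen."""
    left, top, right, bottom = rect
    return left <= 0 and top <= 0 and right >= screen_w and bottom >= screen_h


def is_locker_candidate(w: Window, screen_w: int, screen_h: int) -> bool:
    """Topmost AND full-screen (maximized or covering the screen) is the locker shape."""
    topmost = bool(w.ex_style & WS_EX_TOPMOST)
    fullscreen = bool(w.style & WS_MAXIMIZE) or covers_screen(w.rect, screen_w, screen_h)
    return topmost and fullscreen


def repeated_topmost_callers(trace, threshold=5):
    """Processes that call SetWindowPos(..., HWND_TOPMOST, ...) at least `threshold`
    times in the trace window, matching the timer-driven re-assertion in the post."""
    counts = {}
    for call in trace:
        if call["api"] == "SetWindowPos" and call["insert_after"] == "HWND_TOPMOST":
            counts[call["process"]] = counts.get(call["process"], 0) + 1
    return {proc for proc, n in counts.items() if n >= threshold}


def find_screen_lockers(windows, trace, screen_w, screen_h):
    """Processes that both own a locker-shaped window and keep re-asserting TOPMOST."""
    suspects = {w.process for w in windows if is_locker_candidate(w, screen_w, screen_h)}
    return sorted(suspects & repeated_topmost_callers(trace))


# Constructed sample: a normal browser window, a legitimate maximized media player
# (no topmost flag, no re-assertion loop) and a fake player that is topmost,
# covers the screen and re-asserts TOPMOST on every timer tick.
SAMPLE_WINDOWS = [
    Window(0x1001, "browser.exe", 0x16CF0000, 0x00000100, (100, 50, 1180, 700)),
    Window(0x1002, "player.exe", 0x16CF0000 | WS_MAXIMIZE, 0x00000000, (0, 0, 1280, 800)),
    Window(0x1003, "fakeplayer.exe", 0x96000000, WS_EX_TOPMOST, (0, 0, 1280, 800)),
]
SAMPLE_TRACE = (
    [{"api": "SetWindowPos", "process": "fakeplayer.exe", "insert_after": "HWND_TOPMOST"}] * 12
    + [{"api": "SetWindowPos", "process": "player.exe", "insert_after": "HWND_TOP"}] * 2
)

if __name__ == "__main__":
    print(find_screen_lockers(SAMPLE_WINDOWS, SAMPLE_TRACE, 1280, 800))
```

Requiring both traits together keeps the heuristic from flagging ordinary full-screen video players or games, which are maximized but do not sit in a loop forcing themselves above every other window; the threshold is an assumed tuning value and should be set from the observed call rate on the monitored system.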

Once the computer is infected, a notification like the one below appears on the victim's screen:

The content of the notification:
Attention:
Your system is blocked because you have violated the Internet usage regulations, possibly for the following reasons: accessing porn websites, recording porn video files. This block is to prevent the spread of erotic content from your personal computer to the Internet.

To remove the block, you need to:
Charge 400 roubles to the Beeline phone account (89654031266). After that, you will receive the password to unlock your computer.

After removing the block, you must remove all illegal content from your computer. If you refuse to pay to the given account, it counts as your second violation, and all of your data will be deleted without any possibility of recovery because your computer is a threat to the Internet.

Bkav detects these Trojans as W32.FakePornC.Trojan and W32.FakePornA.Trojan, both of which belong to the W32.FakePorn.Trojan family.

Prevention:
Passwords to unlock infected computers can often be found on Internet forums: search for the password together with the hacker's phone number. With some luck, you can find the right password to unlock your computer.

To stay clear of this kind of virus, users are advised not to open attachments of unknown origin, particularly executable (.exe) files; not to visit malicious websites or websites with erotic content; and to update their antivirus software regularly.

Nguyen Hong Quang
Malware Researcher
