Archive for May, 2011

May 25 2011

Be Cautious with Facebook’s “Activate Dislike Button”

Published under Security Research

Recently, many Facebook users have been tricked into clicking on “Activate Dislike Button”.
Playing on users’ wish for a Facebook Dislike button, several spam messages about activating such a button have appeared; their aim is to take control of users’ Facebook accounts and use them to spread further spam.

Spam message about “Activate Dislike Button”

If users click on “Activate Dislike Button”, their browsers are redirected to http://lnktrn.ch/dislike, a fake Facebook page that asks users to copy a piece of code and run it in their browsers in order to enable the “Dislike” button.

Imitating Facebook’s instructions

The code is in fact an encrypted piece of JavaScript. On analysis, we found that its job is to send spam messages to the friends of the victim’s Facebook account. The messages read: “Facebook just <keyword> dislike button! Click <onword> ‘Activate Dislike Button’ below to enable it on your <apterm>!”. Here, <keyword> is picked at random from “added the”, “launched” and “released the”; <onword> is either “on” or “On”; and <apterm> is a random choice between “profile” and “account”.
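Because the spam text is generated from a fixed template with only three randomised word slots, a mail or message filter can match every variant with a single pattern. The following is an added example written for this page, not code from the original post: the word alternatives are exactly those listed above, while the function names and the sample messages are constructed for illustration.

```php
<?php
// Added example, not code from the original post: a matcher for the spam
// template described above. The word alternatives are exactly those the post
// lists; the sample messages below are constructed for illustration.

function dislikeSpamPattern(): string
{
    $keyword = '(?:added the|launched|released the)';
    $onword  = '(?:on|On)';
    $apterm  = '(?:profile|account)';
    // The button name may be wrapped in straight or curly quotes depending on
    // how the message was rendered, so accept either kind.
    $quote = '["\'\x{2018}\x{2019}]';

    return '/^Facebook just\s+' . $keyword . '\s+dislike button!\s+Click\s+'
        . $onword . '\s+' . $quote . 'Activate Dislike Button' . $quote
        . '\s+below to enable it on your\s+' . $apterm . '\s*!$/u';
}

function isDislikeSpam(string $message): bool
{
    return preg_match(dislikeSpamPattern(), trim($message)) === 1;
}

// Constructed samples: three template variants and one unrelated message.
$samples = [
    "Facebook just launched dislike button! Click on 'Activate Dislike Button' below to enable it on your profile!",
    "Facebook just added the dislike button! Click On ‘Activate Dislike Button’ below to enable it on your account!",
    "Facebook just released the dislike button! Click on 'Activate Dislike Button' below to enable it on your account !",
    "Did Facebook add a dislike button yet? I cannot find it.",
];

foreach ($samples as $message) {
    printf("%-6s %s\n", isDislikeSpam($message) ? 'SPAM' : 'clean', $message);
}
```

The pattern is anchored at both ends and tolerates the irregular spacing seen in the captured messages (`\s+` between words, optional space before the final “!”), so the three randomised slots are the only variation it has to absorb; the fourth sample shows that an ordinary question mentioning a dislike button is not flagged.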

The code to spread spam

Once the code is activated, the users’ Facebook accounts will be used to propagate similar spam messages.

Massive spam messages are sent from the victims’ accounts

Users are then asked to verify their accounts, another fake request, before the Dislike button can be enabled.

Fake account-verification request

Once the “Continue” button is clicked, users’ browsers are redirected to http://lnktrn.ch/dislike/dislikebutton.php, a page that looks like a Facebook account-verification page. On analysing the page, we saw that it loads a Flash object. However, due to certain errors, the Flash object could not display its content. It is probably meant to prompt users to enter their username and password to log into their Facebook accounts.

The content of http://lnktrn.ch/dislike/dislikebutton.php

So far, there have been no signs that malware is spread through these spam messages. Technically, however, this could easily be done with the JavaScript code described above. Our HoneyPot system continues to monitor this fraud case.
To keep your account secure, be cautious with similar messages, and expect announcements of new features only from Facebook’s official website.

Tran Minh Quang

Malware Researcher


May 21 2011

Impersonating the FBI to Spread Fake Windows Recovery

Published under Security Research

Recently, our HoneyPot has collected a series of spam emails impersonating the FBI (they appear to be sent from the address info40121@fbi.gov). Their threatening content asks the recipient to open the attached file and answer certain questions.

Figure 1: Email content

The attached file is in fact a Trojan. When users open it, the Trojan connects to http://vari[removed]tov.com/pusk.exe to download and execute another piece of malware, which Bkav detects as W32.FakeFBIVariantovLT.Trojan.

FakeFBIVariantovLT constantly displays notifications of hard drive failure:

Figure 2: Warning of hard disk drive errors

According to these warnings, the system appears to be in bad condition and data loss seems imminent. However, “the savior” appears immediately afterwards:

Figure 3: Interface of the “savior” WindowsRecovery

WindowsRecovery claims it will fix these problems and recover all your important data, but you have to pay to buy a license for the software.

Figure 4: Fake domain windows-recovery.com accessed via a fake Internet Explorer window

If you follow the fake software’s instructions, you have fallen victim to a scheme much like that of FakeAV, the fake antivirus software that has been rampant recently. The difference is that this time the malware impersonates recovery software and warns of hard drive failure rather than the usual software errors, showing how the bad guys’ scheme keeps changing.
For comprehensive protection, users are recommended to use licensed antivirus software with regular updates.

Nguyen  Van Long

Malware researcher


May 18 2011

sNews 1.7.1 XSS vulnerability

Published under Security Research

General Information

sNews is a free content management system (CMS) written in PHP and MySQL. It is available at http://snewscms.com/. In April 2011, Bkis Security discovered an XSS (Cross-site Scripting) vulnerability in sNews CMS version 1.7.1. By exploiting it, an attacker might execute malicious code or steal the cookie of the CMS’s administrator.

Details

SVRT Advisory: Bkis 01-2011
CVE reference:
Initial vendor notification: 01/05/2011
Release Date: 12/05/2011
Update Date: 12/05/2011
Discovered by: Cao Xuan Sang – Bkis
Attack Type: XSS
Security Rating: High
Impact: Code Execution
Affected Software: sNews 1.7.1 (possibly some earlier versions as well)

Technical Descriptions

The XSS vulnerability exists in the administrator’s “reorder” functions: Categories reorder, Articles reorder and Pages reorder. Here, the input variables are not adequately checked and filtered before being used in a database query. If a special character is added to the value, the SQL query becomes syntactically invalid, and the resulting error notification is displayed in the browser together with the value of the offending variable and the failed query, which is what makes the XSS possible.

It is administrators who are affected by this vulnerability. Depending on the scenario, an attacker can steal the administrator’s cookie, redirect the browser to a malicious website, and so on.

Solution

sNews’s development team has not yet issued a patch for this vulnerability. Bkis therefore recommends that individuals and organizations using this software fix the flaw with the workaround below:

Search in the file snews.php for the line:

  • $type_id = str_replace($remove, '', $key);

Then add the following line so that the value is trimmed and run through sNews’s XSS and input-cleaning helpers before it reaches the query:

  • $value = clean(cleanXSS(trim($value)));
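The description above boils down to two defects: the raw reorder value reaches the SQL statement, and the error path echoes that value and the query back to the browser unescaped. The snippet below, an added example written for this page and not sNews’s own code, puts the vulnerable shape beside a hardened one so both properties of the fix are visible. The function names, the query text and the stand-in database are assumptions; the sNews helpers clean() and cleanXSS() used in the workaround above are not reproduced here.

```php
<?php
// Added example, not sNews code: the shape of the reorder bug described above
// and a hardened version. Function names, the query and the stand-in database
// are assumptions for illustration.

// Vulnerable shape: the raw value is interpolated into the query and, on a
// syntax error, the query text (including the value) is echoed back unescaped.
function reorderVulnerable(string $id, callable $query): string
{
    $sql = "UPDATE categories SET position = position + 1 WHERE id = $id";
    try {
        $query($sql);
        return 'OK';
    } catch (RuntimeException $e) {
        return 'Error in query: ' . $sql . ' (' . $e->getMessage() . ')';
    }
}

// Hardened shape: a reorder id must be a positive integer, so anything else is
// rejected before a query is built; whatever is rendered back is HTML-escaped
// and the query text and database error never reach the browser.
function reorderHardened(string $id, callable $query): string
{
    if (preg_match('/^[0-9]+$/', $id) !== 1) {
        return 'Invalid id: ' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    }
    $sql = 'UPDATE categories SET position = position + 1 WHERE id = ' . (int) $id;
    try {
        $query($sql);
        return 'OK';
    } catch (RuntimeException $e) {
        error_log($e->getMessage());   // detail stays server-side
        return 'Reorder failed.';
    }
}

// Stand-in for the database: accepts well-formed statements and fails on a
// stray quote, the way a real SQL parser fails on broken syntax.
$fakeDb = function (string $sql): void {
    if (preg_match('/[\'"]/', $sql)) {
        throw new RuntimeException('syntax error near ' . $sql);
    }
};

// Constructed probe: a quote to break the query plus a harmless HTML marker.
$probe = "1'<b>marker</b>";

echo reorderVulnerable($probe, $fakeDb), "\n";   // marker comes back as raw HTML
echo reorderHardened($probe, $fakeDb), "\n";     // marker comes back escaped
echo reorderHardened('42', $fakeDb), "\n";       // a well-formed id still works
```

Validating the id as an integer removes the characters a syntax error depends on, and escaping the reflected value with htmlspecialchars covers any other place the input is rendered; the generic failure message is the part that closes the error-page channel the advisory describes.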

Bkis


May 10 2011

Yahoo! Answers Abused to Spread FakeAV

Published under Security Research

In recent days, our Honeypot has collected some new variants of FakeAV, the malware that impersonates antivirus programs. After monitoring and analyzing these variants, we have discovered a brand new scenario that hackers use to spread this kind of malware.

Hackers have abused many forums and Q&A sites, most of them belonging to the Yahoo! Answers system (answers.yahoo.com), to spread malicious code:

Figure 1: One of the fraudulent answers in Yahoo! Answers

The fraudulent answers usually take one of the following forms:

“Anyway, I think this will help you http://answers-yahoo-z.tk”

“You might find the answer here http://answers-yahoo-z.tk”

or

“Try this http://answers-yahoo-z.tk”

Such answers entice users to visit fraudulent websites posing as Yahoo! Answers.

Figure 2: The interface of the fake website (top image) and the real Yahoo! Answers (bottom image)

There you are asked to download a file that supposedly contains the answer; in fact, it is a FakeAV downloader:

Figure 3:  FakeAV – Security Shield

In addition to Yahoo! Answers, hackers also abuse many other Q&A sites in their malware-spreading campaign.

Figure 4: Many questions abused to spread malware

In such cases, be cautious with any answer that points you to another link, so as not to be deceived by the bad guys.

Trieu Minh Tuan

Malware researcher


May 05 2011

Simulated Interaction for More Effective Virus Spreading via Spam Email

Published under Security Research

Recently, our statistics show that users are more vigilant about email attachments and no longer open attached files straight away. Perhaps that is why the bad guys have made some noticeable improvements to their scam to increase the chance that recipients open them.
Let’s take a look at one pair of spam emails among the many that our Honeypot has collected recently:

Figure 1: The first email in the scam

Figure 2: The second email in the scam (sent some time later)

Have you noticed the relation between these two emails? The first one carries no attachment; its sole purpose is to draw users into an interesting story: someone who knows you via the Internet wants to befriend you and will send you some photos. Once you believe the story, you may not hesitate to open the attachment when the second email arrives. And at that point, sad to say, your computer has been infected with a virus.
With this new scenario, the back-and-forth email exchange and the attractive story help the bad guys achieve their malicious aim by raising the likelihood that the attached file is opened.
Once executed, this virus (detected as W32.FakeHotpics.Worm by Bkav) downloads FakeAV from http://webcontrol-panel.us/l[removed]atch/softpatch.php?afid=154.

P.S.: Many thanks to my colleague MinhNQb for his virus analysis.

Nguyen Cong Cuong

Senior Malware Researcher

