Web blog d'un ingénieur en sécurité informatique. IT Security watcher's blog: news, threats analysis, AV issues, PoC, IT security, bugs... Contact: philippe.vialle@wanadoo.fr
That trick was really about to get me...
The bot would realy make you believe it is your Facebook contact talking to you, but it is not...
I sent the URL to VirusTotal, here are the results: nothing to worry about...
| URL Analysis tool | Result |
|---|---|
| Avira | Clean site |
| BitDefender | Clean site |
| Dr.Web | Clean site |
| G-Data | Clean site |
| Malc0de Database | Clean site |
| MalwareDomainList | Clean site |
| Opera | Clean site |
| ParetoLogic | Error |
| Phishtank | Clean site |
| TrendMicro | Unrated site |
| Websense ThreatSeeker | Unrated site |
| Wepawet | Unrated site |
| Normalized URL: http://213.231.133.56/830578583 |
| URL MD5: 57e229513f552a0ba3775213d1d6b8c6 |
https://www.virustotal.com/url-scan/report.html?id=57e229513f552a0ba3775213d1d6b8c6-1311622558#
Even the "downloaded file" analysis does not show any alert:
| Antivirus | Version | Last update | Result |
|---|---|---|---|
| AhnLab-V3 | 2011.07.26.00 | 2011.07.25 | - |
| AntiVir | 7.11.12.103 | 2011.07.25 | - |
| Antiy-AVL | 2.0.3.7 | 2011.07.25 | - |
| Avast | 4.8.1351.0 | 2011.07.25 | - |
| Avast5 | 5.0.677.0 | 2011.07.25 | - |
| AVG | 10.0.0.1190 | 2011.07.25 | - |
| BitDefender | 7.2 | 2011.07.25 | - |
| CAT-QuickHeal | 11.00 | 2011.07.25 | - |
| ClamAV | 0.97.0.0 | 2011.07.25 | - |
| Commtouch | 5.3.2.6 | 2011.07.25 | - |
| Comodo | 9510 | 2011.07.25 | - |
| DrWeb | 5.0.2.03300 | 2011.07.25 | - |
| Emsisoft | 5.1.0.8 | 2011.07.25 | - |
| eSafe | 7.0.17.0 | 2011.07.25 | - |
| eTrust-Vet | 36.1.8464 | 2011.07.25 | - |
| F-Prot | 4.6.2.117 | 2011.07.25 | - |
| Fortinet | 4.2.257.0 | 2011.07.25 | - |
| GData | 22 | 2011.07.25 | - |
| Ikarus | T3.1.1.104.0 | 2011.07.25 | - |
| Jiangmin | 13.0.900 | 2011.07.25 | - |
| K7AntiVirus | 9.108.4945 | 2011.07.25 | - |
| Kaspersky | 9.0.0.837 | 2011.07.25 | - |
| McAfee | 5.400.0.1158 | 2011.07.25 | - |
| McAfee-GW-Edition | 2010.1D | 2011.07.25 | - |
| Microsoft | 1.7104 | 2011.07.25 | - |
| NOD32 | 6324 | 2011.07.25 | - |
| Norman | 6.07.10 | 2011.07.25 | - |
| nProtect | 2011-07-25.02 | 2011.07.25 | - |
| Panda | 10.0.3.5 | 2011.07.25 | - |
| PCTools | 8.0.0.5 | 2011.07.25 | - |
| Prevx | 3.0 | 2011.07.25 | - |
| Rising | 23.68.00.05 | 2011.07.25 | - |
| Sophos | 4.67.0 | 2011.07.25 | - |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.07.25 | - |
| Symantec | 20111.1.0.186 | 2011.07.25 | - |
| TheHacker | 6.7.0.1.262 | 2011.07.24 | - |
| TrendMicro | 9.200.0.1012 | 2011.07.25 | - |
| TrendMicro-HouseCall | 9.200.0.1012 | 2011.07.25 | - |
| VBA32 | 3.12.16.4 | 2011.07.25 | - |
| VIPRE | 9964 | 2011.07.25 | - |
| ViRobot | 2011.7.25.4587 | 2011.07.25 | - |
| VirusBuster | 14.0.138.0 | 2011.07.25 | - |
| MD5: a6e4771c5a15705054b529d6d9a74c5b |
| SHA1: 8cfbec24fb7623f888b6d6f156d9a8284299d319 |
| SHA256: c91712143eefa0f98daec77036d6a22a2c1633556bfdbe895392ed8b559ad00a |
| File size: 61988 bytes |
| Scan date: 2011-07-25 21:45:21 (UTC) |
https://www.virustotal.com/file-scan/report.html?id=c91712143eefa0f98daec77036d6a22a2c1633556bfdbe895392ed8b559ad00a-1311630321
And the reason is quite simple... there is neither automatic file download, nor drive-by-download. Once again, the user will be lured to download himself the "latest Flash player version"...
Pretty well done, uh? But this is not youtube...
What I find pretty outstanding, is the fact that the "fake youtube" website did grab the Facebook victims's username, and furthermore, fake comments from the victim's contacts are also being displayed below the (fake) video!
Please note that the URL is a single IP address, no domain name! According to Netcraft, the server is being hosted in Bulgaria: http://toolbar.netcraft.com/site_report?url=http://213.231.133.56
So, in order to view the video, the user is supposed to click on the link. I serves a Flash-Player.exe file, hosted on the same HTTP server.
And this time, the AV scans do tell us something interesting:
| Antivirus | Version | Last update | Result |
|---|---|---|---|
| AhnLab-V3 | 2011.07.26.00 | 2011.07.25 | Virus/Win32.AntiAV |
| AntiVir | 7.11.12.103 | 2011.07.25 | TR/AntiAV.oao |
| Antiy-AVL | 2.0.3.7 | 2011.07.25 | - |
| Avast | 4.8.1351.0 | 2011.07.25 | - |
| Avast5 | 5.0.677.0 | 2011.07.25 | - |
| AVG | 10.0.0.1190 | 2011.07.25 | - |
| BitDefender | 7.2 | 2011.07.25 | - |
| CAT-QuickHeal | 11.00 | 2011.07.25 | - |
| ClamAV | 0.97.0.0 | 2011.07.25 | - |
| Commtouch | 5.3.2.6 | 2011.07.25 | - |
| Comodo | 9510 | 2011.07.25 | Heur.Suspicious |
| DrWeb | 5.0.2.03300 | 2011.07.25 | Trojan.Siggen2.58184 |
| Emsisoft | 5.1.0.8 | 2011.07.25 | Trojan.Win32.AntiAV!IK |
| eSafe | 7.0.17.0 | 2011.07.25 | - |
| eTrust-Vet | 36.1.8464 | 2011.07.25 | - |
| F-Prot | 4.6.2.117 | 2011.07.25 | - |
| Fortinet | 4.2.257.0 | 2011.07.25 | - |
| GData | 22 | 2011.07.25 | - |
| Ikarus | T3.1.1.104.0 | 2011.07.25 | Trojan.Win32.AntiAV |
| Jiangmin | 13.0.900 | 2011.07.25 | - |
| K7AntiVirus | 9.108.4945 | 2011.07.25 | - |
| Kaspersky | 9.0.0.837 | 2011.07.25 | Trojan.Win32.AntiAV.oao |
| McAfee | 5.400.0.1158 | 2011.07.25 | Artemis!7A3BC4D258CB |
| McAfee-GW-Edition | 2010.1D | 2011.07.25 | Artemis!7A3BC4D258CB |
| Microsoft | 1.7104 | 2011.07.25 | Backdoor:Win32/Delf.KV |
| NOD32 | 6324 | 2011.07.25 | Win32/Delf.QCZ |
| Norman | 6.07.10 | 2011.07.25 | - |
| nProtect | 2011-07-25.02 | 2011.07.25 | - |
| Panda | 10.0.3.5 | 2011.07.25 | - |
| PCTools | 8.0.0.5 | 2011.07.25 | Net-Worm.SillyFDC!rem |
| Prevx | 3.0 | 2011.07.25 | - |
| Rising | 23.68.00.05 | 2011.07.25 | - |
| Sophos | 4.67.0 | 2011.07.25 | Mal/Generic-L |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.07.25 | - |
| Symantec | 20111.1.0.186 | 2011.07.25 | W32.SillyFDC |
| TheHacker | 6.7.0.1.262 | 2011.07.24 | - |
| TrendMicro | 9.200.0.1012 | 2011.07.25 | - |
| TrendMicro-HouseCall | 9.200.0.1012 | 2011.07.25 | - |
| VBA32 | 3.12.16.4 | 2011.07.25 | - |
| VIPRE | 9964 | 2011.07.25 | FraudTool.Win32.SecurityTool (v) |
| ViRobot | 2011.7.25.4587 | 2011.07.25 | - |
| VirusBuster | 14.0.138.0 | 2011.07.25 | - |
| MD5: 7a3bc4d258cbe30dfb0649ee863fae25 |
| SHA1: 9735e42aed649b87bca6455ddccf92cc563cb17b |
| SHA256: 7a9578ad75913564178f1e5c5be2fade4abb20835ff9ec82eb0716ce7a151c7d |
| File size: 1185280 bytes |
| Scan date: 2011-07-25 21:39:44 (UTC) |
https://www.virustotal.com/file-scan/report.html?id=7a9578ad75913564178f1e5c5be2fade4abb20835ff9ec82eb0716ce7a151c7d-1311629984#
Unfortunately, the URL itself does not trigger so many security systems:
- Internet Explorer (with Trend Micro Browser Guard): no alert
- Firefox 5: no alert
- Chrome 12.0.742: no alert
- Safari 5: no alert.
- Webreputation: "domain not reachable"...
In fact, most of these results are summarized within the VT's "URL analysis tool" report.
While investigating the threat, I noticed they apparently use a stealth system: you can't request access to the domain several times, even using different browsers, of you're gonna be blocked.
This works over HTTP, while the ping (ICMP) still responds.