[ Security Alert ] 22 February, 2013 16:17

Following our previous post, we have found some malicious Chrome browser extensions that generate Likes on Facebook.

Once you click a malicious link embedded in spam mail, messages or any other hyperlink and download the extension, the malware monitors your browser activity. If you are logged into Facebook in the Chrome browser, it sends a GET request to hxxp://goo.gl/iiWeL? (also hxxp://fastotolike.com/yeni.php).

The content of son.js in the extension is as follows:

There are two functions, abone and sayfa2, in hxxp://fastotolike.com/yeni.php; the partial content is shown below:

The function abone tracks (follows) someone:

The function sayfa2 generates Likes for someone:

Why does this malware generate Likes on Facebook? As a security researcher said, "On underground forums in Russia, a page with 100,000 likes sells for about $150 to $200". Yes, obviously for the money.

To keep your internet browsing secure and block malicious connections, we urge our customers to keep the WebGuard signature up to date.

by AegisLab

[ Security Alert ] 06 February, 2013 13:45

AegisLab got some malicious video links from Facebook, as follows:

hxxp://www.facebook.com/pages/Videos-choquantes/115875135259062?sk=app_208195102528120

hxxp://www.facebook.com/pages/Videos-choquantes/116032281910520?sk=app_208195102528120

They all take advantage of your curiosity about an unknown video and lure you into executing a malicious package.

The analysis is as follows:

The subject is "This girl has a spider under the skin and makes it removed!" and the message shown in the pop-up window is:

Update Needed

to watch the latest videos on Facebook you must install this update package.

To begin, click on the button below:

Obviously, the devil wants to lure you to execute the malware.

If the "OK" button is clicked, you get a malicious file: hxxp://dl-b.uni.me/updates/fr_FR/fb13.4.4_fr.exe

After running this file, the message "update already done" is shown in a pop-up window, as follows:

And then one more extension was added to the Chrome browser:

The content of this extension:

A Chrome extension is defined by its manifest.json, and this extension injects malicious scripts.

Analyzing manifest.json, we found:

1. permissions: allow connections to any URL

2. main program: call.js

3. malicious update URL: http://du-pont.info/updates/fr_FR/update.xml
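A defender-side check suggested by the three manifest findings above: an added Python audit script (not AegisLab's code) that flags any-URL permissions, content scripts injected into every site, and an update_url that is third-party or fetched over plain http. The sample manifest is constructed; only the du-pont.info update URL comes from this post, the rest is assumed.

```python
import json
from urllib.parse import urlparse

# Constructed sample manifest modelled on the three findings above:
# any-URL permission, call.js as the main program, a third-party update URL
# (the du-pont.info path is the one quoted in the post; everything else is assumed).
SAMPLE_MANIFEST = """{
  "name": "Facebook Video Update",
  "version": "1.0",
  "manifest_version": 2,
  "permissions": ["http://*/*", "https://*/*", "tabs"],
  "background": {"scripts": ["call.js"]},
  "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["call.js"]}],
  "update_url": "http://du-pont.info/updates/fr_FR/update.xml"
}"""

# Match patterns that grant access to every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Extensions installed from the Chrome Web Store update from this host.
STORE_UPDATE_HOST = "clients2.google.com"


def is_broad(pattern):
    return pattern in BROAD_PATTERNS


def audit_manifest(text):
    """Return (indicator, detail) pairs for the risky traits of one manifest.json."""
    m = json.loads(text)
    findings = []
    broad = [p for p in m.get("permissions", []) if is_broad(p)]
    if broad:
        findings.append(("any-url permission", ", ".join(broad)))
    for cs in m.get("content_scripts", []):
        if any(is_broad(p) for p in cs.get("matches", [])):
            findings.append(("content script injected into every site", ", ".join(cs.get("js", []))))
    scripts = m.get("background", {}).get("scripts", [])
    if scripts:
        findings.append(("background script runs persistently", ", ".join(scripts)))
    update_url = m.get("update_url")
    if update_url:
        parsed = urlparse(update_url)
        if parsed.hostname != STORE_UPDATE_HOST:
            findings.append(("update_url outside the Chrome Web Store", update_url))
        if parsed.scheme == "http":
            findings.append(("update_url fetched over plain http", update_url))
    return findings
```

Run `audit_manifest` over the manifest.json of each unpacked extension in a Chrome profile; a clean Web Store extension with narrow permissions returns an empty list.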


Part of the main program, call.js:

The malicious extension collects your Facebook contacts, adds them as fans, and then spreads malicious links to them.

The best way to reduce the risk from malicious links is to check the link target shown in the browser's status bar before clicking the OK button, whenever possible.

To keep your internet browsing secure and block malicious connections, we urge our customers to keep the WebGuard signature up to date.

by AegisLab