Fake Facebook, Fake Video, Fake CAPTCHA
F-Secure, 2009-10-20
Watching videos in Facebook is a popular activity, so it's not surprising to find dozens of fake copycat sites being used to infect unsuspecting viewers with malware.

Here's one fake Facebook site with a malicious JavaScript that uses the old "Flash Player upgrade installation" trick - but with a slight twist.

As usual, the viewer thinks they're going to see a video, if they just upgrade their Player:

[Image: facebook_vid_malware_1]

But first they have to download and install the "upgrade":

[Image: facebook_vid_malware_2]

The unusual thing is, this "upgrade" comes with a CAPTCHA pop-up:

[Image: facebook_vid_malware_3]

The request is displayed at random times and doesn't actually do anything. Anything entered into the field by the user results in this being displayed:

[Image: facebook_vid_malware_4]

The screen will close after a few tries, but will still continue to appear off and on.

While the user is having dubious fun with the CAPTCHA test, the malware copies a couple of files to C:\Windows, deletes itself and creates a few Registry keys.

[Image: facebook_vid_malware_5]

We detect the malware as Trojan:W32/Agent.MDN.

Our Browsing Protection blocks the whole fake Facebook website entirely. As usual though, be careful when you're surfing.

---
WebSecurity post by - Choon Hong

On 20/10/09 At 06:52 AM



