Wednesday, February 2, 2011

Facebook Photo tricking users to open malware

  The Yahos worm seems to be attempting to infect many more computers recently. While looking through online security honeypots I have noticed a large number of files called facebook-pic(randomnumbershere).exe, a name which at the moment is commonly being used to spread the Yahos worm. The Yahos worm normally spreads through instant messenger and social networking sites.

  The Yahos worm most commonly uses IM services to spread infections. A Yahos-infected machine will normally send a message such as "Foto :D (Malware Link here)", (Malware Link), or "How does this photo look? (Attached Malware file)". The attached file or linked payload normally has the name photo.exe or facebook-pic(random).exe. The normal user would pay no attention to the .exe file extension and would run the file.

  However, now that social networking is being used more often than IM in some places, the common IM worm is getting upgrades. A few newer variants have been spotted using the IM services of Facebook. Most of these worms connect to an IRC server to get bot commands.

 In order to stay safe from these threats: always check the file extension of each file you get, and ask your friend if they really sent the file. If a bot sent it, the bot cannot respond when you ask whether it really was a human sending the file.
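The extension check can also be automated on a chat gateway or mail filter. The sketch below is an added example, not code from the original post: it pulls file names out of links and attachments in a message and flags photo-themed names that carry an executable extension. The names "facebook-pic" and "photo" come from the post; the other lure words, the extension list, the sample messages and the example.test host are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit, unquote

# Extensions Windows runs directly (a common subset, assumed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# "facebook-pic" and "photo" are from the post; the other words are assumed.
LURE_NAME = re.compile(r"(facebook-pic|photo|foto|pic|image|img)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s)\"'>]+", re.IGNORECASE)


def filename_from_url(url):
    """Return the last path component of a URL, percent-decoded, without the query."""
    return PurePosixPath(unquote(urlsplit(url).path)).name


def classify(filename):
    """Return 'lure-executable', 'executable' or 'ok' for a file name."""
    name = filename.strip().rstrip(". ")  # Windows ignores trailing dots and spaces
    suffix = PurePosixPath(name).suffix.lower()  # only the final extension counts
    if suffix not in EXECUTABLE_EXTS:
        return "ok"
    stem = name[: -len(suffix)]
    return "lure-executable" if LURE_NAME.search(stem) else "executable"


def scan_message(text, attachments=()):
    """Return (name, verdict) for every linked or attached file that is not 'ok'."""
    names = [filename_from_url(u) for u in URL_RE.findall(text)]
    names += list(attachments)
    return [(n, classify(n)) for n in names if n and classify(n) != "ok"]


if __name__ == "__main__":
    # Constructed sample messages modelled on the wording quoted in the post.
    samples = [
        ("Foto :D http://example.test/facebook-pic004821.exe", ()),
        ("How does this photo look?", ("photo.exe",)),
        ("Holiday album http://example.test/album/beach.jpg", ()),
    ]
    for text, attached in samples:
        print(repr(text), "->", scan_message(text, attached))
```

A hit on a lure name is only a reason to hold the message and confirm with the sender; the word list needs tuning for the names actually seen in your own traffic.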
