
New Facebook Worm Leverages Cloud Services To Spread Itself

Tuesday, November 10th, 2015

Security researchers have come across a new Facebook worm that leverages multiple cloud services in order to spread itself. The rogue program, which belongs to the Kilim family of malware, was discovered by Jerome Segura, a senior security researcher at Malwarebytes. Kilim is notorious for targeting users of social sites such as Facebook and Twitter (usually through rogue browser extensions), and this newly discovered worm is no different. What sets it apart is the way it obfuscates its links and uses well-known cloud services to propagate itself.

The worm lures Facebook users with the promise of an adult video clip, while in reality the link leads to a malicious EXE file. The URL posted on Facebook is obfuscated with the ow.ly URL shortener, so users have no way of knowing that they are actually clicking on a dangerous link. That ow.ly URL redirects to a second ow.ly URL, which redirects to an Amazon Web Services (AWS) page and then to the actual site set up by the attackers. This site checks the user's browser and device and then redirects desktop users to a Box.com link and mobile users to a fake offer page. It is the Box.com link that prompts the user to download and run the malicious file, after which their computer is infected with the worm.
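The redirect chain described above can be unwound without ever opening the landing page in a browser. The following Python is an added example, not code from the article or from Malwarebytes: it follows redirects one HEAD request at a time (so no payload body is ever downloaded), stops on loops or a hop limit, and flags the pattern the article describes, namely chained shorteners ending at an executable on a trusted cloud file host. The sample URLs, hostnames and host lists are constructed placeholders, since the article does not give the worm's real links.

```python
from urllib import error, request
from urllib.parse import urljoin, urlparse
# Constructed stand-in for live HTTP responses: each key redirects to its value.
# Hostnames and paths are placeholders; the article does not give the worm's real URLs.
SAMPLE_REDIRECTS = {
    "http://ow.ly/AAAAA": "http://ow.ly/BBBBB",
    "http://ow.ly/BBBBB": "https://s3.amazonaws.com/example-bucket/land.html",
    "https://s3.amazonaws.com/example-bucket/land.html": "http://attacker.invalid/gate.php",
    "http://attacker.invalid/gate.php": "https://app.box.com/s/EXAMPLE/video.exe",
}
SHORTENERS = {"ow.ly", "bit.ly", "goo.gl", "t.co"}
FILE_HOSTS = {"app.box.com", "s3.amazonaws.com", "www.dropbox.com"}
EXEC_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".js")
class _NoRedirect(request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # None makes urllib raise HTTPError instead of following the redirect
def http_resolver(url, timeout=5, ua="Mozilla/5.0"):
    """Live resolver: one HEAD per hop, no body downloaded; the gate branches on UA."""
    req = request.Request(url, method="HEAD", headers={"User-Agent": ua})
    try:
        request.build_opener(_NoRedirect()).open(req, timeout=timeout)
        return None  # 2xx without a redirect: this hop is the final URL
    except error.HTTPError as err:
        loc = err.headers.get("Location") if 300 <= err.code < 400 else None
        return urljoin(url, loc) if loc else None
def expand_chain(url, resolver=SAMPLE_REDIRECTS.get, max_hops=10):
    """Walk redirects hop by hop; stop at the final URL, a loop, or the hop limit."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if nxt is None:
            return chain, "final"
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "hop_limit"

def assess_chain(chain):
    """Flag the traits the article describes: chained shorteners, cloud-hosted executable."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    final, findings = urlparse(chain[-1]), []
    n_short = sum(h in SHORTENERS for h in hosts)
    if n_short >= 2:
        findings.append(f"{n_short} chained URL-shortener hops")
    if final.path.lower().endswith(EXEC_SUFFIXES):
        findings.append("final hop delivers an executable: " + final.path.rsplit("/", 1)[-1])
    if (final.hostname or "") in FILE_HOSTS:
        findings.append("payload hosted on trusted cloud service " + final.hostname)
    return findings
```

Pass `resolver=http_resolver` to walk a real link; because the attackers' gate page branches on browser and device, run it with both a desktop and a mobile User-Agent to see both branches.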

The worm doesn't sit idle after infecting a computer; it performs several additional steps to spread itself and cause more damage. For instance, it downloads additional components, including a rogue Google Chrome extension that can record, control and even restrict browsing activity. The worm also spreads by posting links to the same video clip on the walls of all of the user's contacts, and it is believed to be able to post messages, like pages, send direct messages and follow users. In effect, the infected machine becomes part of a botnet that can participate in large DDoS attacks and be leveraged for monetary gain.

Segura says the creators of the worm have gone to great lengths to keep their activities hidden. He also noted that the file downloaded via Box.com is very small; its only job is to download additional components from the attackers' sites. This lets the attackers keep updating the worm and take advantage of the latest security loopholes in their attacks, and the use of trusted cloud services lets the worm propagate without being blocked by service providers or content delivery networks.

After Segura published the details of the worm on his blog, Box and Amazon swung into action to contain the damage. Box said it has deleted files related to the worm from its servers, while Amazon said the worm's activities have been contained. Facebook is also actively blocking the links and working to ensure that the worm doesn't spread through its site. Meanwhile, you should avoid clicking on suspicious links on Facebook to stay safe from threats like this one.
