
Facebook trojan?

In Random fun stuff on Thursday 3rd September, 2009 by Guy

I’m getting weird messages on Facebook from my friends — yes, even weirder than usual. Once today I got a “message” and another time a “gift”, and was duly informed on both occasions through the Facebook notification bar. Except the links for the “message” and the “gift” were not to another page on facebook.com, but rather to fastredbk.info — specifically to fastredbk.info/lagin.php. The domain was registered on the 1st of September by domainsbyproxy.com, who specifically offer a service to ensure that whoever owns a domain is kept anonymous.

When I clicked on the first “message” I was presented with all sorts of errors, possibly PHP-related ones, but I’m not sure. I don’t think my computer or my account was infected in any way… but then it must be affecting people somehow, so maybe that was just a diversion tactic to lull me into a false sense of security. If it didn’t attack my account, why other people but not me? I’m using Firefox on Linux: could that be related?

I haven’t seen many other references to this online, so is it just me (always a strong possibility) or did something similar happen to anyone else?

UPDATE: One other blogger has mentioned this (in Swedish) and a couple of comments here have confirmed it. How does it work? Is it dangerous? And is Facebook doing anything to stop it?

FURTHER UPDATE: “curl”-ing to the URL above yields:

Warning: mysql_connect() [function.mysql-connect]: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) in /var/www/lagin.php on line 37

Warning: mysql_select_db() [function.mysql-select-db]: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) in /var/www/lagin.php on line 38

Warning: mysql_select_db() [function.mysql-select-db]: A link to the server could not be established in /var/www/lagin.php on line 38

Warning: mysql_query() [function.mysql-query]: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) in /var/www/lagin.php on line 39

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /var/www/lagin.php on line 39
errorstring(84) "Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)"
SELECT a.url, a.template_id
FROM application a
WHERE a.status = 1 AND template_id=7 ORDER BY rand()
LIMIT 1

I don’t know how to quote the original HTML, but the above looks like what I saw earlier, so it was actually MySQL errors that I witnessed. Is it something Facebook can stop?


10 Responses to “Facebook trojan?”

  1. I got one as well. I really hope it’s not a virus.

  2. I got one today too; the icon looked like a gift but the notification was that I had a message. When I saw that the address it was trying to load was not on Facebook, I stopped it immediately, so I don’t know whether those php errors you report would have resolved for me. Right now I’m not finding anything about it other than this page, so it must be a new attack (presuming it’s an attack, that is).

  3. Hi! I’m the Swedish guy who wrote about the what-I-presume-is-a Facebook worm.

    It seems the bogus message links only appear in the notification menu in the lower right corner. The “message” never appears in the inbox.

    The friend who unknowingly sent me the link told me he got a message himself, clicked it, ended up at a broken “My photos” page and closed it. In the meantime he had sent a bunch of links to his Facebook friends.

    Seems like a CSRF that exploits a bug in the notification service.

    /John

  4. After a little more poking around, I suspect that it’s a new incarnation of “rogue apps” that were reported two weeks ago (first on Trend Micro and later on CNet News). Here’s an article from CNet about them:
    http://news.cnet.com/8301-27080_3-10313618-245.html

  5. Hi Michelle, thanks for your research. Reading the article, though, it doesn’t strike me as the same phenomenon, because that required installing the rogue app. Here, unless I’m mistaken (and John’s story fits with this), only clicking on the rogue notification is required. Perhaps it’s a cross-site scripting (XSS) attack?

  6. I rather think it’s a cross-site request forgery than a cross-site scripting attack.

    My take on this:
    The suspicious site ‘fastredbk’ knows that anyone accessing it is simultaneously logged on to Facebook, since that’s where the links are spread. fastredbk contains a request to facebook.com. That request will be issued in the victim’s browser, thus using the victim’s Facebook account. The request is a one-click attack that sends notifications to all the victim’s friends, attaching a link back to fastredbk.

    Then of course fastredbk can contain various kinds of malware to exploit vulnerable browser plug-ins and such. So victims might well be compromised as well as spread the worm on to their friends.

    As I said, the explanation above is just my guess.
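A constructed model of the cross-site request forgery John describes in comments 3 and 6, added here as an example and not code from this post or from Facebook: a notification-sending endpoint that trusts the session cookie alone, beside the same endpoint hardened with a POST-only rule, an Origin/Referer check and a per-session synchronizer token. The session store, friend list and host names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.facebook.com"   # the site whose endpoint is protected
# Constructed session store and friend list (hypothetical, not real Facebook data).
SESSIONS = {"sess-victim": {"user": "victim", "csrf_token": secrets.token_hex(16)}}
FRIENDS = {"victim": ["alice", "bob", "carol"]}

def vulnerable_send_notification(request):
    """Cookie-only auth: any page the logged-in victim visits can make the
    browser issue this request, and the server accepts it as the victim."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return {"status": 401, "sent_to": []}
    return {"status": 200, "sent_to": FRIENDS[session["user"]], "link": request["params"].get("link")}

def same_origin(url):
    """Compare scheme and host exactly; a prefix check would pass lookalike hosts."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

def hardened_send_notification(request):
    """Same endpoint with the standard CSRF defences layered on top."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return {"status": 401, "sent_to": []}
    # 1. A state-changing action must not be reachable through a plain GET link.
    if request["method"] != "POST":
        return {"status": 405, "sent_to": [], "reason": "GET not allowed"}
    # 2. The browser-set Origin (Referer as fallback) must be our own site.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not same_origin(origin):
        return {"status": 403, "sent_to": [], "reason": "cross-site origin"}
    # 3. Synchronizer token: a third-party page cannot read it (same-origin policy).
    token = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return {"status": 403, "sent_to": [], "reason": "bad csrf token"}
    return {"status": 200, "sent_to": FRIENDS[session["user"]], "link": request["params"].get("link")}

def cross_site_request(method="GET"):
    """What the victim's browser sends when a third-party page triggers the
    request: the session cookie is attached automatically, Origin is that page's."""
    return {"method": method, "headers": {"Origin": "http://third-party.example"},
            "cookies": {"sid": "sess-victim"}, "params": {"link": "http://third-party.example/lagin.php"}}

def same_site_request(link):
    """What the site's own UI sends: same cookie, plus the per-session token."""
    return {"method": "POST", "headers": {"Origin": SITE_ORIGIN}, "cookies": {"sid": "sess-victim"},
            "params": {"link": link, "csrf_token": SESSIONS["sess-victim"]["csrf_token"]}}
```

The vulnerable handler accepts the cross-site request and fans the link out to every friend, which is exactly the worm-like spread described; each of the three checks in the hardened handler stops it on its own.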

  7. Hi, I’ve been keeping an eye on this tonight because I was also caught out. By the looks of things it’s just Facebook information it’s stealing. Do you think there’s any threat to our passwords for other sites?

  8. I received a notification that I had a gift from a friend. Clicked it, it showed the same website URL, but nothing happened. I am using Windows 7 with Google Chrome.

    I have McAfee anti-virus on my computer as well. I tried doing an update and it said that my gdeltaavv.ini file was corrupt and could not update the DAT. I ran it again and it downloaded fine. Coincidence? I have no idea.

    I changed my Facebook password on another machine and I’m running a full system scan. Any other suggestions?

  9. Thanks for sharing! I received a notification this morning, and your site was the first one I checked out! : ) – Captured a screen cap and posted it to photobucket and on FB to share with friends. I’ve also sent it along to FB support.

    Thanks again!
    -Mark

  10. Same just happened to me although the website is urlpulse.net, not the one you mention. Right after I clicked it, I closed the tab and a few minutes later my News feed and the right side with the updates just basically disappeared. Gah, why do people do this? =(
