Malware Spreads Through Facebook Tag Scam

Intel security has recently observed a malware spreading through Facebook. This type of malware is not new, but it keeps evolving using new spreading mechanisms.

A few days ago, we came across a Facebook post with this subject:

[Username] shared a link – with [Another username] and 19 others

The link was disguised as a pornographic video to entice viewers. We have found that a number of people are infected by this malware.

This malware uses the following script to get the user id and Facebook DTSG value:

The fb_dtsg is a request identifier that is unique to each Facebook request. It is also known as a cross-site request forgery (CSRF) token. (A CSRF is a type of malicious exploit of a website in which unauthorized commands are transmitted from a user that the website trusts. You can read more about CSRF here).

The following malware code randomly selects friends to tag:



The following script selects a random porn image from its control server and displays it to the user:




This scam lures curious Facebook users to the compromised website, which then attempts to trick them into installing malicious browser extensions and other malware to view the adult video. When users visit the link to view the video, the malware prompts them to download a fake Adobe Flash Player update, which in turn downloads the executable servant.exe on the victims’ machines in the %appdata% folder and executes it.

We can see the actual payload, downloaded from hxxp://exusers.com, in the network traffic shown below. Facebook is already aware of this malicious domain and is working out with their antimalware partners to detect this malware.



The downloaded payload creates a run registry entry to execute itself every time Windows starts.

The payload also creates the following files on a victim’s machine:

• c:\documents and settings\administrator\application data\microsoft\protect\S-1-5-21-117609710-1801674531-725345543-500\preferred
• c:\documents and settings\administrator\application data\microsoft\protect\s-1-5-21-1844237615-2111687655-839522115-500\4532158e-ef11-42f9-813c-ddbb4f02c848

This behavior gives the malware author backdoor access to the system.

After successful installation and delivery, the malware modifies victims’ browsers to keep the malware updated and to block users from accessing certain security websites. The malicious browser extension blocks URLs that include any of the following keywords:



While browsing these, victims may see the following error message:

This malware is different from other social media malware in some techniques. Previously this type of malware spread through victims’ chat windows and infected victims’ friends. Once victims’ friends are infected, the malware could go one step further and infect the friends of the initial victims’ friends. The following screen shows how the malware was propagated through chat messages:

With this new technique, the malware gains more visibility with potential victims as it tags 20 friends of each victim in the malicious post instead of sending personal chat requests. In this case, the tag may be seen by friends of the victim’s friends as well, which leads to a larger number of potential victims. Thus the malware propagates more quickly.

In addition to keeping antimalware protection up to date, users should practice safe browsing techniques, such as avoiding unfamiliar links that redirect outside of Facebook, even if those links are shared by a trusted friend.

Intel security detects this malware as BackDoor-FBUS starting with DAT Version 7781.