We received reports from our colleagues in Hong Kong yesterday about more malware being distributed on Facebook.
If you're a Facebook user, you may get a message such as this, supposedly from a "friend". Since the message was sent by a friend, the likelihood that you would click on the link is much higher. Upon clicking the link, you would be redirected to a hi5.com site that looks something like the one below.
Not surprisingly, the website will tell you that you need to update your Adobe Flash Player by downloading a file. Of course, no matter how many times you try, you don't get to see the video. You do get infected though.
When we investigated this yesterday, the links were down and obtaining a sample for analysis was not possible at that point in time. Thanks to Lordian however - who tried again after being woken up by his neighbors late last night — we succeeded in obtaining a sample, which is detected as Net-Worm.Win32.Koobface.bp. Depending on the user agent, Net-Worm.Win32.Koobface.bm might also be served up.
Incidentally, if you are using any platform other than Windows, you just get redirected to the real YouTube.
It looks as if Facebook is increasingly becoming a popular target for all sorts of attacks. You can read through the numerous topics on this issue at the Facebook Public Discussion Board. Do note that some of the discussion topics include live links though, so be careful what you click.
On a related note, we've noticed that there is a Facebook phish, live at
faceiibook.com and registered in China.
(F-Secure)