Facebook Fake AV Malware Again

On the topic of social media and Facebook in particular, a very complex and effective fake Anti-Virus campaign is targeting Facebook users. Like most of the cruft that targets Facebook users, it starts with contact by a Facebook friend using the social network’s chat feature. “Hi. How are you? It is you on the video? Want to see?” asks the “friend”, offering a link to a YouTube page. Intrigued, the target follows the link and sees that the video, with the target’s name in the title, has apparently been commented on both positively and negatively by a bunch of their Facebook friends.

Of course, the target cannot view the video because they appear to be “missing an Adobe Flash Player update”, according to a message written over the blank space where the video is supposed to be displayed.   The file offered for download is Trojan.FakeAV.LVT.   This little miscreant copies itself as %windir%\services32.exe and as %windir%\update.X\svchost.exe, where update is a hidden directory and X is the version of the malware. It then adds a registry key in %SYSTEM% and the malicious code is either added to the list of authorized applications for the software firewall, or it disables the firewall altogether.  Finally it disables all notifications generated by the firewall, the update module, and whatever antivirus it finds installed on the PC, according to BitDefender.
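A defender-side check for the two file copies described above, as an added example that is not from the original post or from BitDefender. It assumes the versioned folder name literally begins with "update." and the function names are hypothetical; the directory tree in demo() is constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def is_hidden(path):
    """True if the Windows 'hidden' attribute is set (always False elsewhere)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_fakeav_artifacts(windir):
    """Return (path, reason) pairs for the two file copies named in the post."""
    root, hits = Path(windir), []
    if not root.is_dir():
        return hits
    for entry in sorted(root.iterdir()):
        name = entry.name.lower()
        if entry.is_file() and name == "services32.exe":
            hits.append((entry, "services32.exe directly in the Windows directory"))
        # Assumption: the versioned folder is literally named "update.<version>".
        elif entry.is_dir() and name.startswith("update."):
            # The genuine svchost.exe lives under System32, never here.
            for child in sorted(entry.iterdir()):
                if child.is_file() and child.name.lower() == "svchost.exe":
                    state = "hidden" if is_hidden(entry) else "not hidden"
                    hits.append((child, f"svchost.exe in {state} folder {entry.name}"))
    return hits


def demo():
    """Scan a constructed directory tree (not real malware) and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp) / "Windows"
        for rel in ("System32/svchost.exe", "services32.exe", "update.1/svchost.exe"):
            target = win / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"")  # empty placeholder file
        return [(p.relative_to(win).as_posix(), why)
                for p, why in find_fakeav_artifacts(win)]


if __name__ == "__main__":
    # On Windows this scans the live %windir%; elsewhere it runs the demo tree.
    windir = os.environ.get("WINDIR")
    results = find_fakeav_artifacts(windir) if windir else demo()
    for path, why in results:
        print(f"{path}: {why}")
```

A hit here only confirms the file names match; given the firewall and antivirus tampering described above, a clean result from a running system does not prove the machine is clean.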

This malware makes the effort to detect which legitimate AV solution the user has installed, and displays customized warning messages that mimic what the legitimate solution would present.  So clever, and so deviant.  Someone deserves a beating.  Of course it “scans and finds” a virus on the system, and asks the user to reboot so that it can clean up the mess.  Unfortunately, the reboot triggers the system to boot into safe mode, allowing the malware to uninstall the legitimate AV solution, and then the system is rebooted into normal mode.  The system is now completely vulnerable, and a downloader component launches to quietly download additional malware from an array of URLs.

The malware agent contains a list of IPs of other infected systems which will be used for exchanging malware, creating a fully-fledged malware distribution system with peer-to-peer update capabilities.  These IP lists are updated regularly so infected systems are always in contact, and constantly exchanging malicious code.

Once a system is compromised by such a vicious malware agent, it should never be fully trusted again. If you are the unlucky recipient of this insidious and devastating attack, my recommendation to you is to back up ONLY your most important data to SACRIFICIAL MEDIA, and to nuke the system to bare metal. Because your AV was compromised and the malware causes reboots and loadpoints to be activated, there is no telling what the additional payloads may have done. Assume the worst: root-kits, password captures, and keystroke logging. Reformat your hard drives, including the Master Boot Records (MBR), and do the same for any removable media that you have used on that system. Media that can’t be sanitized should simply be destroyed. Otherwise you are taking chances that malware will still exist on your computer, and be able to load before your Operating System and any defensive software that you install. That means you might as well not install it at all.

Now you know why I’m not real fond of malware or its authors.  Stay thirsty my friends…

One thought on “Facebook Fake AV Malware Again”

  1. Thanks for this post on the dangers of malware. At AVG, we understand the need to have security measures in place as malware can be hidden in a number of places, including familiar websites and social networks. As malicious software continues to develop and become less detectable we advise our users to have security protection in one form or another. For free security solutions or to join the discussion on online security, why not pay us a visit?

    Maria Arenillas
    Community Manager at AVG
