Dirty Facebook worm cuts itself in half to evade detection

Facebook distributing malware is nothing new, nor are shortened URLs for obfuscation, in-the-cloud servers for anonymity or porn as a lure. However the latest Kilim-family variant which hit Facebook last week uses all of them and with a twist: this worm keeps cutting itself in half to evade detection.


Jerome Segura, security researcher at Malwarebytes, spotted the worm using Facebook with a lure of what appeared to be a link to a pornographic video which, unsurprisingly, actually links to a malicious executable instead. If clicked, this kicks off the social media infection process by leveraging that user's contacts, who see a message posted by the victim promising some very dubious pornographic photos. This is where the link-chopping starts, with the URL being obfuscated by the use of the ow.ly URL shortening service.

That in itself is not newsworthy; however, the multi-layer redirection architecture, which uses ow.ly in conjunction with multiple cloud platforms (Amazon Web Services and Box.com), is.

Click on the shortened link and it immediately redirects to another shortened link which, in turn, redirects to an AWS page in the cloud that passes the user request on to a malicious site. This site then redirects the user to a link on Box.com which initiates a download prompt. Download that file and run it and the user is infected, in effect becoming a bot which spreads the original ow.ly link to their social circle on Facebook.
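As an added illustration of the redirection architecture just described (example code written for this page, not from the article, Malwarebytes or SCMagazineUK.com): a defender-side link unwrapper that follows each hop's Location header without downloading any body, tags shortener, cloud-hosted and executable hops, and scores the chain. The hop table, hostnames and URLs are constructed placeholders; for live use the `fetch` callable would be replaced by a HEAD request with redirect-following disabled.

```python
from urllib.parse import urljoin, urlparse
# Constructed hop table standing in for live HTTP responses so this runs offline; it mirrors
# the article's chain (ow.ly -> ow.ly -> AWS -> lure site -> Box.com download); placeholder URLs only.
SAMPLE_HOPS = {
    "http://ow.ly/aaaa": (301, "http://ow.ly/bbbb"),
    "http://ow.ly/bbbb": (301, "https://s3.amazonaws.com/example-bucket/go.html"),
    "https://s3.amazonaws.com/example-bucket/go.html": (302, "http://lure.example/landing"),
    "http://lure.example/landing": (302, "https://app.box.com/s/example-share"),
    "https://app.box.com/s/example-share": (302, "/shared/static/example.exe"),  # relative
    "https://app.box.com/shared/static/example.exe": (200, None),
}
SHORTENERS = {"ow.ly", "bit.ly", "t.co"}     # ow.ly is from the article; the rest are common
CLOUD_HOSTS = ("amazonaws.com", "box.com")  # AWS and Box.com, as named in the article
EXEC_SUFFIXES = (".exe", ".scr", ".bat", ".cmd")
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10

def classify(url):
    """Tag one hop as shortener, cloud-hosted and/or an executable download."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    tags = []
    if host in SHORTENERS:
        tags.append("shortener")
    if any(host == c or host.endswith("." + c) for c in CLOUD_HOSTS):
        tags.append("cloud")
    if parsed.path.lower().endswith(EXEC_SUFFIXES):
        tags.append("executable")
    return tags

def resolve_chain(start, fetch=lambda u: SAMPLE_HOPS.get(u, (404, None))):
    """Follow Location headers without fetching bodies; `fetch(url)` -> (status, Location)."""
    chain, url, seen = [], start, set()
    while url not in seen and len(chain) < MAX_HOPS:   # loop and depth guards
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status, classify(url)))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # Location may be relative to the current hop
    return chain

def risk_summary(chain):
    """Score the chain: several redirect layers ending on an executable is the article's pattern."""
    tags = [t for _, _, ts in chain for t in ts]
    ends_exe = bool(chain) and "executable" in chain[-1][2]
    return {"hops": len(chain), "shortener_hops": tags.count("shortener"),
            "cloud_hops": tags.count("cloud"), "ends_in_executable": ends_exe,
            "flag": len(chain) >= 3 and ends_exe}
```

Running `risk_summary(resolve_chain("http://ow.ly/aaaa"))` on the constructed table reports six hops, two shortener hops, three cloud hops and a final executable, which is the shape a link-inspection control would want to block before the download prompt ever appears.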

Adam Winn, manager at OPSWAT, thinks that blaming shortened URLs as a factor in this malware is misguided though. "I believe the target users would be almost as likely to click on the un-obfuscated URL," Winn told SCMagazineUK.com, adding, "furthermore, they had to take additional steps to become infected: clicking on a link to an unknown page, downloading an EXE file, running that file."

Philip Lieberman, CEO of Lieberman Software, argues that this attack provides an insight into the psychology of the victim, and that link shorteners play their part.

"It overcomes link integrity/trust checks used by end-point protection by hiding the start of the chain needed to stop the initial launch," he told SC, continuing, "the use of multiple cloud providers in the local geography also overcomes IP address trust verification by the end point." Indeed, Lieberman describes the attack as an excellent example of how ineffective firewalls and end-point protection are in the real world. "The only mitigation is to accept the new reality and toughen the interior of the environment with changes in network design (air gaps), aggressive proactive identity management to implement privilege access and least privilege so as to survive these attacks," Lieberman insists. The machines will still get compromised, but the broad consequences can be minimised by the appropriate use of multi-factor authentication combined with additional internal bastions, proxies and VPNs.

SCMagazineUK.com understands that the attack itself has now been halted, with both AWS and Box removing the files and sharing privileges for the malicious accounts, while Facebook has been blocking associated links on the social media platform.