Emsisoft | Security Blog

Emsisoft warns: Zbot trojan spreads via fake Facebook friend requests

Every Facebook user is familiar with the e-mail notification that someone wants to add them as a friend. These notifications now deserve some care: our malware analysis team has found them being imitated as a tactic to infect users with malicious software.

In this case we received a phishing e-mail with the subject “Kaamil Mahmoud wants to be friends on Facebook.”. The message looks like a genuine notification, but its “Confirm Friend Request” link does not lead to facebook.com. Instead it points to the following address (written with hxxp here so that it is not clickable): hxxp://session49778166786155.downtohole.com/confirm/req/

The link leads to a fake Facebook page that displays the message “Your version of Macromedia Flash Player is too old to continue. Download and install the latest version of Adobe Flash Player”. When the user clicks “Download and Install”, the browser downloads a file named updateflash.exe. It is not a Flash installer: it contains the well-known Zeus trojan, also known as Zbot.

Unfortunately, declining to run the file does not mean the victim escapes infection. The fake Facebook page also loads a second address, hxxp://vampirefishsd.com, in the background through a hidden iframe. That site hosts an exploit script belonging to the BlackHole exploit kit, so the browser is attacked as soon as the page is displayed, whether or not the download is accepted.
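The two tricks described above (a link whose visible text promises Facebook while its href goes elsewhere, and an iframe sized or styled so the user never sees it) are easy to check for mechanically. The following is an added example written for this article, not code from Emsisoft or from the original post; it uses only the Python standard library, and the two HTML inputs are constructed samples modelled on the e-mail and landing page described here, not the actual captured files. It normalises defanged hxxp:// links so URLs copied from reports can be fed in directly.

```python
"""Flag phishing e-mail links that do not really go to the claimed site,
and hidden iframes on a landing page that pull in a drive-by exploit."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample inputs modelled on the post (not the original e-mail/page).
SAMPLE_EMAIL_HTML = """
<p>Kaamil Mahmoud wants to be friends on Facebook.</p>
<a href="http://session49778166786155.downtohole.com/confirm/req/">Confirm Friend Request</a>
<a href="https://www.facebook.com/">Go to Facebook</a>
"""

SAMPLE_LANDING_PAGE_HTML = """
<p>Your version of Macromedia Flash Player is too old to continue.</p>
<a href="updateflash.exe">Download and Install</a>
<iframe src="http://example.com/banner" width="468" height="60"></iframe>
<iframe src="http://vampirefishsd.com/" width="1" height="1" style="visibility:hidden"></iframe>
"""


class _Collector(HTMLParser):
    """Gathers anchors (href plus visible text) and iframe attribute sets."""

    def __init__(self):
        super().__init__()
        self.links = []     # [href, visible text] per anchor
        self.iframes = []   # attribute dict per iframe
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._in_anchor = True
            self.links.append([attrs["href"], ""])
        elif tag == "iframe":
            self.iframes.append(attrs)

    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def _host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_mismatched_links(html, claimed_domain="facebook.com"):
    """Return (visible text, href) for every link not hosted on claimed_domain."""
    parser = _Collector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        normalised = re.sub(r"^hxxp", "http", href, flags=re.I)  # undo defanging
        host = urlparse(normalised).hostname or ""
        if not _host_matches(host, claimed_domain):
            suspicious.append((text.strip(), href))
    return suspicious


def _is_hidden(attrs):
    """Hidden by a 1x1 (or smaller) size, or by CSS on the element itself."""
    def tiny(value):
        try:
            return int(str(value).rstrip("px")) <= 1
        except ValueError:
            return False
    style = re.sub(r"\s+", "", (attrs.get("style") or "").lower())
    return (tiny(attrs.get("width") or "") and tiny(attrs.get("height") or "")) \
        or "display:none" in style or "visibility:hidden" in style


def find_hidden_iframes(html):
    """Return the src of every iframe the user would not see."""
    parser = _Collector()
    parser.feed(html)
    return [a.get("src") or "" for a in parser.iframes if _is_hidden(a)]


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link {text!r} really points to {href}")
    for src in find_hidden_iframes(SAMPLE_LANDING_PAGE_HTML):
        print(f"hidden iframe loads {src}")
```

Run against the samples, the first function reports only the “Confirm Friend Request” link, since the footer link really is on a facebook.com host, and the second reports only the vampirefishsd.com iframe. The size and CSS checks are deliberately simple: an iframe can also be hidden by an off-screen position or by a stylesheet rule, so treat this as a triage aid rather than a complete detector.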

Whois records show that vampirefishsd.com was registered only a few days ago:

Created On: 8/23/2011 3:38:46 PM
Expires On: 8/23/2012 3:38:46 PM
Last Updated On: 8/23/2011 3:38:46 PM
Domain Status:

Registrant [PAK11082372783-1]:
Minette Bazin jones@mail13.com
3059 Pitfield Blvd
St Laurent, QC H4S 1H3
Phone: 1.514817375 Ext:
Fax: 1.

The exploit script probes the visitor’s browser for several vulnerable components. One of the exploits targets Java; if the installed Java runtime is out of date, the malware is downloaded and executed without the user’s knowledge and without any interaction at all, a classic drive-by download.

Our advice: first, keep your operating system and all applications up to date, including browser plugins such as Java and Flash Player and the security software you use; the drive-by part of this attack only works against outdated software. Second, be careful with suspicious e-mails: a genuine Facebook notification addresses you by name, and its links point to the legitimate Facebook website. Before clicking, hover over the link (or look at the message source) and compare the real destination with the one shown; if it is not facebook.com, do not click.