Picture-1

Rumor has it.

Facebook users are being targeted again, but in a more roundabout manner. Rumors are spreading, as rumors do, that an “unnamed app” is integrated into user accounts which is responsible for slowing down facebook and is being used to spy on user activity. (These rumors have not been proven true.)

Users are then advised in the form of ALERTS to delete this unnamed app. The interesting part is that user suspicion of these messages is what gives them their malicious power. A Facebook user would then Google the alert or the keywords “unnamed app” and be directed through several sites to ones serving rogue AV. Using SEO techniques many of the top sites listed are the key redirection sites in this process.

One such site, at the number three spot in our google search:
“http://kittingservice.com/canst.php?avi=facebook-unnamed-app”

The domain kittingservice.com is found at 62.93.239.41.

Using javascript redirection, we are taken to:
“http://onlinetechnicals.ru/sm/r.php”
at 212.95.58.37

It looks like the referrer might be necessary for the redirection: “Referer: http://www.google.ca/search?hl=en&source=hp&q=facebook+unnamed+app&meta=&aq=f&oq=” Otherwise a page comes up with the multiple facebook and SEO terms planted throughout, including some of the original instigating Facebook alert phrases:

“Has your facebook been slow today? Check your application settings, go into ” added to profile”. If you see one in there called “unnamed app” delete it.”

“There is a ” Unnamed App ” spybot on facebook and it may be slowing down Facebook applications or it may be work as a Spyware.”

The onlinetechnicals.ru page then uses another javascript to direct us to uscaau.com:

uscaau.com 212.95.58.37

Looking up uscaau.com/back.php comes back with the location of: “http://battlestartedsecurity.com/hitin.php?land=20&affid=94801”

battlestartedsecurity.com
109.232.225.22

and “hitin.php?land=20&affid=94801”
is said to be at the location:
“index.php?affid=94801”

This is where we finally download the beginnings of the Rogue AV. A pop up window tells us that “Your computer contaigns various signs of viruses and malware programs presence….” Our browser window has also seemingly disappeared but if you move the warning slightly you can see it resized to hide behind the pop up.

Agreeing to the scan displays the fake scan of our system, going back to battlestartedsecurity.com for the necessary visual items.

A few more agreements to clean up our system advises us to download “install.exe”, currently only detected by 7 of 41 AV groups.

Other researchers have indicated different redirection paths being taken and different end result fake security tools.

As for the unnamed app it is said to just be the “boxes” tab on your Facebook profile.
“The Boxes tab contains application profile boxes. A user or Page will have a Boxes tab added to their new profile by default if they currently have application boxes that do not support integration with the main profile/Page left column or if they have more profile boxes than can fit into the main profile/Page left column (more than 5).” (http://wiki.developers.facebook.com/index.php/Tabbed_Profile)

Removing it seems to be both nondestructive and reversible. According to
(http://answers.yahoo.com/question/index?qid=20100126190431AAJkPoW)
“to put back your boxes tab:

1. go back to the page where you removed the Unnamed App from.
2. select “edit settings” for an app under the “added profile boxes” section
3. click remove, then click add when it appears.”

Matt Sully
Director
Threat Research & Analysis

Reblog this post [with Zemanta]