New Malware can Automatically Register Facebook Applications

A few months ago, at least prior to February 7th, Sality operators pushed a new malware onto their P2P network of infected bots. The malware in question hooks into Internet Explorer using its standard COM interface, and gathers credentials submitted via web forms. February’s variant treated Facebook, Blogger, and Myspace logon information differently: on top of stealing and sending the username/password to a Command and Control (C&C) server, the information was also dumped to an encrypted file, onto the user’s compromised computer. At that time, the plausible guess was that these credentials would be used by upcoming malware – the Sality programmers are very imaginative.

This was confirmed last weekend. The newest Sality package contained a new malware, on top of their usual spam/web relays. The malware searches for encrypted files containing either Facebook or Blogger credentials (Myspace is left aside). If such files are found and contain credentials, the malware then connects to a C&C server (, hosted in Florida) to request an “action script”. Such scripts look like C programs and are interpreted by the malware itself. The main goal is to automate Internet Explorer actions. On Monday, April 11th, the script sent when Facebook credentials were found on the local machine was the following:



The function names are self-explanatory. The script, when executed, performs the following actions:

  • Create a visible instance of Internet Explorer.
  • Navigate to
  • Log in.
  • Go to the Facebook app #119084674184 page: this application, named VIP Slots, has been around for a few years.
  • Grant access to this application.
  • Close the browser instance.

The permission required by VIP Slots is only “Basic information”, meaning your name and gender, profile picture, networks, and list of friends. The application itself does not seem to exhibit malicious behavior, but the fact that a malicious program interacts with it is very troubling. The end-goal is not determined at this stage: registering the user could serve as aggressive spamming (application posts appearing on your news feed), or a way to get more users to use the app, for monetary purpose (by buying virtual credits). The application could simply be an innocent party.

Another script was also distributed. The actions taken by this generic script were the following:

  • Create an invisible instance of Internet Explorer.
  • Go to
  • Search for “auto insurance bids”.
  • Close the browser instance.

This script could serve experimentation purposes. It could also be a very convoluted way to measure the propagation of their creation: Google Trends report a recent peak for this search term.

As of today, it appears script distribution has stopped. However, new scripts could be distributed in the future as the C&C server is still up and running.

Our latest definitions detect this malware as Trojan.Gen. Facebook users may see which applications they are currently subscribed to by checking their Privacy settings > Apps and Websites page.

What TVCNet/ Doesn’t Want You to Be Able to Read

Back in March we wrote a post about the danger of unethical hack repair services. This is certainly not the only area that we deal in where there is unethical behavior. On a fairly regular basis we are contacted about issues from companies that are being paid to maintain websites despite not knowing what they need to do maintain the websites and not having the ability to perform that maintenance even if they knew what it was.

In that post we discussed a company called TVCNet, which also does business as,, and “The Hack Repair Guy”. We were stunned by a recent interaction with them and felt it was important to write about what happened so that public at large could be aware as well. Here is what we wrote about them in that post:

What we haven’t dealt with before is a company that offers to clean up hacked websites contact us and admit that they were unable to determine how a website was hacked and wanted us to do it for them. Then last week we were contacted by a representative from TVCNet, which also advertises their service at They told us that they were good at removing the hack code, but a website they cleaned was being reinfected and they couldn’t determine what was allowing the website to be reinfected. The infection that they describe was one that should have been very easy to determine the source of if they had even very modest experience dealing with cleaning up after hacks. It certainly should not have been a problem for someone that is charging clients 350 dollars to clean up a hacked website (they apparently charge extra to upgrade software, even though that is often essential for securing a website).

With a company operating in what we consider an unethical manner, it is not a surprise that they are also lying about their service. They claim that they “We will work direct with Google staff, and ensure your web site is unblocked by Google”. The truth is getting unblocked by Google is a completely automated process that doesn’t involve working directly with Google staff.

On Monday, they left a comment on our blog that sidestepped the substance of post, it appeared that may not have even bothered to read the post, while making a number of accusations against us (we moderate comments so you won’t see it). We sent them an email letting them know we would not be posting the comment and informing them that we would post a correction if there was a factual mistake in the post.  We are always happy to post a correction if there is a factual mistake in one of our post, that is mentioned in the “Did We Make a Mistake?”section of this blog’s sidebar.

The next day we received an email from them that claimed the post was inaccurate, but did not dispute any of the facts present in the article. What they did instead was to falsely accuse us of slander. It is impossible for our written post to have been slanderous, but it is also was not any other form of defamation either. Defamation requires, among other things, that a statement of fact be false. We stand behind the facts in that article as well as the opinions presented. They so far have also not disputed any of the facts present in the post.

In both instances they requested we remove the post. In the second instances they tied the request to their false accusation of slander, with the implicit implication of bringing that up that an illegal act had occurred and that there could be legal remedies. We won’t be doing that as it is important for the public to know of the danger of unethical hack repair services, especially if companies don’t want you to know about it.

There most recent response also raised other troubling issues. In the email they claim to have had to spend over 40 hours clearing up the hack in question. We have never spent anywhere that much time clearing up after hack and the hack in this case was particular simple so it should not have taken that long. To us, that seems to be an indication that something is really wrong with their capabilities or process. That further backs up our opinion that they operate in unethical manner by providing a service that do not have the necessary experience to do properly.

That response also indicated that they had moved that hacked clients to their hosting service. We strongly believe that hack repair providers should not involved in any way in with moving users to a hosting provider they have a financial relationship with, especially one that has had security issues within the recent past. In a post last year it was disclosed that TVCNet’s servers come “with the standard formmail.cgi  XSS and cgiecho  information disclosure vulnerabilities”. That post also claims that “you can bet they spin more than their fair share of BS.” So we are not the only people that have concerns about this company.

Before publishing this post, we will be offering not publish it as long as TVCNet agrees to stop trying to intimidate us into suppressing our previous posting about the danger of unethical hack repair services and stop making potentially defamatory statements about us. We hope they take up the offer and stop making a bad situation of their own making worse. If this is posted, it means that they continue to want the public not be able read this important information.

Update (April 22, 2011): Since this post was published the situation has taken an odd and disturbing turn. Employee(s) of TVCNet have become rather obsessed with our company and our employees. They have been posting bizarre, incoherent rants about us, as well as posting personal information about employees, across the Internet. At the same time they have not informed us of any actual factual mistakes in our original post, which if they actually existed we would happily post a correction for. What is occurring is certainly not something that a reputable company would be doing and unfortunately seems to be an indication that the employee(s) of the company may have mental health issues, if that is the case we certainly hope that they will get help for those issues.

Heads up FB friends! New chain letter spreads on Facebook

A new chain letter is spreading across Facebook, posted by users in an apparent attempt to warn others about rogue applications.

Heads up FB friends chain letter

HEADS UP FB friends, Some applications are sending not too nice messages under YOUR identity. If you don't want to get in trouble with your friends, copy paste this message! And if you receive a nasty message from ME, rest assured I'm NOT the one who sent it. Most come from a post saying xx answered a question about you. DONT GO TO THE SITE! Re-post this!!! Hackers are at it again!

Many Facebook users have reposted the message in the last 24 hours.

The warning message is correct in so much as there are many rogue applications spreading across the Facebook platform, which can post scam messages under your name.

But to suggest that you won’t get into any trouble with your friends if you post the above message isn’t really any protection at all. Posting a status message like the one above doesn’t harden your defences or share any truly useful information.

The best way to protect yourself on Facebook is to always be cautious of unsolicited links that are sent to you, to think carefully about which (if any) third party apps you are going to allow to have permission to post to your Facebook wall or tag you in photographs, and to take a long hard look at your privacy settings.

One excellent idea is to make sure you stay informed about the latest scams spreading fast across Facebook. It’s free to join the Sophos Facebook page, where more than 70,000 people regularly share information on threats and discuss the latest security news.

My naked pic is attached – malware spammed out

Are you in the habit of having complete strangers email you naked pictures of themselves?

That’s the only reason I can think of that you can legitimately explain why your computer has been infected by the latest malware attack that has been spammed out around the world.

Users are seeing messages in their inbox, which attempt to trick recipients into opening the attached file with the promise of a nude photo.

My naked picture is attached malicious email

The messages read

I love wild sex and looking for a discreet partner.
I have my picture attached to this email. Take a look at it and get back if you like what you see.

and have the subject line “my naked pic is attached”.

Sure enough, there is a file attached to the emails (it’s called but it isn’t a potential sex partner who is contacting you. Instead, the attachment contains a fake anti-virus attack – designed to con you into believing that your computer has a barrage of security problems, and fool you into handing over your credit card details.

Sophos products detect the fake anti-virus as Mal/FakeAV-JO and the ZIP file as Mal/BredoZp-B.

Hopefully most people will think with their brains and not with their trousers, and not be tempted into opening the attachment. However, experience has shown that even a malicious attack as obvious as this is likely to capture some unwary computer users.