Facebook Trojan

Beware: Facebook Trojan Sent Via Email

By Robert Moekoe

A Facebook Trojan in an email attachment was sent to me.

My inbox showing the email with the zipped Facebook Trojan attachment

Email with Facebook Trojan Attachment

Twice in only 2 days I’ve received emails claiming to be from Facebook Service (networks@facebook.com) and The Facebook Team (confirmation@facebook.com) respectively. At first I thought they were from Facebook, as we always get notification emails from Facebook. But after I spotted that the email had an attachment in it, curiosity got the better of me.

Both Trojans are exactly the same, only with different names

I ran a check; both Facebook Trojans are the same

The attachments in the two emails came with different names (Facebook_details_348.zip and Facebook_details_173.zip), but when I test-ran them they proved to be exactly the same. This fact made me almost sure that the email attachments were trojans. So I decided to run one of the executable files in a safe and contained virtual machine.

Facebook Trojan Tested on Virtual Machine

I test-ran the Facebook Trojan on a virtual machine

Facebook Trojan creates a new SVCHOST.EXE then deletes itself

Notice the new SVCHOST.EXE running, and the empty Facebook Trojan folder

The result is typical of an effective and efficient trojan: quiet, leaves no trail behind, gets the job done. As you can see in the snapshots, once I ran it, it left a new SVCHOST.EXE running, using 2,250KB of memory, before it deleted its physical program file from the folder. This could mean that it has got itself into the system, where it can hide and work stealthily. Perhaps it would later download a working trojan, meaning that it is actually only a downloader trojan. I take it that this is a trojan, and I call it The Facebook Trojan.

Facebook Trojan Has Nothing to Do With Facebook.

Although the sender name and the spoofed email domain are Facebook’s, this is not actually coming from Facebook, as anyone can fake a From address.

Recognizing And Avoiding It.

You would want to avoid executing the .exe file, or downloading the attachment altogether. But how can we recognize it without having to execute it in a virtual machine as I did? The major clues by which we can easily recognize a Facebook Trojan are these:

First, have a look at the email subjects. Both carry the same sense of urgency (notice the exclamation mark) and the awkward terms Support Message and Customer Message:

  1. Facebook Password Reset Confirmation! Support Message.
  2. Facebook Password Reset Confirmation! Customer Message.

Second, the body text is the same in both emails. It goes like this:

Dear user of facebook,
Because of the measures taken to provide safety to our clients,
your password has been changed.
You can find your new password in attached document.
Thanks,
Your Facebook.

More Obvious Clues

Notice the same sense of urgency and the same awkwardness in the message as in the subjects. It uses the word safety as an urgency trigger.

The first awkwardness is the message stating that the password has been changed. No one changes our password without our prior consent. That’s it.

The second awkwardness is that instead of simply giving us the new password in the email body, it instructs us to find it for ourselves in the attachment. Can you imagine that? What a lame lure.

Going beyond that, if you downloaded the .zip file and examined its contents, you would find the ultimate proof that this is a trojan: the file inside is an executable .exe. Whoa. I can’t say any more. Beware of the Facebook Trojan in emails.
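As an added example (not from the original post), here is a Python script that turns the clues above into mail-filter checks: a sender claiming facebook.com, the urgent "Password Reset Confirmation!" subject, the "password has been changed" body text, and a .zip attachment that really holds an .exe. The sample message is constructed to mirror the lure, the executable inside it is an empty placeholder, and flagging .scr/.com/.pif alongside .exe is my own assumption going beyond the page.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators taken from the post; the extra executable extensions are an assumption.
SPOOFED_DOMAIN = "facebook.com"
SUBJECT_RE = re.compile(r"password reset confirmation!.*(support|customer) message", re.I)
BODY_RE = re.compile(r"password has been changed|new password in attached", re.I)
EXEC_EXT = (".exe", ".scr", ".com", ".pif")


def build_sample():
    """Constructed sample mirroring the lure; the .exe inside is an empty stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_details_348.exe", b"")  # placeholder, not a payload
    msg = EmailMessage()
    msg["From"] = "Facebook Service <networks@facebook.com>"
    msg["Subject"] = "Facebook Password Reset Confirmation! Support Message."
    msg.set_content("Dear user of facebook,\nBecause of the measures taken to provide "
                    "safety to our clients,\nyour password has been changed.\n"
                    "You can find your new password in attached document.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_details_348.zip")
    return msg


def lure_indicators(msg):
    """Return the list of matched indicators; an empty list means no match."""
    hits = []
    if SPOOFED_DOMAIN in msg.get("From", "").lower():
        hits.append("sender claims facebook.com")
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("urgent password-reset subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_RE.search(body.get_content()):
        hits.append("password-changed lure text")
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                execs = [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
        except zipfile.BadZipFile:
            execs = []  # corrupt or non-zip data: cannot inspect, no hit here
        if execs:
            hits.append("zip contains executable: " + ", ".join(execs))
    return hits
```

Run `lure_indicators(build_sample())` to see all four indicators fire on the constructed lure; a legitimate notification with no attachment and an ordinary subject returns an empty list.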