While working through URLs flagged as suspicious by our GTI technology, one that stood out was an ordinary ".com" site that loaded a PHP page. On closer inspection, that PHP page reached out and downloaded a file whose name ended in the string facebook.com.exe. Since the site itself was very social-network friendly, it is easy to see how an average user, without web protection in place, would not even realize what was going on.
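The lure here is a double extension. The real extension is .exe, but the name also carries a decoy image extension and a trusted domain name, and with Windows' default "Hide extensions for known file types" setting Explorer shows only IM24672.JPG-www.facebook.com. As an added example (not code from the original post or from McAfee), the Python below flags such names by checking three things: whether the true extension is executable, whether an innocuous-looking extension appears earlier in the name, and whether a domain-shaped token is embedded in it. The extension, decoy and TLD lists are assumptions chosen for illustration, and the sample file names are constructed.

```python
import re
from dataclasses import dataclass, field

# Extensions Windows runs as programs. A download ending in one of these is code,
# whatever the rest of the name suggests. (Assumed list for this example.)
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js",
                   "jse", "wsf", "hta", "cpl", "msi"}

# Extensions users read as harmless content; attackers embed them as decoys.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "docx",
              "txt", "mp3", "avi", "zip"}

# Small TLD set used to spot a domain name glued into the file name (assumed).
TLDS = {"com", "net", "org", "info", "biz"}

# ".jpg" etc. followed by a separator or end of string, so ".docx" is not read as ".doc".
DECOY_RE = re.compile(r"\.(" + "|".join(sorted(DECOY_EXTS)) + r")(?=[^a-z0-9]|$)")
# label.label.tld, the whole piece and nothing else.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+(" + "|".join(sorted(TLDS)) + r")$")


@dataclass
class Verdict:
    filename: str
    executable: bool                     # true extension is one Windows executes
    decoy_exts: list = field(default_factory=list)
    embedded_domains: list = field(default_factory=list)

    @property
    def deceptive(self) -> bool:
        # An executable whose name also carries a harmless-looking extension or a
        # trusted domain is the double-extension lure described in the post.
        return self.executable and bool(self.decoy_exts or self.embedded_domains)


def displayed_name(filename: str) -> str:
    """What Explorer shows with "Hide extensions for known file types" on:
    only the final extension disappears, so the decoy part stays visible."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def analyze(filename: str) -> Verdict:
    name = filename.lower()
    final_ext = name.rpartition(".")[2] if "." in name else ""
    v = Verdict(filename=filename, executable=final_ext in EXECUTABLE_EXTS)

    # Look for decoy extensions anywhere before the real one.
    before_ext = name[: -(len(final_ext) + 1)] if final_ext else name
    v.decoy_exts = DECOY_RE.findall(before_ext)

    # Split on the separators attackers use to glue a domain onto the name
    # ("IM24672.JPG-www.facebook.com.exe" -> "im24672.jpg", "www.facebook.com.exe"),
    # drop the real extension from each piece, and test for a domain shape.
    for piece in re.split(r"[^a-z0-9.]+", name):
        if final_ext and piece.endswith("." + final_ext):
            piece = piece[: -(len(final_ext) + 1)]
        if DOMAIN_RE.match(piece):
            v.embedded_domains.append(piece)
    return v


if __name__ == "__main__":
    # Constructed sample names: the one from the post plus benign controls.
    for fn in ["IM24672.JPG-www.facebook.com.exe", "holiday.jpg",
               "setup.exe", "photo.jpg.exe", "report.pdf.scr"]:
        v = analyze(fn)
        print(f"{fn:36} shown as {displayed_name(fn):30} "
              f"deceptive={v.deceptive} decoys={v.decoy_exts} domains={v.embedded_domains}")
```

A plain setup.exe is not flagged, only the combination of an executable extension with a decoy extension or an embedded domain; that keeps the check useful as a download or mail-gateway heuristic without blocking every executable.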

And what was this facebook.com.exe? At the time, the scanners detected it as follows:

File IM24672.JPG-www.facebook.com.exe received on 2010.03.10 19:54:18 (UTC)

Antivirus           Version        Last Update   Result
AntiVir             8.2.1.180      2010.03.10    TR/Injector.Awi.88
AVG                 9.0.0.787      2010.03.09    I-Worm/Stration.IPY
BitDefender         7.2            2010.03.10    GenPack:Backdoor.SDBot.DGEY
F-Secure            9.0.15370.0    2010.03.10    GenPack:Generic.Malware.SYd!Cdldsp.B424F431
GData               19             2010.03.10    GenPack:Backdoor.SDBot.DGEY
Jiangmin            13.0.900       2010.03.10    Trojan/Buzus.chp
Kaspersky           7.0.0.125      2010.03.10    Trojan.Win32.Buzus.dmgy
McAfee+Artemis      5916           2010.03.10    Artemis!6B8A163B27CD
McAfee-GW-Edition   6.8.5          2010.03.10    Trojan.Injector.Awi.88
Microsoft           1.5502         2010.03.10    VirTool:Win32/CeeInject.gen!BE
NOD32               4932           2010.03.10    a variant of Win32/Injector.AWI
Prevx               3.0            2010.03.10    High Risk Worm
Sunbelt             5816           2010.03.10    Trojan.Win32.Generic!BT

By the time of writing, it was already gaining further visibility through McAfee Artemis detection, and we are making sure that all of our products protect against this threat.

The server that hosted this file has already been taken offline. However, this threat, this maneuver, and this piece of malware will be seen again and again. In fact, we already know of other web servers hosting the same attack along the same lines, and we will continue to monitor and follow it.