Wednesday, March 18, 2015
Dirty Facebook worm cuts itself in half to evade detection
Facebook distributing malware is nothing new, nor are shortened URLs for obfuscation, in-the-cloud servers for anonymity or porn as a lure. However, the latest Kilim-family variant, which hit Facebook last week, uses all of them, with a twist: this worm keeps cutting itself in half to evade detection. Jerome Segura, security researcher at Malwarebytes, spotted the worm using Facebook with a lure of what appeared to be a link to a pornographic video which, unsurprisingly, actually links to a malicious executable instead. If clicked, this kicks off the social media infection process by leveraging that user's contacts, who see a message posted by the victim promising some very dubious pornographic photos. This is where the link-chopping starts, with the URL being obfuscated by the use of the ow.ly URL shortening service. That in itself is not newsworthy; however, the multi-layer redirection architecture, which uses ow.ly in conjunction with multiple cloud platforms (Amazon Web Services and Box.com), is.
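
For defenders, the layered redirection described above can be hunted for in web-proxy logs. The Python below is an added example, not code from the article or from Malwarebytes: it rebuilds redirect chains and flags any chain that starts at a URL shortener, passes through two or more cloud platforms and ends at an executable download. The event format, the extension list, the hop order and every sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed lists for this example; only ow.ly, AWS and Box.com come from the article.
SHORTENERS = {"ow.ly"}
CLOUD_SUFFIXES = ("amazonaws.com", "box.com")
EXECUTABLE_EXTS = (".exe", ".scr", ".msi")  # assumed extension list

# Constructed proxy events: (requested URL, redirect target or None).
SAMPLE_EVENTS = [
    ("http://ow.ly/EXAMPLE1", "https://example-bucket.s3.amazonaws.com/landing.html"),
    ("https://example-bucket.s3.amazonaws.com/landing.html",
     "https://app.box.com/shared/static/EXAMPLE.exe"),
    ("https://app.box.com/shared/static/EXAMPLE.exe", None),
    ("http://ow.ly/EXAMPLE2", "https://www.example.org/article.html"),
    ("https://www.example.org/article.html", None),
]

def build_chains(events):
    """Rebuild redirect chains from per-request events."""
    nxt = dict(events)
    targets = {t for t in nxt.values() if t}
    chains = []
    for start in nxt:
        if start in targets:
            continue  # reached via a redirect, so not the head of a chain
        chain = [start]
        # Follow redirects; stop at the end of the chain or on a loop.
        while nxt.get(chain[-1]) and nxt[chain[-1]] not in chain:
            chain.append(nxt[chain[-1]])
        chains.append(chain)
    return chains

def classify(chain):
    """Flag shortener -> two or more cloud platforms -> executable download."""
    hosts = [(urlsplit(u).hostname or "").lower() for u in chain]
    clouds = {s for h in hosts[1:] for s in CLOUD_SUFFIXES
              if h == s or h.endswith("." + s)}
    executable = urlsplit(chain[-1]).path.lower().endswith(EXECUTABLE_EXTS)
    shortener = hosts[0] in SHORTENERS
    return {"shortener": shortener, "cloud_platforms": sorted(clouds),
            "executable": executable,
            "alert": shortener and len(clouds) >= 2 and executable}

if __name__ == "__main__":
    for chain in build_chains(SAMPLE_EVENTS):
        print(classify(chain)["alert"], " -> ".join(chain))
```

Each condition alone is common in benign traffic; the alert fires only when all three appear in one chain.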