Tuesday, 6 December 2016

Junk Images on Facebook Messenger Lead Users to Malware

Hackers temporarily found a way to bypass Facebook filtering systems to deliver malicious Chrome extensions to users, security researchers have found. These then opened up the way for even worse malware downloaders that can deliver a range of Trojans and other programs to your desktop.

The .svg files sent to users got around Facebook's file extension filter. Because .svg is a relatively new file format, hackers have room to experiment with it against existing filtering systems. Also, reports Bleeping Computer, since it is "XML-based and allows dynamic content," it is popular for delivering the malicious JavaScript code embedded right inside the image.
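Because an SVG is XML that can carry script, an extension check alone says nothing about whether an uploaded image is inert. The following is an added example, not code from the article, the researchers, or Facebook: a Python check that parses an SVG and reports script-capable markup. The function names, the lists of elements and URL schemes, and both sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: one SVG carrying script (placeholder body), one static.
SAMPLE_ACTIVE = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <script type="text/javascript"><![CDATA[ /* placeholder body */ ]]></script>
  <rect width="10" height="10" onclick="void(0)"/>
</svg>"""
SAMPLE_STATIC = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="red"/>
</svg>"""

ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}
SCRIPT_SCHEMES = ("javascript:", "data:text/html")

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def find_active_content(svg_bytes):
    """Return a list of findings; an empty list means no script-capable markup."""
    # Refuse entity declarations up front: they can hide markup and inflate
    # memory. A production filter should use a hardened parser (e.g. defusedxml).
    if b"<!entity" in svg_bytes.lower():
        return ["entity declaration (not parsed)"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable XML (treat as untrusted)"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):  # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            compact = "".join(value.split()).lower()  # drop whitespace in URL
            if name in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                findings.append(f"script URL in {name} on <{tag}>")
    return findings

if __name__ == "__main__":
    print(find_active_content(SAMPLE_ACTIVE))
    print(find_active_content(SAMPLE_STATIC))
```

A filter built this way would reject or sanitize any file with a non-empty result rather than trusting the .svg extension.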

The image leads to a fake YouTube item, which demands you add a codec to view the video on Chrome. Security researcher Bart Blaze, who discovered the ransomware, found that the extension to execute this, "One," gives itself permission to "read and change all your data on the websites you visit." He wrote that he was, "not exactly sure what this extension is supposed to do beside spreading itself automatically via Facebook, but likely it downloads other malware to your machine." In his case, this included the popular Nemucod malware downloader.

Another security researcher, Peter Kruse, reported that one possible payload was the Locky ransomware. Facebook told Threat Post, though, that, "We determined that these were not in fact installing Locky malware."

Confirmed! #Locky spreading on #Facebook through #Nemucod camouflaged as .svg file. Bypasses FB file whitelist. https://t.co/WYRE6BlXIF pic.twitter.com/jgKs29zcaG — peterkruse (@peterkruse) November 20, 2016

Anyone who encounters the suspicious .svg files should, per Threat Post and Blaze, disable JavaScript in their browser, block Wscript, or set any files with the extensions .svg, .js, and .jse to open only in Notepad — the latter technique defeats the code's ability to execute itself in your browser when you click on the image.
