
Fb spam with hacker

Hi, after a long time I've come back to post about one of the serious issues going around. I have tried to lay this out as clearly as possible to show how dangerous it is. During the long gap on this blog I learnt some techniques for reverse engineering malware: how it infects, where it places its files, how to get rid of it and so on. So keep reading this post and get rid of these things...

Recently I logged in to my Facebook account as usual and had a chat with one of my friends. I didn't know that he was infected, or that his account had been hacked by one of the Facebook spam campaigns (there are a lot of them). Suddenly he left the chat and dropped a link. I didn't know what was happening; at first I concluded it was a spam link, but it is not just a spam link, it is actually a severe trojan (you'll see at the end of this post). He doesn't know much about the internet and was confused by this link. I had come across some Facebook spam before, so I wanted to show my friends how nasty this infection is. I researched that trojan with my basic knowledge and am presenting it to you. Continue with me.

Observation 1:
The chat we had

Observation 2:
Then I clicked that link. Really, I was shocked; check this image....

Then I noticed a YouTube page had opened with the title "<my Facebook name> IS IN THE LEADING ROLE. SHOCKING PERFORMANCE", complete with likes. I was shocked that my name was on the YouTube page and that some video related to me was there (actually there was nothing). Finally I noticed it was a phishing page, LOL. I immediately switched my session to a VM (virtual machine)...

Observation 3:

And I started to look for clarification about whether it was genuine or not. I opened that page in my VM, checked again, and noticed two things.

I tried to play the video and it asked me to download and install Flash Player to view it. LOL, I already had Flash Player. I also noted the IP it was served from and confirmed with nslookup that this IP is not related to YouTube. The original servers of YouTube are

OK, so where is this IP located? I traced that IP in IPLOOKUP and found something interesting.

So I went on and downloaded that file, and ran a virus scan on it. Check the VirusTotal report here

Observation 4:

And I executed that file in my VM. It started its work by unpacking, and the pieces got placed in their respective locations. Suddenly my internet speed dropped drastically; I couldn't even browse Google, it was that slow. It started making connections to its servers, so I went through the processes and noticed a bulk of curious services and processes running in the background.

Oh boy, how many junk processes are running; these are what slow my internet down. Then I started to research all of those processes. Most of them are running from TEMP folders. In simple terms, no EXE files or processes should run from TEMP folders except during an installation. But these files are running from those locations on every startup.

Observation 5:

Then I started exploring the startup entries in the registry and found something interesting.

Yes, these trojans occupy entries in the RUN key, which makes them execute on every startup.

Observation 6:

Then I continued to trace their services and the successful connections they had established, and found that all the trojans we noticed had connections to their remote servers; they actually send something to the respective IPs.

NOTE: I never opened any browser and I didn't run any internet-related service, but still many processes were trying to communicate with their servers and sending something.
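As an added example (not from the original post), here is a PowerShell triage script for the three things Observations 4 to 6 turned up: Run-key entries whose command points into a TEMP folder, running processes whose image lives there, and the established TCP connections those processes hold. It assumes Windows PowerShell 5.1 or later on Windows 10 / Server 2016 or newer (for the OwningProcess property of Get-NetTCPConnection), run elevated inside the analysis VM.

```powershell
# Added example, not the post's own tooling. Flags autostart entries, running
# processes and network connections tied to executables under TEMP folders,
# the persistence pattern described in Observations 4 to 6.

# Temp-like directories that should normally not host autostart executables.
$tempDirs = @($env:TEMP, $env:TMP, "$env:LOCALAPPDATA\Temp", "$env:WINDIR\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() } | Select-Object -Unique

function Test-InTempDir([string]$Path) {
    if (-not $Path) { return $false }
    $p = $Path.Trim('"').ToLower()
    foreach ($d in $tempDirs) { if ($p.StartsWith($d + '\')) { return $true } }
    return $false
}

# 1. Run keys (Observation 5): autostart values whose command points into a temp dir.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }   # skip provider metadata
        $cmd = [string]$prop.Value
        # Executable part of the command: first quoted token, else first whitespace token.
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        if (Test-InTempDir $exe) {
            Write-Output "SUSPICIOUS RUN ENTRY: $key\$($prop.Name) -> $cmd"
        }
    }
}

# 2. Running processes (Observation 4) whose image lives in a temp dir.
$established = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($p in (Get-Process | Where-Object { Test-InTempDir $_.Path })) {
    Write-Output "SUSPICIOUS PROCESS: PID $($p.Id) $($p.ProcessName) ($($p.Path))"
    # 3. Network activity (Observation 6): established connections owned by that process.
    $established | Where-Object { $_.OwningProcess -eq $p.Id } |
        ForEach-Object { Write-Output "    -> $($_.RemoteAddress):$($_.RemotePort)" }
}
```

A clean machine should print nothing; each flagged entry is a candidate to kill, remove from the Run key and submit for scanning.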

Observation 7:

And I eagerly wanted to know what was bringing my internet connection down. Then I noticed something annoying running in the background.

Gosh! A bulk of packets being sent and received through some IPs; these brought my internet connection down.
What are they actually sending? Once executed on your system, it starts sending your confidential data to its servers. It acts like a keylogger on our computer and sends our logs and logins, such as bank accounts, email accounts and our chat logs, to their servers. And not only as a keylogger: the attackers control your whole system and get a remote view of it without your knowledge. If you have a webcam, you can be watched by the attacker without your knowledge. That is a simple example of how these files act as a backdoor and open a path for the attacker.

Then I traced that IP

And I eagerly want to show how nasty it is: we downloaded just one file, Flash-player.exe, and executed it, but it unpacked into many files and started executing them. See this.

Really, this is a serious infection. One thing I have to tell about the main process of this trojan is that it hacks your Facebook account and starts sending this link to your friends without your knowledge, and so the chain continues..... It was hard to kill these trojans......... Finally I killed all of the infections, but I still had a loss: I lost my VM because the trojan corrupted the registry files. But it's just a VM..... LOL

Summary of this infection:

Memory Processes Infected: 9
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 13
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 39

Process of this trojan
  • It takes your system into a botnet
  • It uses your internet connection as a proxy (hackers mainly do this for illegal purposes)
  • Acts as a keylogger (records keystrokes and sends them)
  • The hacker remotely views and controls your system
  • Crashes your computer
  • The hacker downloads our confidential files without our knowledge
  • Steals your data
How to Avoid:
  • Never try catchy things on social-network sites..
  • Scan links with online scanners like
  • Scan untrusted files downloaded from the internet on sites like ,
  • Scan the files with your updated antivirus
  • Don't directly download files from untrusted links.
  • Avoid using torrents (if they are not trusted)
  • Don't click on nasty ads like free smilies, online games, etc.; there are many more
  • Update your antivirus and stay safe

All the credit for this TUT goes to Mr Hworm
