Following my recent blog on W32.Yimfoca.B, it was clear that W32.Yimfoca also received a facelift (no pun intended). W32.Yimfoca.B spreads through instant messaging applications and once installed will download and install W32.Yimfoca. The latest version of W32.Yimfoca is targeting Facebook users by prompting them to filling out surveys in return for access to their accounts.
On visiting Facebook, users are prompted with an overlay message, asking them to fill in a survey before gaining access to the site. The message reads:
Complete one of these surveys to gain access this page. Otherwise you will not have access to this page.
A loading dialog is then presented while you fill out the survey. Once it’s filled out you gain access to the site. The message reads:
You have only 3 minutes to fill out the selected survey or you will not have access to your account
An older message may have read:
You have only 3 minutes to fill out the selected survey or you will be banned from this site
These messages are updatable via an encrypted configuration file which we successfully decrypted:
The encrypted configuration file will also contain links to websites, which will prompt the user with more surveys in order to access the website content. These can be presented to the user based on keywords entered into the browser.
If you fail to fill out the survey you will be locked out while W32.Yimfoca is running. So long as W32.Yimfoca is running on your computer and you haven’t completed a survey you will be blocked from accessing facebook.com. Every time the malware restarts, its state is reset and you will be prompted to fill out a survey again to gain access (for example after a reboot).
If you fail to complete the survey you will be presented with this message:
You do not have access to you account because you do not complete any survey. Please come back later and tray again
This message doesn't disappear unless the user restarts the computer, effectively locking users out of their Facebook accounts on the compromised computer, unless they fill out a survey.
Survey spam is nothing new; however, this particular approach hasn’t been seen in malware to-date.
The surveys are coming from cpaleads.com, whose promotional video offers up to $1 for every survey completed, in effect making the bad guys really, really rich!
This malware is Internet Explorer centric, so visiting Facebook in other browsers will not display the survey-related blocking. Still, please ensure you have the latest available definitions to remove this threat. Furthermore, Facebook’s automated systems can detect when accounts may be compromised and put the account into a remediation state, meaning that is it not accessible until the user logs in and reviews relevant security information. More good news is that Facebook is blocking users’ ability to share links associated with this malware.
Both the malware and the survey-related spam usually rely on social engineering tactics, to either get installed or to get people to click on unwanted links. If you receive an unexpected link from a contact through an instant message you can always respond with a question about the link to verify it’s not malware spreading them. If you receive a link promoting a deal that sounds too good to be true—whether on a social network, via email or via Instant message—then usually it is!