Facebook Voltor Malware Analyzed
A nasty link is being auto-spammed on Facebook these days and this article will look into
what it actually does. I'm calling it the "Voltor Malware" since the main domain involved
seems to be voltor.info where most of their material is hosted, in addition to several random
blogspot domains.

Everything you see in the website screenshot above is FAKE, including the Facebook layout.
How Does It Work?
The link usually appears in the format somethingrandom.blogspot.com and presents you with a
screen similar to the one above, asking you to install a fake, malicious YouTube addon. This
addon then uses a cross-site request forgery (CSRF) attack to send a similar link to all your
Facebook friends: it calls Facebook's first_degree.php script (which returns a JSON result)
with your own user id, which is stored in a cookie called c_user while you are logged in.
Abusing your friend list is the only malicious thing it does, apart from firing off a couple
of spam videos. That is more than enough reason to get rid of it, though.
How Do I Remove It?
HELP ME I CLICKED IT, WHAT SHOULD I DO?! Go to your browser's extension/addon tools and remove
the addon called Youtube with the Spanish description (hard to miss), then restart the browser.
The malware's install functionality only seems to support an addon for Firefox or Chrome. If it
detects that you are not using one of those, the link from the screen above takes you directly
to their spam videos without installing anything, and you should be safe. Regardless, it is easy
to check whether you have a Spanish YouTube addon installed in your browser.
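A small triage script that applies the indicator from the removal steps above (an installed extension calling itself "Youtube"), added here as an example and not taken from the original write-up. It assumes Chrome's on-disk layout (Extensions/<id>/<version>/manifest.json, with optional _locales/<locale>/messages.json for localized names) and a Linux default profile path; both are assumptions you may need to adjust, and the description is reported so you can see whether it is the Spanish one.

```python
import json
import re
from pathlib import Path

# Assumption: Linux default Chrome profile; adjust for your OS and profile.
PROFILE_DIR = Path.home() / ".config/google-chrome/Default"
# Indicator from the write-up: an extension calling itself "Youtube".
NAME_PATTERN = re.compile(r"you\s*tube", re.IGNORECASE)

def resolve_msg(value, messages):
    """Resolve a Chrome __MSG_key__ placeholder using a messages.json dict."""
    match = re.fullmatch(r"__MSG_(\w+)__", str(value))
    if not match:
        return str(value)
    return str(messages.get(match.group(1), {}).get("message", value))

def load_messages(ext_dir, manifest):
    """Load _locales/<default_locale>/messages.json for an extension, or {}."""
    locale = manifest.get("default_locale")
    path = Path(ext_dir) / "_locales" / str(locale) / "messages.json"
    try:
        return json.loads(path.read_text(encoding="utf-8")) if locale else {}
    except (OSError, ValueError):
        return {}

def flag_manifest(manifest, messages=None):
    """Return a reason string if the manifest matches the indicator, else None.
    The description is included so the analyst can check whether it is Spanish."""
    messages = messages or {}
    name = resolve_msg(manifest.get("name", ""), messages)
    desc = resolve_msg(manifest.get("description", ""), messages)
    if NAME_PATTERN.search(name):
        return f"name {name!r} matches indicator; description: {desc!r}"
    return None

def scan_profile(profile_dir):
    """Yield (extension_id, version, reason) for flagged extensions in a profile."""
    for mpath in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        try:
            manifest = json.loads(mpath.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        reason = flag_manifest(manifest, load_messages(mpath.parent, manifest))
        if reason:
            yield mpath.parts[-3], mpath.parts[-2], reason

if __name__ == "__main__":
    for ext_id, version, reason in scan_profile(PROFILE_DIR):
        print(f"{ext_id} v{version}: {reason}")
```

Flagged entries still need a manual look: a legitimate YouTube-related extension will match the name pattern too, so the description and the extension id are what tell them apart.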
Technical Details
I was going to post a lot of the JavaScript code involved, but most of it is redundant even after
de-obfuscating it and there's no real point in posting it. If you want to take a look for yourself,
you'll need to start with this script: elchavo.info/script.js - only recommended if you
know what you're doing.
This document was last updated December 18th, 2011.