The latest round of Facebook-related malware has been found inadvertently hosted on an Indian government site dedicated to women from the southern state of Kerala. The malicious file, detected by K7 security products as Riskware (0015e4f01), bears a name of the following format:
facebook-pic000<5 digits>.exe
where <5 digits> represents a 5-digit number.
To an IT security professional such a filename, and the URL hosting it, show clear danger signals. One does not generally require an explicit EXE to view Facebook pictures, and it is probably unusual for a government site in India to host EXEs, and that too related to a public social networking site.
The server hosting the site for ladies from Kerala has clearly been compromised. The owners of the compromised domain have been advised to review their site and the procedures in place to secure it against hacking.
In general we urge extreme caution when browsing sites which serve up incongruous, unexpected executable files using various social engineering techniques.
Samir Mody
Senior Manager K7TCL
