[funsec] Zango spyware spreading with Facebook application

Juha-Matti Laurio juha-matti.laurio at netti.fi
Thu Jan 3 19:37:11 CST 2008


The first spyware spreading with Facebook application has been discovered. Security company Fortinet reports that application called Secret Crush is installing Zango (aka AdWare.Win32.180Solution) with Iframe.

This is the procedure:
"In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using "Secret Crush"."

The text included to the request entry is "One of Your Friends Might Have a Crush on You!" providing normal 'Find Out Who!' and 'Ignore' buttons.

Advisory from Fortinet:
"Facebook Widget Installing Spyware"
http://www.fortiguardcenter.com/advisory/FGA-2007-16.html

SecuriTeam Blogs:
"My name is Zango, I am spyware and I found Facebook applications"
http://blogs.securiteam.com/?p=1056

At time of writing it's not know if AV vendors offering Zango protection have protection for this Static.ZangoCash.com download process too.

An interesting reference:
"When is a Facebook Really a MySpace?"
http://www.allfacebook.com/2008/01/when-is-a-facebook-really-a-myspace/

listing a very remarkable installation base :-(

Juha-Matti


More information about the funsec mailing list