 TeMerc
join:2004-01-22 Phoenix, AZ
| Facebook Widget Installs Zango
2008.January.02
Fortinet Global Security Research Team discovered a malicious Facebook Widget (officially, a "Platform Application") actively spreading on the social networking site which ultimately prompts users to install the infamous "Zango" adware/spyware.
The malicious widget, called "Secret Crush" first appears as a Facebook request 'secret crush'.
In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using "Secret Crush".
Clicking the "Find Out Who!" button leads to the standard third-party application install page essentially stating that the referred application will be granted access to user's details upon installation.
»www.fortiguardcenter.com/advisor···-16.html |
|
 TeMerc
join:2004-01-22 Phoenix, AZ
| Detailed analysis here: »holisticinfosec.blogspot.com/200···ook.html
IPs called:
66.150.14.74 Zango
66.150.14.65 Zango
66.150.14.61 Zango
64.94.137.72 Zango
URLs:
hxx//installs.zango.com/downloads/valueadd/SRS/UCI/R1/seekmo.html
hxx//installs.zango.com/downloads/valueadd/SRS/UCI/R1/zango.html
hxx//installs.zango.com/downloads/valueadd/SRS/Installer/2.0.26/R1/Installer.exe
hxx//static.zangocash.com/Setup/Update/
hxx//public.zangocash.com/php/rpc_uci.php
hxxp://te.seekmo.com/TrackedEvent.aspx
hxxp://te1.zango.com/te.aspx
Links munged to avoid anyone clicking. |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
1 edit | Thanks for the warning.
from the 2nd link "... If a user knowingly installs a widget or a piece of software with a EULA that describes its behavior, can it objectively be called spyware or malicious? .."
I would call it adware if a user knowingly installs a piece of software that could, without the consent fact, be classified as spyware
edit: by knowingly I meant being aware of and having read and understood the Eula (as much as Eulas can be understood)
Cudni -- "Mercifully, he hit him with the soft end of the pistol." Help yourself so God can help you. MVP, Microsoft Windows Security 2006-2007 |
|
 Just Bob Premium join:2000-08-13 Spring Hill, FL
| I must be in a bad mood today.  I've come to the conclusion that a name change (researchware?) doesn't change the function.
»en.wikipedia.org/wiki/Duck_test -- I do hereby call for more authoritative links and fewer opinions.
|
|
 TeMerc
join:2004-01-22 Phoenix, AZ
| reply to TeMerc Rebuttal by Zango below and FYI »blog.zango.com/PermaLink,guid,94···71b.aspx
Zango Advisory: As of this posting, the Zango security team has observed that the Secret Crush widget on Facebook is now called the My Admirer widget.
So if it's so innocent why the name change?? |
|
 mysec Premium join:2005-11-29
| reply to TeMerc Question for the Facebook "experts":
The Fortinet writeup states that in order for the user to "Find out who" -- she/he has to agree to install an executable file.
Is this (installing an executable file) a common occurrence on Facebook to participate in different activities?
---- rich |
|
  SurfinGenie Premium join:2005-03-17 Huntington Beach, CA
| reply to TeMerc Some updated info from Fortinet: quote: As of January 4, 2008 the widget's installed user base has grown from 3% to 4% of Facebook users, and has changed its name from "Secret Crush" to "My Admirer". Further, when attempting to install the "My Admirer" widget, the message: "The developer of this application does not currently allow it to be added." appears, halting the installation process.
Scroll down link [ close to bottom ] »www.fortiguardcenter.com/advisor···-16.html
-k-
 -- Surf safely !!! |
|
 mysec Premium join:2005-11-29
| reply to mysec
said by mysec: Is this (installing an executable file) a common occurrence on Facebook to participate in different activities?
I found my answer:
»www.internetnews.com/security/ar···/3719851 quote: The current system places the onus of security entirely on Facebook users, who are so accustomed to installing third-party applications that come recommended by friends that security concerns are often overlooked, Manky said.
Hmmm....
---- rich |
|
 TeMerc
join:2004-01-22 Phoenix, AZ | reply to TeMerc Social engineering working to its potential. People go online and think because they're sitting in their homes they can't get 'hurt'. |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| said by TeMerc: Social engineering working to its potential. People go online and think because they're sitting in their homes they can't get 'hurt'.
And don't forget this aspect - what teenager wouldn't want to know who's 'admiring' them secretly over being security-minded.  -- Proud Member of ASAP DSLR Phishtracker |
|
 mysec Premium join:2005-11-29
1 edit | I see this is all a part of Facebook's "Third Party Developer Platform" which encourages people to write their own applications for use on the site.
Nice, in theory. A can of worms, in practice.
How can one ever be sure when installing executables on an open social network site?
I have just two families that use these - I think one uses Facebook.
In one family, the kids are young and the computer has Anti-Executable installed which lets the parents control what gets installed.
In the other, the older teenager is in charge of her own computer. She knows not to click-to-install anything that pops up (plug-ins, etc), but this is different.
It's ridiculous to use untrusted/unknown executables as part of this social stuff.
If you tell kids to say "No" to everything, they will be deprived of part of the experience of the site.
---- rich |
|
 mysec Premium join:2005-11-29
| Some links:
Facebook Launches Facebook Platform; They are the Anti-MySpace »www.techcrunch.com/2007/05/24/fa···myspace/ quote: The payoff is two way. Not only do developers get deep access to Facebook's twenty million users, Facebook also becomes a rich platform for third party applications.
Facebook's strategy is almost the polar opposite from MySpace. While MySpace frets over third party widgets, alternatively shutting them down or acquiring them, Facebook is now opening up its core functions to all outside developers.
Platform Application Terms of Use »developers.facebook.com/user_terms.php quote: III. Use of Platform Applications
(a) Developer Applications. When you install a Developer Application, you understand that such Developer Application has not been approved, endorsed, or reviewed in any manner by Facebook, and we are not responsible for your use of or inability to use any Developer Applications, including without limitation the content, accuracy, or reliability of such Developer Application and the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK.
Developers may require you to agree to their own terms of service, privacy policies and/or other policies as a condition of using Developer Applications. Those terms and/or policies may give Developers rights with respect to your Facebook Site Information beyond those provided by the Developer Agreement. PLEASE REVIEW EACH DEVELOPER'S TERMS AND/OR POLICIES CAREFULLY.
|
|
  Cabal Premium join:2007-01-21 Boston, MA
| reply to TeMerc I tried to run it from the Facebook link in my sandbox, it wouldn't install for me. Looks like admin privileges are a requirement. I guess it's not surprising people aren't following the basic security steps that (even) Microsoft recommends. -- Interested in open source engine management for your Subaru? |
|
 mysec Premium join:2005-11-29
| Blocking unwanted executables from installing is one thing.
In Facebook's case, users encounter third-party applications as part of the site's design, and they choose to install them.
With Facebook's policy,
quote: we are not responsible for your use of or inability to use any Developer Applications, including without limitation the content, accuracy, or reliability of such Developer Application and the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK.
the user is in a quandary.
In my case in working with users, installing from trusted sources is the foundation of part of security. I've never had a user get hit with a virus.
If users can't trust Facebook's third party applications, to wit:
quote: When you install a Developer Application, you understand that such Developer Application has not been approved, endorsed, or reviewed in any manner by Facebook,
what recourse do these users have?
If you choose to avoid all third party applications, then you miss out on part of the idea of social interaction of the site.
---- rich |
|
  Blackbird Built for Speed Premium join:2005-01-14 Fort Wayne, IN
·Verizon Online DSL
| reply to mysec
said by mysec: ... It's ridiculous to use untrusted/unknown executables as part of this social stuff. ...
Fixed it!
This social stuff is merely a subset (however compelling) of general online computer usage. If there's one lesson that needs to be hammered home to new or young users is to never, without exception, use any such executables under any circumstances without first thoroughly checking them out or checking with somebody knowledgeable who can check them out. -- If God wanted us to work with electrons, He'd make them big enough to see... |
|
 mysec Premium join:2005-11-29
2 edits | said by Blackbird: This social stuff is merely a subset (however compelling) of general online computer usage. If there's one lesson that needs to be hammered home to new or young users is to never, without exception, use any such executables under any circumstances...
I have no quarrel with that policy, and I've advised the teenager I referred to, to continue with that, as she has always done.
My beef is that Facebook has embarked on waters where its users are in a boat with no life raft, which should be provided by Facebook as a policy to screen all applications put up by its third-party developers.
Their policy is to put the onus on its users, which will result in
1) more users becoming victims
2) users with good security policies missing out on what should be a useful and fun place by avoiding these applications altogether, unless:
said by Blackbird: ... without first thoroughly checking them out or checking with somebody knowledgeable who can check them out.
Agreed, but in this case, Facebook has created a mess, since use of these types of applications is so common on the site.
---- rich |
|
  Blackbird Built for Speed Premium join:2005-01-14 Fort Wayne, IN
·Verizon Online DSL
| said by mysec: ... My beef is that Facebook has embarked on waters where its users are in a boat with no life raft, which should be provided by Facebook as a policy to screen all applications put up by its third-party developers. Their policy is to put the onus on its users, which will result in 1) more users becoming victims 2) users with good security policies missing out on what should be a useful and fun place by avoiding these applications altogether ...
Which brings us full circle to one of the growing problems with all too many corporations in the early 21st Century: a myopic focus on the bottom line extinguishing a genuine sense of social responsibility, particularly in a world of rampant litigation.
I'm convinced that the reason for Facebook not screening all apps are the up-front costs to perform meaningful screening and Facebook's risk of liability when attesting (whether by overt 'certification' or by merely accepting) an app as "safe". So, indeed, the onus is being kicked on down to the user, irregardless of whether the "user" has the experience or judgement needed to navigate the resulting Facebook safely. In some ways, this practice seems like giving bright, shiny toys to toddlers and expecting those toddlers to make smart determinations regarding parts that can be swallowed or paint that contains lead...
I believe what Facebook (and some other similar sites) fail to realize is that at some point, the risks and damaging fallout of using their services with wide-open apps will eventually become so blatant and so obvious to even the inexperienced that the user base will plummet. Word - good, bad, and even erroneous - does travel in this interconnected age. -- If God wanted us to work with electrons, He'd make them big enough to see... |
|
 mysec Premium join:2005-11-29 | You've said it all in a nutshell.
I don't know if there is any solution other than to spread the word, which I've done in contacting several families.
---- rich |
|
 TeMerc
join:2004-01-22 Phoenix, AZ
| reply to TeMerc Posted by Caroline McCarthy January 7, 2008
Good riddance: Facebook has banned the "Secret Crush" application due to its affiliation with a notorious spyware manufacturer.
The social-networking site confirmed the breakup on Monday: "Facebook is committed to user safety and security and, to that end, its Terms of Service for developers explicitly state that applications should not use adware and spyware," a statement from the company read. "We have contacted the developers and have disabled the Secret Crush application for violating Facebook Platform Terms of Service."
»www.news.com/8301-13577_3-984317···1_3-0-20 |
|
 TeMerc
join:2004-01-22 Phoenix, AZ
| reply to TeMerc PG weighs in on the whole Facebook\Zango thing and oddly enough, or rightly so, is almost on Zango's side. Ya you read that right.
Like everyone else, I went "ooooh" when I first heard about this. For those who don't know, an application on Facebook - when you installed it - "installed Zango spyware" (according to the numerous writeups), meaning the Zango Adware was the final destination, the main reason, for making this application in the first place.
However, Zango came out swinging with their latest blog post and also claimed they have no affiliation with the makers of the Secret Crush application, which seems a little odd considering the maker of the application would have no direct incentive to install their Adware if they didn't have an account with them.
They also posted up a screenshot that seems to show the application merely showing randomly selected adverts - not just an advert for Zango »www.vitalsecurity.org/2008/01/so···-on.html |
|