Archived Blog Hosting Malware

03.31.2008

Websense Security Labs has been tracking the use of as a hosting site for malware for several months. The popular Web 2.0 social networking Web site, ranked 252 by Alexa (Alexa Ranking), is both the largest Facebook application developer and a free and easy place to host malware.

Based on our tracking of the various ways malware is hosted on the site, it appears most popular with attackers targeting Spanish- and Portuguese-speaking audiences. We have seen targeted attacks with fake YouTube email lures in Portuguese that link to malware hosted on

Screenshot of Portuguese YouTube Lure:

We have also been tracking several Trojans that connect and download more malware from The Trojans connect to a Web site to read a config file, and then download more malware. The malware is then spread via email. Many of the email messages include links to malware hosted at

Screenshot of Config File:

Apparently, does not check file types uploaded to the site. On a page that hosts malware, the malware is served as "Content-Type: image/jpeg". The Linux file command, however, identifies the file as "MS-DOS executable PE .... PECompact2 compressed".

Screenshot of WGET of URL:

Screenshot of File Command:
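The mismatch described above, a response labelled "image/jpeg" whose body is a PE executable, can be caught at upload time or at a proxy by comparing the declared type with the file's leading bytes. The following Python is an added example, not code from the original post; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Leading "magic" bytes for the image types a photo host expects to serve.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Content types under which serving a Windows executable is at least honest.
PE_TYPES = {"application/octet-stream", "application/x-msdownload",
            "application/vnd.microsoft.portable-executable"}


def is_pe(body: bytes) -> bool:
    """True if body has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(declared: str, body: bytes) -> str:
    """Compare a declared Content-Type with what the body's first bytes say."""
    mime = declared.split(";", 1)[0].strip().lower()
    if is_pe(body):
        return "ok" if mime in PE_TYPES else "pe-mismatch"
    magics = IMAGE_MAGIC.get(mime)
    if magics is not None and not body.startswith(magics):
        return "image-mismatch"
    return "ok"


def sample_pe() -> bytes:
    """Constructed 68-byte header: MZ stub, e_lfanew = 0x40, PE signature."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00"


# Constructed JPEG/JFIF prefix, not a complete image.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)

if __name__ == "__main__":
    for ctype, body in (("image/jpeg", sample_pe()), ("image/jpeg", SAMPLE_JPEG)):
        print(f"{ctype:12} -> {classify(ctype, body)}")
```

Packing does not hide a file from this kind of check: the file command output quoted above still identifies the packed sample as a PE executable.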

Security Researcher: Ali Mesdaq
