Kilim Facebook Worm Promises Explicit Pics

Security experts have warned of a new Facebook worm using adult content as a lure to trick desktop users into downloading malware.

The authors behind this version of the Kilim worm have “gone to great lengths to anonymize themselves” and circumvent browser protections, Malwarebytes senior security researcher, Jérôme Segura, wrote in a blog post.

If they click on what appears to be a video file promising to show “sex photos of teen girls,” victims are redirected via two links – first to an Amazon Web Services page and then a malicious site,, which apparently checks their computer.

This domain filters potential victims “by identifying which user-agent their browser is showing in possibly the most complete – but not necessarily efficient – way we have ever seen,” claimed Segura.

Those on mobile devices are merely redirected to an affiliate ad page, while desktop users are hit with a malicious file hosted on cloud storage service Box and detected as Trojan.Agent.ED.

Segura continued:

“This binary is responsible for downloading additional resources (the worm component) from another resource ( Here we find a malicious Chrome extension and additional binaries (scvhost.exe and son.exe). Additional code is retrieved by the piece of malware (perhaps in case the user does not have the Chrome browser) from a third site,, to spread the worm via Facebook.”

A rogue Chrome extension is also injected but the attackers disable the extensions page in the browser so users can’t check or remove it.

In addition, the malware creates a shortcut for Chrome which launches a malicious app in the browser straight to Facebook.

“In this ‘modified’ browser, attackers have full control to capture all user activity but also to restrict certain features,” said Segura.

“Clearly, the crooks behind this Facebook worm have gone to great lengths to anonymize themselves but also to go around browser protection by creating their own booby-trapped version.”

Once infected with the trojan, the user’s computer is effectively turned into a bot and will send out the original link to his/her Facebook contacts.

Security experts were quick to warn users to “think before they click.”

“As per usual, the advice would be to never install software that pops up from a link, especially if you didn’t specifically go to the site to install it,” said Clearswift SVP products, Guy Bunker.

“And if it looks too good to be true, then it probably is. Whether it is about free revealing photos or a really good deal on an iPad. Remember, sensationalized story headlines are great for media writers, but they are also great for phishers and malware.”

James Maude, security engineer at endpoint security firm Avecto, argued that these kind of threats will continue to evolve, and require greater alertness on the part of the user to mitigate.

“We have already witnessed such attacks using IM services to target mobile users particularly on the Android platform. Increased adoption of cloud services has also led to attackers harnessing Dropbox and AWS services to deliver malware,” he said.

“In cybersecurity we must seek to defend the user from themselves as well as the attackers. This is driving the shift towards containment and sandboxing technologies that isolate threats and protect the user.”

What’s Hot on Infosecurity Magazine?