How Kilim spreads malware on Facebook under the guise of porn links

Were you shocked to see a porn video link on a friend's Facebook page recently? Has anyone tagged you in a similar post without your consent? Are you thinking the person might be a pervert and planning to block them? Don't: the person is absolutely innocent, and what is behind the entire saga is malware.

Belonging to the notorious Kilim family, the malware may infect your computer and then spread itself using your Facebook account.

How it works

  • Malwarebytes reports that the malware uses a multi-layer redirection architecture built on the ow.ly URL shortener, Amazon Web Services and Box.com cloud storage.
  • For the uninitiated, a URL shortener is a utility website that shortens a URL (website address) so that it can be easily forwarded or shared. A shortened URL first takes the user to the shortening service, which then forwards the user to the desired website.
  • The malware hides behind such a shortened URL. Once it is clicked, the victim is forwarded to another shortened URL and then to an Amazon Web Services page. That page redirects the victim to a malicious website, videomasars.healthcare.
  • The website then redirects the user either to a smartphone ad or to a link stored in a box.com shared cloud storage account.
  • That box.com account runs code that downloads a Trojan (a malicious program) from box.com to the victim's machine.
  • Once the user runs the file, the machine is infected in an instant and turns into a bot that spreads the malware to all of the user's contacts and groups on Facebook.
  • Ridiculously, the malware spreads through lurid texts such as "Sex photo's of teen girl in School" followed by a shortened URL; anyone who clicks it becomes the next victim. More astonishingly, the post includes a suspicious porn image that might embarrass the victim socially.
  • The malware also adds a suspicious extension to the victim's Chrome browser so that it can operate more smoothly.
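
The layered redirection described above can be spotted in web proxy logs. The following is an added example, not code from Malwarebytes or from the original article: it rebuilds each redirect chain from logged Location headers and lists the traits it shares with the pattern above. The log records, paths, domain lists other than ow.ly and box.com, and the thresholds are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Illustrative lists; only ow.ly and box.com are named in the article.
SHORTENERS = {"ow.ly", "bit.ly", "goo.gl"}
FILE_HOSTS = {"box.com", "dropbox.com"}

# Constructed proxy records: (requested URL, HTTP status, Location header).
# All paths and bucket names are placeholders, not real indicators.
SAMPLE_LOG = [
    ("http://ow.ly/EXAMPLE1", 301, "http://ow.ly/EXAMPLE2"),
    ("http://ow.ly/EXAMPLE2", 301, "https://s3.amazonaws.com/example-bucket/a.html"),
    ("https://s3.amazonaws.com/example-bucket/a.html", 302, "http://videomasars.healthcare/"),
    ("http://videomasars.healthcare/", 302, "https://app.box.com/s/EXAMPLE"),
    ("https://app.box.com/s/EXAMPLE", 200, None),
    ("http://ow.ly/BENIGN", 301, "https://example.org/article"),
    ("https://example.org/article", 200, None),
]

def site(url):
    """Hostname cut to its last two labels (naive: no public-suffix list)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def follow_chain(log, start, max_hops=10):
    """Rebuild the hop sequence from logged Location headers, stopping on loops."""
    redirects = {u: loc for u, status, loc in log if 300 <= status < 400 and loc}
    chain = [start]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain

def assess(chain):
    """List the traits a chain shares with the layered redirection described above."""
    sites = [site(u) for u in chain]
    reasons = []
    if sites[0] in SHORTENERS and len(chain) - 1 >= 3:
        reasons.append("shortened link followed by %d redirects" % (len(chain) - 1))
    if sum(s in SHORTENERS for s in sites) >= 2:
        reasons.append("one shortener chained into another")
    if sites[0] in SHORTENERS and sites[-1] in FILE_HOSTS:
        reasons.append("chain ends on file-sharing host " + sites[-1])
    return reasons

if __name__ == "__main__":
    for start in ("http://ow.ly/EXAMPLE1", "http://ow.ly/BENIGN"):
        chain = follow_chain(SAMPLE_LOG, start)
        print(start, "->", [site(u) for u in chain], assess(chain))
```

Redirects performed by page script rather than an HTTP 3xx response leave no Location header, so in real logs those hops have to be linked through the Referer field instead.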

How to get rid of it

  • Think twice before clicking on any link. If the link is shortened, contact your friend and ask about the relevance of the link.
  • Check your Facebook extensions and apps, and immediately remove any that behave suspiciously.
  • Remove all unnecessary extensions from Chrome or any other browser immediately.
  • Avoid any link leading you to an unknown Dropbox or Box account.
  • Never download any song, video or other material from an unknown URL.
  • Never click on any porn or similar links posted on your wall. If you are tagged in any such content, remove the tag carefully and inform the victim.
  • If you're using a Windows PC, make sure your Windows Defender or Microsoft Security Essentials tool is updated.
  • If possible, buy yourself an anti-virus or all-in-one security tool from a security developer such as Norton, Kaspersky, F-Secure or ESET.
  • Even if you're using an Android smartphone, it is always recommended to buy an anti-virus app such as Lookout or Kaspersky, to name a few.
  • Download a scanner app on Facebook, such as Norton Safe Web or ESET Social Media Scanner, which can scan your entire wall for suspicious links.