Messages from facebook redirected to a possible infected site

[24ores]

The last hours i see a few messages on facebook profile saying that im tagged to a friend photo with a link under h....://195.244.61.38
a turkish site with a download link in it.I assume it is another virus,please inform me about it.

[polonus]

The redirecting domain was just recently registered: http://2013.netorginfo.com/20130131/bon.htm
Going to the site it has in Turkish

Firefox Extension Update
Please Refresh button, Firefox Add-Update your

Due to system errors and security vulnerabilities that are required by pressing the Reload button

Install Firefox Plug-in Update.

As long as you have not updated the site faydalanamayacaksınız features. 

Do you recognize having Google Enhancer firefox extension? Is it checked by firefox as a reliable extension?
The update site domain is 20 days old: http://www.statscrop.com/www/bond2-reawer.com
Nothing here: http://urlquery.net/report.php?id=1033633
But detected as a possible spammer: http://www.urlvoid.com/scan/bond2-reawer.com/ also -> (http://sitecheck.sucuri.net/results/www.bond2-reawer.com)
Probably your Google Enhancer became incompatible with firefox. The unnecessary part of the request is created by an outdated add-on for Firefox, meaning: requested URL /&sa=U&ei=KykiUebZCc7bqQG6mYHoCQ&ved=0CB8QFjAC&usg=AFQjCNFC5cnxNv7BOheL_jsiiSQ6X9UXbg.
It was going to the updater of that extension.
So nothing to worry about,

polonus

[24ores]

Τhx for your reply could you check another link  that i seen to those messages,h...://www.facebook.com/131224037048839

[Pondus]

seems it will only work when logged in.... and i don have facebook   

http://urlquery.net/report.php?id=1036022   click picture in top right corner

[24ores]

That url,  from facebook, redirects to another link h...://www.profonix--cod.tk/

[Pondus]

urlQuery   http://urlquery.net/report.php?id=1036089    see under Intrusion Detection Systems

Zulu analyser   http://zulu.zscaler.com/submission/show/c5e5dff2f24b5afe85aa8800a8b87605-1361215818

VirusTotal html scan
https://www.virustotal.com/nb/file/796d326c8274522f5245b9c12415a64d7bfb205d055f5548337f109408879243/analysis/1361216075/

First seen by VirusTotal
 2013-02-18 19:34:35 UTC ( 5 minutter ago )

Virustotal URL scan
https://www.virustotal.com/nb/url/beb1b846a2c52eb2ccddf9eca5be385eb3debe7140b9fabe3fea2f9e2d3ad7ee/analysis/1361216090/

[24ores]

Nope this one h...://www.facebook.com/131224037048839 goes to a picture and redirects to h...://www.profonix--cod.tk/
Thx for you help by the way

[Pondus]

edit above

[24ores]

Thank you for your help

[Pondus]

so seems new....
the bad guys always fish in the pond with most fish, and the biggest is facebook

[24ores]

One more address that redirects that message from facebook-h...://www.pvphosting.net/
We have a big problem in Greece as i see  from other profiles with that virus or whatever it is.

[Pondus]

tested with 5 scanners, got nothing.....yet

http://urlquery.net/report.php?id=1036211

[24ores]

Facebook moderators, as i see try for the best cleaning all those messages  from users profiles, i hope to get rid of with that virus soon.
In case i notice anything suspicious i will inform you again.
Greetings from Greece

[Pondus]

 

[polonus]

Hi Pondus,

Could it be this one: http://pastebin.com/3Yzsv0PW
See the like hostile code flagged here: http://urlquery.net/report.php?id=1036089
I reported on this earlier in our webforum section here: http://forum.avast.com/index.php?topic=102797.0 (218 views, no reactions)
Already high in the IDS alert charts during 2011:
The .tk domain is leased out and highly hostile. if you find some legitimate content in there we'd love to see it.
Other than a couple personal blogs we've been unable to do so. (And we really tried!)

 2012810 - ET CURRENT_EVENTS HTTP Request to a .tk Domain - Likely Hostile (current_events.rules)
 2012811 - ET CURRENT_EVENTS DNS Query to a .tk domain - Likely Hostile (current_events.rules)  (reported by/credits to matt jonkman-
Emerging Sigs on EmergingThreats  5/15/2011)
Also PHISHING going on from that IP - and long overdue issues -migrated from   178.211.44.113   178.211.44.113 to 46.45.177.101   


polonus