Contrary to our earlier post, rather than using the "Like" feature, we now think the malware was spreading by posting directly to Facebook accounts. The posted link used the Like feature's icon rather than icons used by Links or Videos.
Here's what Facebook search revealed a couple of hours ago:
And this is an example from a user's Wall:
The "LOL, just found new tube site" link didn't reference any .php as the others.
Here you can see the same site, newtubes.in, was used on Sunday:
The subject was "Boobs Too Big For Seatbelt".
The bad guys attempted, and failed, to launch their attack during the Memorial Day holiday weekend, with big boobs.
As mentioned earlier today, the attack site was Geo-IP and OS aware, and focused only on USA/UK IP addresses. All others were safely redirect to youtube.com. It also employed anti-analysis evasion techniques, such as blocking IP address that visited too frequently. This was a highly professional attack using well developed techniques.
