{
	"id": "15a7c821-714e-48f2-af0f-c6c88f7210f9",
	"created_at": "2026-04-06T00:21:41.979276Z",
	"updated_at": "2026-04-10T03:20:56.630165Z",
	"deleted_at": null,
	"sha1_hash": "688196da6bb321d988281fffa70d98f3dfd25e90",
	"title": "ZeuS spreading via Facebook | eternal-todo.com",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 331448,
	"plain_text": "ZeuS spreading via Facebook | eternal-todo.com\r\nArchived: 2026-04-05 16:10:26 UTC\r\nBotnet\r\nMalware\r\nPDF\r\nSocial Networking\r\nVulnerabilities\r\nZeuS\r\nZeuS is still the talk of the town. It's downloaded through fake antivirus, downloaders and several exploit kits. Of course, the best-known social networking site couldn't be left out of this. Last week we could see some Facebook messages like the following:\r\nThe link in the message would take the users to a Facebook phishing page where they were requested to authenticate. Simultaneously, obfuscated JavaScript code was being executed, creating a hidden iframe in the page body:\r\nThis iframe redirected the user to another web page with two more iframes:\r\nhttp://eternal-todo.com/blog/zeus-spreading-facebook\r\nPage 1 of 5\n\n\u003ciframe g1g=\"321\" src=\"xd/pdf.pdf\" l=\"56\" height=\"31\" width=\"13\"\u003e\r\n\u003ciframe g1g=\"321\" src=\"xd/sNode.php\" l=\"56\" height=\"31\" width=\"13\"\u003e\r\nAfter advancing further, we arrived at a directory listing on the same server:\r\nThe PDF file intended to be downloaded was a malicious file executing obfuscated JavaScript code and containing three vulnerabilities, which were exploited depending on the PDF reader version in use:\r\nThe three exploits had identical shellcode:\r\nAs can be seen, the shellcode allowed downloading and launching a binary from the URL of the last image.\r\nThis binary was a ZeuS sample, version 1.3.2.4, which was installed in the system as sdra64.exe.\r\nOn the other hand, the sNode.php file would try to exploit a Flash vulnerability through the execution of the nowTrue.swf file after loading into memory a shellcode very similar to the previous one, but in this case the binary was downloaded from the following URL:\r\nhxxp://109.95.115.35/fsp/load.php?id=5\r\nThis binary had a different MD5, but its behavior was identical, being a version 1.3.2.4 ZeuS too.\r\nAdditionally, when the requested data is filled in on the Facebook phishing page, it is sent to another URL. At the moment of the analysis this URL contained an incorrect domain and did not redirect correctly:\r\nHowever, after replacing this malformed domain with the server's IP, it became possible to get to the intended web page, where a pop-up would inform about the need to update the Adobe Flash Player version and provide a new binary called update.exe to do it. There was another link on the same page to download another binary, photo.exe, with the same MD5 as update.exe. Both of them have a different MD5 than the rest of the binaries discussed, but they still have the same behavior: version 1.3.2.4 ZeuS.\r\nIf unfortunately any of you have visited any of the mentioned links, you can check whether you are infected by following the tips published some months ago.\r\nSubmitted by jesparza on Tue, 2010/02/02 - 12:45\r\nSource: http://eternal-todo.com/blog/zeus-spreading-facebook",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://eternal-todo.com/blog/zeus-spreading-facebook"
	],
	"report_names": [
		"zeus-spreading-facebook"
	],
	"threat_actors": [],
	"ts_created_at": 1775434901,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/688196da6bb321d988281fffa70d98f3dfd25e90.pdf",
		"text": "https://archive.orkl.eu/688196da6bb321d988281fffa70d98f3dfd25e90.txt",
		"img": "https://archive.orkl.eu/688196da6bb321d988281fffa70d98f3dfd25e90.jpg"
	}
}