For some days, G Data Security Labs have been observing a campaign on Facebook that is trying to infect as many Facebook users as possible with malware. Messages that contain nothing but a hyperlink to the file hosting service Sendspace are sent to the users' contacts.
The displayed URL, which is generated randomly, provides no information about the type of file behind it. When the file is downloaded, it appears to be an image at first; at least that is what the displayed icon suggests.
However, a look at the file extension reveals that it is actually a screensaver: the extension is .SCR, and screensavers are executable files. Current versions of Microsoft Windows, however, do not display file extensions automatically. Hence the visual disguise tempts unsuspecting users to click on the supposed image, thus making their computers accessible to attackers.
When a user double-clicks the file, no image appears; it looks as though nothing happens. However, a look at the process monitor reveals that something is actually happening: the inconspicuous .SCR file turns out to be an executable malware file. In addition to the misleading icon, the attackers have renamed the extension of the malware code from .EXE to .SCR to camouflage it further. This renaming of the extension has no effect on whether the file can be executed.
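Because the renamed extension leaves the executable intact, a defender can catch this disguise by checking the file's bytes rather than its icon or name. The following Python check is an added example, not G Data's tooling; the sample file names and the minimal MZ/PE header stub are constructed for the demonstration.

```python
import struct
from pathlib import Path

# Extensions Windows runs as programs even though users rarely think of them as such.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".cpl"}
# Extensions the disguise typically imitates.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def is_pe_file(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def assess(name: str, data: bytes) -> list:
    """Return the reasons this file looks like a disguised executable (empty = no finding)."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    pe = is_pe_file(data)
    findings = []
    if pe and last == ".scr":
        findings.append("PE executable delivered as screensaver (.scr)")
    if pe and last not in EXECUTABLE_EXTS:
        findings.append(f"PE header but non-executable extension {last!r}")
    if len(suffixes) >= 2 and suffixes[-2] in IMAGE_EXTS and last in EXECUTABLE_EXTS:
        findings.append("image-like double extension hiding executable type")
    return findings


def make_fake_pe() -> bytes:
    """Constructed minimal MZ/PE stub for the demo; it is not a runnable program."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\0\0" + b"\0" * 20


PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\0" * 64  # constructed PNG-like header


def scan_samples() -> dict:
    """Run the check over constructed samples: one genuine image, three disguised executables."""
    samples = {
        "holiday.png": PNG_SAMPLE,
        "DSC_0123.scr": make_fake_pe(),
        "photo.jpg.scr": make_fake_pe(),
        "report.pdf": make_fake_pe(),
    }
    return {name: assess(name, data) for name, data in samples.items()}
```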
G Data detects the described malware as Backdoor.Ircbot.ADKX and Win32:SdBot-HER [Trj].
Since the start of the campaign, the file has been updated at least once and repacked in a more complex way using different packers, to make it more difficult for AV software to detect. The file name has also been changed.
The attackers can use a different file hosting service for distributing their malicious files at any time and can also exchange the actual malicious file at any time in order to infect their victims with a different type of malware.