09/14/2012, Author: Sabrina Berkenkopf

Curiosity can have dire consequences on the Internet!

Attackers use Facebook to distribute malware pretending to be a photo

For some days, G Data Security Labs have been observing a campaign on Facebook that is trying to infect as many Facebook users as possible with malware. Messages that contain nothing but a hyperlink to file hosting service Sendspace are sent to the users' contacts.

The malware tries to disguise itself

Screenshot of a Facebook chat window with a URL which leads to a malicious fileThe displayed URL, which is generated randomly, provides no information about the type of file behind it. When the file is downloaded, it appears to be an image at first; at least that is what the displayed icon suggests.
Screenshot of the file icon and the file name. Both suggest that this is an image file

However, a look at the file extension reveals that it is actually a screensaver, which is indicated by the file extension .SCR and is an executable file. Current versions of Microsoft Windows, however, do not automatically display the file extension. Hence the visual disguise tempts unsuspecting users to click on the supposed image, thus making their computers accessible to attackers.

When a user double-clicks the file, no image appears; it looks like nothing happens. However, a look at the process monitor reveals that something is actually happening: the inconspicuous .SCR file turns out to be an executable malware file. The attackers have renamed the extension of the malware code from .EXE to .SCR to camouflage it further in addition to the icon. This renaming of the extension has no effect on whether the file can be executed.
G Data detects the described malware as Backdoor.Ircbot.ADKX and Win32:SdBot-HER [Trj].

The malicious functions

  1. On the one hand, the malicious file has a bot function; it has the IRC protocol embedded to use the specified login data to automatically join a defined chat room and wait for commands and updates from the bot master there.

  2. On the other hand, the file also has the properties of a worm. The worm functionality has been included for spreading the malware file. Even though the basic properties of a worm are prepared in the source code, no explicit actions and destinations have been implemented yet. However, these could be loaded via an IRC connection at any time.

  3. But wait, there's more: The file also has the option to create malicious autorun.inf files and load them onto portable devices (USB stick, multi-media hard drive).

  4. In the source code, no code has been identified that points directly to the spreading of the malware file or links to it on Facebook. However, since this is an IRC-based bot, it can receive commands to do this or download new malware files that perform this task at any time.

 
Since the start of the campaign, the file has been updated at least once and packed in a more complex way using changed packers to make it more difficult for AV software to detect the file. The file name has also been changed.

The attackers can use a different file hosting service for distributing their malicious files at any time and can also exchange the actual malicious file at any time in order to infect their victims with a different type of malware.

Facebook tips

  • Use an up-to-date, comprehensive security solution with a virus scanner, firewall, web and real-time protection. A spam filter that protects you from unwanted spam mails also makes sense.
  • Have the file extensions displayed in your Microsoft Windows operating system. Instructions for the different versions as well as a fix-it are available on the Microsoft website "How to show or hide file name extensions in Windows Explorer".
  • Do not click on links or file attachments in emails and social networks without pausing to think first. The files or website could be infected with malicious code. If a message from a friend seems strange, users should first check if it is authentic.
  • Users should not surf the net while logged on to services such as social networks. Cyber fraudsters might be manipulating the session.
  • Users should always log off from services such as social networks when they are done using them. This is particularly important if they are using a public computer, e.g. in a library, but it also makes sense on the home PC.

Share this article

G DATA | Trust in German Sicherheit