Malware targeting Facebook

June 18, 2010

SonicWALL UTM Research team observed reports of a new Facebook malware being spammed via private messages through Facebook. The message pretends to contain link to a photo album but eventually leads to download of the malware.

Thousands of users were reportedly affected by this malware. Messages sent by the malware from the infected machine looks like:

  • "You? I find it on google. http://www.onli(REMOVED)albums.org/Ephraim_Garlit"
  • "That yours? I find it on google. http://www.onli(REMOVED)albums.org/Rhoda_Octavia"

If the recipient user clicks the link, it leads them to a malicious site that looks like:

screenshot

Malware gets downloaded when user clicks on the photo album:

screenshot

If the user attempts to open the downloaded executable it will perform following activities:

  • It displays a dialog box showing a fake message of filetype not supported by OS:

    screenshot

  • It drops three malicious executable files and executes them:
    • (TEMP)1.exe
    • (TEMP)2.exe
    • (TEMP)3.exe

Process 1.exe

This process scans for any open Internet Explorer or Firefox instances and terminates them to ensure that code injected by process 3.exe gets executed during next browsing session.

Process 2.exe

This process performs following file and registry modifications:

  • Drops a copy of itself at (Application Data)dfw.exe [Detected as GAV: Kbot.ANJ (Trojan)]

  • Adds registry entry HKLMSOFTWAREMicrosoftWindowsCurrentVersionRundfw.exe: ""(Application Data)dfw.exe"" to ensure that it runs on system restart.

  • Memory dump showing the strings related to Facebook during this process run:

    • screenshot

Process 3.exe

  • Scans for security related processes like Kaspersky, F-Secure, Comodo and terminates them when found.

  • Attempts to disable System Restore functionality.

  • Drops a malicious DLL at (Application Data)Windows Serverckiobo.dll [Detected as GAV: Small.ACMO (Trojan)]

  • Adds registry entries
    • HKLMSYSTEMControlSet001ControlSession ManagerAppCertDllsAppSecDll: "(Application Data)Windows Serverckiobo.dll"
    • HKLMSYSTEMCurrentControlSetControlSession ManagerAppCertDllsAppSecDll: "(Application Data)Windows Serverckiobo.dll"

  • Injects malicious DLL code into the memory which gets executed when user attempts to connect to Facebook via IE or Firefox.

  • Deletes itself.

Following HTTP requests were initiated by the malware once the user logs onto Facebook on an infected machine:

  • GET /message.php?subid=284&version=_nn2&id=(REMOVED)XAOBd00TglD6O HTTP/1.1 Host: smartcontrol.info
  • GET /ab/setup.php?act=filters&id=(REMOVED)Qf7E4s2t&ver=2 HTTP/1.1 Host: spmfb3309.com
  • POST /ab/setup.php?act=data HTTP/1.1 Host: spmfb3309.com

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Kbot.ANJ (Trojan) signature.