Update from Facebook:
- The Facebook security team been actively tracking this botnet and providing McAfee AV to the victims (via Scan and Repair)
- The sample covered is out of date, and the malware now works differently
- Any users infected with this malware should be pointed to the McAfee self-checkpoint on.fb.me/InfectedMcA
Malware authors are fond of using social networking sites to spread their well crafted malwares. We have recently discovered a botnet malware that receives commands from a remote attacker and spreads through different messengers to reach a victim’s machine.
These bots mostly come with the filename Picturexx.JPG_www.facebook.com.
This malware is designed to post a download URL in chat windows of different messengers including ICQ, Skype, GTalk, Pidgin, MSN, YIM, and Facebook’s web chat.
The victim sees a chat window from an unknown contact with a link promising some interesting video. This is a typical trick used by malware authors. When the user clicks the link, malware gets downloaded to the machine, and infects it.
The chat window that appears to victims looks very real.
Once the malware has successfully executed on the victim’s machine, it bypasses the firewall in two ways:
- Directly with netsh, by using the command line “netsh firewall allowed program”
- By modifying the firewall policy, making a registry modification to add an allowed program, the malware
A sample copy is dropped into the Windows folder and flagged with system, hidden, and read-only attributes.
The malware chooses any of the following paths to drop a copy:
A run entry is made to ensure that the sample is reloaded when the machine reboots.
The malware does a series of checks for antimalware scanners, Windows updates, and even Yahoo updates and then disables them:
Once a service is selected, the malware runs a routine to disable it. The malware also changes the Internet Explorer start page, and modifies the preference file of Chrome and Firefox.
This bot receives commands from a remote attacker. The sample copy dropped in the Windows folder is mdm.exe. We can see the commands sent by the remote attacker and what they mean below:
The malware enumerates chat windows in the victim’s machine and posts its lure, the message that promises an interesting video. The operation works like any other spam in a chat window: The malware finds Skype’s or another window and posts the message using PostMessageA.
We can see below how a request is sent for a chat request on Facebook’s chat window with POST /ajax/chat/buddy_list.php:
This worm spreads through Facebook with the help of the ajax command and appears in the chat window, making the user believe that the message came from one of the victim’s contacts.
Fortunately, removing this worm from the victim’s machine is relatively easy. We kill the running instances of this process using Process Explorer or Task Manager. The start-up entry made by the malware must be cleared as well to avoid its reloading after rebooting.
McAfee’s Scan and Repair tool will remove this malware by check-pointing the victim. We advise customers to keep their antimalware software updated and to not click unknown links.
Let’s face it: Most people–even folks in the security industry–have a hard time explaining botnets (robot networks of infected computers) in a way that your Uncle Joe or Aunt Betty can understand. Is it really a big deal? Yes, it is. With the rapid growth in malware and bot infections we’re seeing, it’s important for everyone to get up to speed on this threat vector. So we got colorful and created an “infographic” that, we hope, nails the botnet lifecycle and economics just right–not too technical, not too simple. If you like it, please feel free to repost. It’s issued under a Creative Commons License. You can download the JPG here.