The 'Gen:Variant.Downloader.167' Trojan was first spotted by researchers at security firm Bitdefender on 13 May. It targets users of Facebook's instant messaging and Yahoo Messenger (YM) and tricks them into downloading its payload by posing as a friend asking a question.
Bitdefender chief security strategist Catalin Cosoi says it disarms people and triggers their curiosity “by asking a wonderfully polite question such as ‘I want to post these pictures on Facebook. Do you think it's OK?’.” The malware also reassures victims by linking to Dropbox or Fileswap, file-storage services commonly used for sharing files, where the pictures can supposedly be viewed.
The Trojan has several capabilities: it can harvest user credentials, download additional malware, or carry out whatever its command-and-control (C2) server instructs. Once it has infected a user, it reads their contact list and sends itself on to their friends, so each victim becomes the lure for the next.
Bizarrely, the malware also conceals some of its encrypted data among biblical verses, specifically fragments of Paul's first epistle to the Corinthians, such as “Paul, called [to be] an apostle of Jesus Christ through the will of God, and Sosthenes [our] brother”.
Bitdefender says it has so far blocked the Trojan on more than 1,300 systems, mainly in Romania, Germany, Canada and Japan, with a handful of cases in the UK and elsewhere.
Cosoi told SCMagazineUK.com by email: “So far only a few systems in the UK have been detected as hosting the Trojan. However, numbers could rise from one day to another as the Trojan is spreading via Facebook and Yahoo Messenger and looks like it is coming from a friend.”
Downloader.167 has so far been seen only on Facebook and YM but could move to other messaging platforms. “The Trojan is not platform-limited,” Cosoi said. Bitdefender has not identified the country or region it originates from.
Cosoi told SC its polite approach “definitely works, especially because victims themselves are the ones infecting future users. Many people fall for the scam because it uses social engineering. It's hard not to click on a Dropbox or Fileswap link loaded with pictures of your friends awaiting validation!”
Other industry experts pointed to the threat it poses to organisations through its disarming approach and its spread on ‘friendly’ social media platforms.
Bob Tarzey, director of independent analyst and research firm Quocirca, told SCMagazineUK.com: “The clever thing about using Facebook and making messages seem to come from ‘friends’ is the level of trust we are likely to place in it and also the more casual way in which we use such tools.
“When using email for business a well-informed user will tend to be on their guard, whilst Facebook tends to be a more relaxed place for contacting friends.”
Fran Howarth, senior security analyst at Bloor Research, agreed: “One of the greatest dangers to organisations of exploits such as these is that many users have a preference for using services such as Facebook and Yahoo that are largely out of the control of IT in many organisations.
“Organisations should respond by placing controls around the use of such social media and other instant messaging applications, such as by blocking the ability to download files through such services or click on links that they contain.”
Howarth added: “The use of socially engineered text is a key method of spreading malware via instant messaging systems as such messages appeal to the interests of users, in this case of social media sites, as they appear to originate from their friends. Such threats have been in existence for the past decade or so, but instant messaging continues to grow in popularity.”
Bitdefender said that, once on a user's machine, the Trojan installs itself in a newly created folder with a random name and an .EXE extension.
It then displays a fake Windows compatibility error to allay suspicion, which reads: “This application is not compatible with the version of Windows you're running. Check your computer's system information to see whether you need an x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.” The downloader can also restart and update itself.
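A cheap triage check built on the installation artefact described above, as an added example (this is not Bitdefender's detection logic): walk a filesystem and report directories, as opposed to files, whose names end in .exe. Legitimate software almost never creates such folders, so a hit is worth a look. The sample tree and every folder name in it are constructed for the demonstration.

```python
import os
import tempfile


def looks_like_exe_folder(name):
    """True if a directory name carries an .exe extension (case-insensitive)."""
    return name.lower().endswith(".exe")


def find_exe_named_dirs(root):
    """Walk root and return relative, forward-slash paths of directories
    (not files) whose names end in .exe. Files named *.exe are ignored,
    because they are ordinary; a *folder* named *.exe is not."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if looks_like_exe_folder(d):
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample filesystem (names made up for this demo): two
    ordinary application folders, a legitimate setup.exe *file*, and two
    suspicious *folders* whose random-looking names end in .exe."""
    os.makedirs(os.path.join(root, "Program Files", "Notepad++"))
    os.makedirs(os.path.join(root, "Users", "alice", "Downloads"))
    with open(os.path.join(root, "Users", "alice", "Downloads", "setup.exe"), "wb") as f:
        f.write(b"MZ")  # a normal executable file; must not be flagged
    os.makedirs(os.path.join(root, "Users", "alice", "AppData", "Roaming", "x8f3kq2p.exe"))
    os.makedirs(os.path.join(root, "Temp", "LOADER.EXE"))


def demo():
    """Build the sample tree in a temporary directory and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_exe_named_dirs(root)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious folder:", hit)
```

On a real host, point `find_exe_named_dirs` at the user profile and temp directories rather than the whole disk; because the folder name is random, a hit gives you nothing to pivot on by itself, so each one needs a manual look at its contents.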