A new attack is spreading via Facebook and several instant messaging applications. Its chief payload is a backdoor, BKDR_LIFTOH.DLF, which allows its attackers to take control of the infected systems. It spreads by using two worms, one of which is a new variant of the rather notorious DORKBOT family.
DORKBOT, known for spreading via social media and instant messaging applications (e.g. Skype and mIRC), is now found propagating in multi-protocol instant messaging (IM) apps like Quiet Internet Pager and Digsby.
These apps enable users to communicate via various IM apps. Digsby supports AIM, MSN, Yahoo, ICQ, Google Talk, Jabber, and Facebook Chat accounts while Quiet Internet Pager supports at least four different IM services. Thus, this malware may potentially affect more users because of its wider launchpad for propagation.
Detected as WORM_DORKBOT.SME, this worm sends out shortened URLs to the contacts found in the IM client of the infected system. These URLs point to a file, which is actually an updated copy of DORKBOT uploaded to the file-hosting site Mediafire. This is probably a maneuver to evade detection and to make removal from the system harder.
Aside from its propagation routines, DORKBOT is also known for its capability to steal login credentials by hooking APIs to certain web browsers.
WORM_DORKBOT.SME is downloaded by the main payload, BKDR_LIFTOH.DLF. One of the commands that this backdoor receives from its C&C server is to download and execute other malware. The command also contains the URL from which the file is to be downloaded. This time, however, the file is hosted on Hotfile.
Moreover, this backdoor also has the capability to update its configuration based on instructions from its C&C server.
Figure 1. BKDR_LIFTOH.DLF configuration
In the screenshot above, the configuration consists of the C&C servers, connection timeout, maximum number of connection attempts, and malware build version. This shows that the malware can switch to different C&C servers to remain undetected. On the other hand, its buildid field is build1, which means that the malware is in its first version, and we can possibly see other versions of this backdoor in the near future.
Aside from WORM_DORKBOT.SME, this backdoor also downloads another piece of malware, which is detected as WORM_KUVAA.A. This worm searches for the c_user and xs Facebook cookies on the infected system in order to bypass Facebook authentication. It then checks whether the following browsers or applications are running in memory:
- Internet Explorer
- Facebook Messenger
Figure 2. Utilizing Facebook features, c_user and xs cookies and fb_dtsg