
    A new attack is spreading via Facebook and several instant messaging applications. Its chief payload is a backdoor – BKDR_LIFTOH.DLF – which allows its attackers to take control of the infected systems. It spreads by using two worms, one of which is a new variant of the rather notorious DORKBOT family.

    DORKBOT, known for spreading via social media and instant messaging applications (e.g., Skype and mIRC), is now found propagating in multi-protocol instant messaging (IM) apps like Quiet Internet Pager and Digsby.

    These apps enable users to communicate across multiple IM services. Digsby supports AIM, MSN, Yahoo, ICQ, Google Talk, Jabber, and Facebook Chat accounts while Quiet Internet Pager supports at least four different IM services. Thus, this malware may potentially affect more users because of its wider launchpad for propagation.

    Detected as WORM_DORKBOT.SME, this worm sends out shortened URLs to the contacts found in the IM client of the infected system. These URLs point to a file, which is actually an updated copy of DORKBOT uploaded to the file-hosting site Mediafire. This is probably a maneuver to evade detection and easy removal from the system.

    Aside from its propagation routines, DORKBOT is also known for its capability to steal login credentials by hooking APIs in certain web browsers.

    WORM_DORKBOT.SME is downloaded by the main payload, BKDR_LIFTOH.DLF. One of the commands that this backdoor receives from its C&C server is to download and execute other malware. The command also includes the URL from which the backdoor downloads the file. However, this time, the file is uploaded on Hotfile.
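
Both delivery paths described above (a shortened URL leading to a Mediafire-hosted file, and a direct download from Hotfile) leave a recognizable trail in web proxy logs. The following detection sketch is an added example, not code from the original post; the log layout, the shortener list, the extension list and all sample lines are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Assumed lists for this example; tune them to your own environment.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com"}
FILE_HOSTS = {"mediafire.com", "hotfile.com"}  # file-hosting services named in the post
EXEC_EXTS = (".exe", ".scr", ".pif", ".com")

# Constructed sample log: time client url status content-type redirect-target
SAMPLE_LOG = """\
09:14:02 10.0.0.21 http://bit.ly/EXAMPLE1 301 text/html http://www.mediafire.com/download/EXAMPLE/photo.exe
09:14:03 10.0.0.21 http://www.mediafire.com/download/EXAMPLE/photo.exe 200 application/x-msdownload -
09:20:41 10.0.0.35 http://hotfile.com/dl/EXAMPLE/update.exe 200 application/octet-stream -
09:31:10 10.0.0.40 http://goo.gl/EXAMPLE2 301 text/html http://news.example.org/story.html
09:31:11 10.0.0.40 http://news.example.org/story.html 200 text/html -
09:40:00 10.0.0.52 http://www.mediafire.com/view/EXAMPLE/notes.pdf 200 application/pdf -
"""

def base_domain(url):
    """Return the last two host labels (sufficient for the lists above)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def is_executable(url, ctype):
    """Executable by file extension or by the Windows-executable MIME type."""
    path = urlparse(url).path.lower()
    return path.endswith(EXEC_EXTS) or ctype == "application/x-msdownload"

def find_suspicious_downloads(log_text):
    """Flag executable downloads from file hosts, noting any shortener that led there."""
    pending = {}  # (client, redirect target) -> shortened URL that pointed to it
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        ts, client, url, status, ctype, target = parts
        if status in ("301", "302") and base_domain(url) in SHORTENERS:
            if base_domain(target) in FILE_HOSTS:
                pending[(client, target)] = url
        elif (status == "200" and base_domain(url) in FILE_HOSTS
              and is_executable(url, ctype)):
            alerts.append({"time": ts, "client": client, "url": url,
                           "via_shortener": pending.pop((client, url), None)})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_downloads(SAMPLE_LOG):
        print(alert)
```

Alerts with `via_shortener` set match the IM-link propagation path; alerts without it match a direct fetch such as the backdoor's download command.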

    Moreover, this backdoor also has the capability to edit its configuration from its C&C server.

    Figure 1. BKDR_LIFTOH.DLF configuration

    In the screenshot above, the configuration consists of the C&C servers, connection timeout, max number of connection attempts, and malware build version. This shows that the malware can switch to different C&C servers to remain undetected. On the other hand, its buildid field is build1, which means that the malware is in its first version and we can possibly see other versions of this backdoor in the near future.

    Aside from WORM_DORKBOT.SME, this backdoor also downloads another malware, which is detected as WORM_KUVAA.A. This worm searches for c_user and xs Facebook cookies on the infected system to bypass authentication for Facebook. It then checks whether any of the following browsers or applications are running in memory:

    • Safari
    • Opera
    • Internet Explorer
    • Firefox
    • Chrome
    • Facebook Messenger

    Figure 2. Utilizing Facebook features, c_user and xs cookies and fb_dtsg

    The malware then uses the anti-CSRF (cross-site request forgery) token, fb_dtsg, to send spammed messages to the logged-in user’s friends. The spammed message, written in one of 11 different languages depending on the system locale, contains the URL where its copy can be downloaded together with a suggestive picture.


    Figure 3. Copy of the spammed message in Facebook

    Figure 4. Messages written in different languages

    While IM worms are no longer new, they remain prevalent because cybercriminals and other bad guys are continuously refining this malware. Trend Micro protects users from these threats via its Smart Protection Network, which detects these malicious files and blocks all related URLs.

    As an added precaution, you must always be on guard when it comes to receiving files and links from contacts via IM applications. You’ll never know when the bad guys will strike next.

    With additional analysis and screenshots from Threat response engineers Rhena Inocencio and Almond Rejuso


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice