Nov 17 | 2:22 am (UTC-7) | by Jonathan Leopando (Technical Communications)
We’ve received reports about a new wave of malware spreading via Facebook, Yahoo! Messenger and Windows Live. The messages sent through these services contain the following text:
Foto
http://{BLOCKED}otoon.com/photo.php?={random numbers}
Very similar attacks via social networks and instant messengers have taken place before:
- “Obama Accident” Instant Messages Used to Spread Malware
- Shortened URLs in IM Apps Lead to a Worm
- Spam with “Pictures” Used to Spread ZBOT
- Spammed IM Link to Fake Facebook Image Leads to Malware
If anything, this is a classic tactic used by malware. This particular attack is detected as WORM_IRCBOT.PHT.
WORM_IRCBOT.PHT’s routines are not particularly novel, but that doesn’t make them any less of a problem. In addition to sending out the messages it uses to propagate, it also connects to several Internet Relay Chat (IRC) servers. This effectively makes user systems part of a botnet, as cybercriminals use these servers to send commands to the system, including downloading other malicious files. The browser home page is also changed by WORM_IRCBOT.PHT.
Recent media reports have stated that IRC-based botnets such as the one formed by WORM_IRCBOT.PHT are “dying off”, but, as this incident shows, the threat still exists. In addition, malware authors are constantly changing their tactics to stay on top of user trends, including social networking.
In addition to detecting the malicious file, Trend Micro products already block the websites hosting WORM_IRCBOT.PHT as well as the IRC servers.
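As an added illustration (not Trend Micro's code or detection logic), the sketch below flags chat messages that follow the lure format quoted above: a link to photo.php whose query string is an unnamed run of digits, optionally preceded by a one-word caption. The caption list, the verdict names and the example.test hosts are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
LURE_CAPTIONS = {"foto", "photo"}  # assumption: the page only shows "Foto"


def is_lure_url(url):
    """True for .../photo.php?=<digits>, i.e. a query with no parameter name."""
    parts = urlsplit(url.rstrip(".,;)"))
    if not parts.path.lower().endswith("/photo.php"):
        return False
    return re.fullmatch(r"=\d+", parts.query) is not None


def score_message(text):
    """Return (verdict, url) where verdict is 'match', 'suspicious' or 'clean'."""
    hits = [u for u in URL_RE.findall(text) if is_lure_url(u)]
    if not hits:
        return ("clean", None)
    # Whatever is left once the links are removed is the caption.
    caption = URL_RE.sub("", text).strip().lower()
    verdict = "match" if caption in LURE_CAPTIONS else "suspicious"
    return (verdict, hits[0])


# Constructed sample messages; the example.test hosts are placeholders.
SAMPLES = [
    "Foto\nhttp://lure.example.test/photo.php?=48151623",
    "hey check this http://lure.example.test/photo.php?=7731",
    "Foto http://album.example.test/photo.php?id=42",
    "lunch at noon?",
]


def triage(messages):
    """Verdicts only, in input order."""
    return [score_message(m)[0] for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLES, triage(SAMPLES)):
        print(f"{verdict:10} {msg!r}")
```

A named parameter such as `?id=42` is treated as clean here, so the rule keys on the empty parameter name shown in the reported messages rather than on every photo.php link.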