A new attack is spreading via Facebook and several instant messaging applications. Its chief payload is a backdoor – BKDR_LIFTOH.DLF – which allows its attackers to take control of the infected systems. It spreads by using two worms, once of which is a new variant of the rather notorious DORKBOT family.
DORKBOT is known for for spreading via social media and instant messaging applications (e.g.Skype and mIRC etc.), is now found propagating in multi-protocol instant messaging (IM) apps like Quiet Internet Pager and Digsby.
These apps enable users to communicate via various IM apps. Digsby supports AIM, MSN, Yahoo, ICQ, Google Talk, Jabber, and Facebook Chat accounts while Quiet Internet Pager supports at least four different IM services. Thus, this malware may potentially affect more users because of its wider launchpad for propagation.
Detected as WORM_DORKBOT.SME, this worm sends out shortened URLs to the contacts found in the IM client of the infected system. These URLs point to a file, which is actually an updated copy of DORKBOT uploaded to the file-hosting site Mediafire. This is probably a maneuver to evade detection and easy removal from the system.
Aside from its propagation routines, DORKBOT is also known for its capability to steal login credentials by hooking APIs to certain web browsers.
WORM_DORKBOT.SME is downloaded by the main payload, BKDR_LIFTOH.DLF. One of the commands that this backdoor receives from its C&C server is to download and execute other malware. The command also consists of the URL where this backdoor will be downloaded. However, this time, the file is uploaded on Hotfile.
Moreover, this backdoor also has the capability to edit its configuration from its C&C server.
Figure 1. BKDR_LIFTOH.DLF configuration
In the screenshot above, the configuration consists of the C&C servers, connection timeout, max number of connection attempts, and malware build version. This shows that the malware can switch to different C&C servers to remain undetected. On the other hand, its buildid field is build1, which means that the malware is in its first version and we can possibly see other versions of this backdoor in the near future.
Aside from WORM_DORKBOT.SME, this backdoor also downloads another malware, which is detected as WORM_KUVAA.A. This worm searches for c_user and xs Facebook cookies on the infected system to bypass authentication for Facebook. It then checks for the following browsers or applications if running in memory:
- Internet Explorer
- Facebook Messenger
Figure 2. Utilizing Facebook features, c_user and xs cookies and fb_dtsg
The malware then utilizes the Anti-CSRF (Cross-site request forgery) token, fb_dtsg, to send spammed messages to the logged-in user’s friends. The spammed message contains the URL where its copy can be downloaded together with a suggestive picture written in 11 different languages depending on the system locale of the system.
Figure 3. Copy of the spammed message in Facebook
Figure 4. Messages written in different languages
While IM worms are not new anymore, they remain to be prevalent because cybercriminals and other bad guys are continuously refining these malware. Trend Micro protects users from these threats via its Smart Protection Network that detects these malicious files and blocks all-related URLs.
As an added precaution, you must always be on-guard when it comes to receiving files and links from contacts via IM applications. You’ll never know when the bad guys will strike next.
With additional analysis and screenshots from Threat response engineers Rhena Inocencio and Almond Rejuso
We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.