In a blog post on MalwareCity yesterday, my colleagues told you about Anonymous' intention to release a “highly sophisticated” piece of malware via Facebook. While scrutinizing the popular social network, Safego, the free Bitdefender tool designed to protect your online social life, encountered something that fits the description provided by the hacking group quite well.
Currently detected by the Bitdefender antimalware solutions as Backdoor-Bifrose-AAJX, this piece of malicious code was initially spotted in the wild around July 8, which corresponds to the date mentioned in the Anonymous video released yesterday. The same day, it appeared on Facebook under the guise of a scam purporting to offer a “New Facebook Video Chat with Voice Features”, according to its description (which, by the way, is in Arabic). The unwary user who follows the link is prompted to download an archive named scan_facebook.zip.
Once it compromises a system, Backdoor-Bifrose-AAJX does pretty much what the hacktivists say it does: it injects itself into the Internet Explorer process, gives a remote attacker unhindered access to the compromised system, records keystrokes and kills several processes belonging to known antimalware solutions, if they are installed on the computer. However, it does not have the self-replication component Anonymous said it should have. It does connect to a remote server in Egypt, which is something the video “forgot” to mention.
So, could this be the newly born malware superstar called the Fawkes Virus? From our experience in detecting, studying and protecting against social threats, a Facebook worm that is well written and backed by a clever social engineering strategy should spread pretty rapidly. Consequently, it should affect a lot of users lacking protection, whether that protection covers their computers in general or their social networking accounts in particular.
So far, although this threat resembles quite closely what Anonymous claims to be its ultimate weapon in the battle against other groups or individuals undermining its interests, it maintains a rather low profile. Is Anonymous trying to hoodwink us? Does such malware actually exist? If it does, did Anonymous actually release it, or is the group just trying to gauge users' reaction to such a threat?
Together with my colleague from the Antimalware team, Razvan Benchea, who helped me with the analysis and whom I thank for his quick response, we’ll keep a close eye on this malware breed and let you know as soon as something out of the ordinary shows up. Meanwhile, just to be sure that your Facebook accounts are safe and secure, we strongly suggest you take a quick look at our Facebook Security Whitepaper and install our free security solution for social networking, Bitdefender Safego.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.