
"Can I Post These Pictures on Facebook?" Polite IM Trojan Asks

Bianca STANESCU

May 28, 2014

Over 1,300 systems got infected with the latest Instant Messaging Trojan, which uses polite social engineering and biblical verses to hide encrypted data, Bitdefender warns. The antivirus software provider spotted an increasing wave of infections in the past week in countries such as the US, the UK, Germany, Canada, France, Denmark, Japan and Romania.

After gaining access to users’ contact lists, Gen:Variant.Downloader.167 distributes itself through Facebook’s instant messaging and Yahoo Messenger from one friend to another. Besides being wonderfully polite, the Trojan also hides some of its encrypted data between biblical verses. The data is eventually decrypted with numbers generated by a mathematical processor.

It all starts when users receive a polite question from a Facebook or YM friend whose system got infected with the malware. “I want to post these pictures on Facebook, do you think it’s OK?,” the malicious messages read. To add legitimacy, the URLs following the question belong to storage services Dropbox and Fileswap, frequently used for sharing pictures and files.

The malware is then executed on the machine, where it creates a folder with a random name and an “.exe” extension. It also shows a message box during installation.

“This application is not compatible with the version of Windows you’re running,” the message reads. “Check your computer’s system information to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.”

The downloader can restart and update itself. Bitdefender blocked the malware, as did fewer than half of the security solutions listed on VirusTotal.

In May 2013, a similar piece of malware infected thousands of Facebook users worldwide. The Dorkbot malware posed as a “jpg” image but was actually an executable file, capable of spying on browser activity and grabbing personal data. Another scam promised naked videos of Facebook friends but dropped a Trojan instead.

Attackers easily coordinate bots from a command and control server. Besides stealing usernames and passwords, botmasters may also order other malware downloads.

This article is based on the technical information provided courtesy of Cosmin TARSICHI, Octavian MINEA and George CABAU, Bitdefender Malware Researchers.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
