
Trojan.FBClicker.A

Loredana BOTEZATU

February 16, 2011


First Encounter

If you’re wondering where you might pick up this clicker, Trojan.FBClicker.A is distributed through a social networking application that, in exchange for a “Like”, leads the user to a plethora of external websites rigged with malware.

Setting the scene

Once on the system, FBClicker obeys a “safety first” directive: it checks whether it is running in a virtual machine (VMware) and whether processes such as Wireshark.exe or tcpview.exe are running. The idea behind this step is to stay as undetectable as possible, since both this clicker and the downloader accompanying it send critical data gathered from the compromised system to their command and control center.

Furthermore, antivirus components such as MSASCui (Microsoft® Windows® Defender) and msmpeng (the Microsoft Windows Defender antispyware engine) are uninstalled, if found. This way, nothing stands in the way of its malicious actions.

Getting the job done

Before going any further, FBClicker checks for the presence of files called ranga, xanga and panga and, if found, deletes them together with their associated Registry keys; these files are actually older versions of the same malware.

In order to access the Internet whenever it wants, FBClicker adds exceptions to the Windows Firewall, thus opening a hole that is put to use once the commands from the C&C center start pouring in.

Receiving the commands from the C&C center

FBClicker can change the browser’s homepage and redirect the browser to certain webpages, a common practice amongst adware applications. By changing the search engine and visiting webpages, the attacker can squeeze extra money from affiliate campaigns, pay-per-click advertising and so on. It also receives from the C&C the interval it has to sleep between opening successive web pages in the default browser.

Other supported commands are:

– REMOVE – tells the clicker to flee the scene, an approach meant to shield the botmaster from cyber-crime forensics when things get out of control;

– DOWNLOAD – useful especially when the clicker would like to invite its malicious friends over to a fiesta on the already infected computer;

– UPDATE – used only when the botmaster rolls out a new version of the clickbot with extra features or better obfuscation;

– Last, but not least, there is the MSN command, which triggers automatically once every 23 minutes and spreads various messages and links to all contacts in MSN Messenger, if present.

In order to minimize suspicion, FBClicker doesn’t start its job at once, but rather waits for at least an hour before getting down to business. And for the story to be complete, this clicker and downloader also has a worm component, which creates an autorun.inf file and a copy of itself on every USB stick that is plugged into the system.
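The USB worm component relies on an autorun.inf that launches a copy of the malware stored on the stick itself. The following inspector, an added example that is not code from the article or from Bitdefender, parses an autorun.inf and flags the tell-tale pattern: a launch entry pointing at an executable carried on the removable drive. The sample autorun.inf and its file names are constructed for illustration.

```python
"""Flag autorun.inf files that launch an executable carried on the same drive.

Added illustration only; the sample below is constructed and does not
reproduce any file dropped by Trojan.FBClicker.A.
"""
import configparser
import io

# Constructed sample in the generic USB-worm shape: autorun.inf plus a
# relative path to a copy of the malware on the stick.
SAMPLE_AUTORUN = """[autorun]
open=recycler\\update.exe
shellexecute=recycler\\update.exe
shell\\open\\command="recycler\\update.exe" /silent
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# autorun.inf entries that can start a program on insertion or open.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a lower-cased key -> value dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_file(io.StringIO(text))
    return dict(cp["autorun"]) if cp.has_section("autorun") else {}


def launch_program(value: str) -> str:
    """Extract the program path from a launch value, honouring quotes."""
    v = value.strip()
    if v.startswith('"') and '"' in v[1:]:
        return v[1:v.index('"', 1)]
    return v.split()[0] if v else ""


def find_launch_targets(text: str) -> list:
    """Executables that autorun.inf would launch from the drive itself."""
    targets = set()
    for key, value in parse_autorun(text).items():
        if key not in LAUNCH_KEYS:
            continue
        program = launch_program(value)
        # A relative path (no drive letter, env var or root) lives on the stick.
        on_drive = ":" not in program and not program.startswith(("%", "\\", "/"))
        if on_drive and program.lower().endswith(EXEC_SUFFIXES):
            targets.add(program)
    return sorted(targets)


def is_suspicious(text: str) -> bool:
    """True when autorun.inf points at an executable stored on the stick."""
    return bool(find_launch_targets(text))
```

A benign autorun.inf that only sets a label or an icon is not flagged; one that launches an executable by drive-relative path is.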

This article is based on the technical information provided courtesy of Răzvan Benchea and Doina Cosovan, BitDefender Virus Analysts.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
