A few months ago, at least prior to February 7th, Sality operators pushed a new piece of malware onto their P2P network of infected bots. The malware in question hooks into Internet Explorer using its standard COM interface and gathers credentials submitted via web forms. February’s variant treated Facebook, Blogger, and Myspace logon information differently: on top of stealing the username/password and sending it to a Command and Control (C&C) server, the information was also dumped to an encrypted file on the user’s compromised computer. At that time, the plausible guess was that these credentials would be used by upcoming malware – the Sality programmers are very imaginative.
This was confirmed last weekend. The newest Sality package contained a new piece of malware, on top of their usual spam/web relays. The malware searches for the encrypted files containing either Facebook or Blogger credentials (Myspace is left aside). If such files are found and contain credentials, the malware connects to a C&C server (74.50.119.59, hosted in Florida) to request an “action script”. Such scripts look like C programs and are interpreted by the malware itself. Their main goal is to automate Internet Explorer actions. On Monday, April 11th, the script sent when Facebook credentials were found on the local machine was the following:
The function names are self-explanatory. The script, when executed, performs the following actions:
- Create a visible instance of Internet Explorer.
- Navigate to facebook.com.
- Log in.
- Go to the Facebook app #119084674184 page: this application, named VIP Slots, has been around for a few years.
- Grant access to this application.
- Close the browser instance.
Another script was also distributed. The actions taken by this generic script were the following:
- Create an invisible instance of Internet Explorer.
- Go to google.com.
- Search for “auto insurance bids”.
- Close the browser instance.
As of today, it appears script distribution has stopped. However, new scripts could be distributed in the future as the C&C server is still up and running.
Our latest definitions detect this malware as Trojan.Gen. Facebook users may see which applications they are currently subscribed to by checking their Privacy settings > Apps and Websites page.