A new worm has popped up on Facebook, using apparently stolen user credentials to log in to victims’ accounts and then send out malicious links to their friends. The worm also downloads and installs a variety of malware on users’ machines, including a variant of the Zeus bot.
The worm is making the rounds now, and detection of the malicious file that’s being used to drop the malware on victims’ machines is quite low. Researchers at CSIS in Denmark analyzed the worm’s behavior and found that it appears to be using stolen Facebook credentials to log in to user accounts. It then sends out messages to the victim’s Facebook friends with a link that’s supposedly to a photo file.
However, the linked file is not an image: it is a Windows screensaver executable given a JPG extension. If a user opens the file, it installs a series of malicious programs. CSIS says the worm’s code was written in Visual Basic and uses a handful of techniques to make analysis in virtual machine environments difficult. Once the user executes the malicious file, the infection routine kicks off.
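The lure described above relies on a file name claiming to be a photo while the content is an executable. An added example, not part of the original article or of CSIS’s analysis: a small Python check that compares a file’s claimed extension with its leading bytes (a JPEG starts with FF D8 FF, a Windows executable with an MZ stub whose e_lfanew field points at the PE signature) and also flags double extensions such as `.jpg.scr`. The sample files below are constructed in the script, and the fake PE header is only the bytes needed to exercise the check.

```python
import struct
from pathlib import Path
from typing import Dict, List

# Leading bytes that identify the two formats at issue.
JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG SOI marker
MZ_MAGIC = b"MZ"               # DOS stub that starts every Windows PE (.exe, .scr, ...)

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def classify_content(data: bytes) -> str:
    """Classify a file by its header: 'jpeg', 'pe', 'mz-only' or 'unknown'."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(MZ_MAGIC):
        # e_lfanew (offset 0x3C) gives the offset of the "PE\0\0" signature.
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "pe"
        return "mz-only"   # MZ header but no PE signature: still executable-shaped
    return "unknown"


def is_masquerading_image(name: str, data: bytes) -> bool:
    """True when the name claims an image but the file is really an executable.

    Two cases are covered: content that is a PE regardless of extension
    (e.g. 'photo.jpg' whose bytes start with MZ), and a double extension whose
    real, final suffix is executable (e.g. 'photo.jpg.scr').
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not any(s in IMAGE_EXTS for s in suffixes):
        return False   # the name makes no image claim, so nothing to contradict
    return classify_content(data) == "pe" or suffixes[-1] in EXEC_EXTS


def scan(files: Dict[str, bytes]) -> List[str]:
    """Return the names of all files that masquerade as images."""
    return [name for name, data in files.items() if is_masquerading_image(name, data)]


def build_fake_pe() -> bytes:
    """Constructed test input: a minimal MZ/PE header, not a runnable program."""
    hdr = bytearray(0x44)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def build_fake_jpeg() -> bytes:
    """Constructed test input: JPEG SOI marker followed by an APP0 marker and padding."""
    return JPEG_MAGIC + b"\xe0" + b"\x00" * 32


if __name__ == "__main__":
    # Constructed sample set modelled on the lure in the article.
    sample = {
        "holiday.jpg": build_fake_jpeg(),       # genuine image
        "photo.jpg": build_fake_pe(),           # executable with an image extension
        "photo.jpg.scr": build_fake_pe(),       # double extension
        "report.pdf": build_fake_pe(),          # wrong content, but no image claim
    }
    for flagged in scan(sample):
        print(f"suspicious: {flagged} ({classify_content(sample[flagged])})")
```

The check is deliberately header-based rather than extension-based, because the extension is the attacker-controlled part; on a mail or web gateway the same two functions can be fed the decoded attachment bytes before the file ever reaches a user.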
“Whereupon the following file is attempted copied to the system: c: users [% user profile%] m-1-52-5782-8752-5245winsvc.exe,” a translation of the CSIS analysis says. “The worm carries a cocktail of malware onto your machine, including a Zbot / ZeuS variant, which is a serious threat and steals sensitive information from the infected machine.”
Zeus is a common tool in the arsenal of many attackers these days and is used in a wide variety of attacks and campaigns. It used to be less common, but the appearance of cracked versions of the Zeus code has made it easier for lower-level attackers to get their hands on the malware. Zeus has a range of capabilities and specializes in stealing sensitive user data, such as banking credentials, from infected machines.
CSIS also said that the worm is spreading from some domains outside of Facebook, and that those compromised servers are being used to gather additional information about the infected machines and to stage the malware that’s subsequently downloaded onto victims’ machines.