Update from Facebook:
- The Facebook security team been actively tracking this botnet and providing McAfee AV to the victims (via Scan and Repair)
- The sample covered is out of date, and the malware now works differently
- Any users infected with this malware should be pointed to the McAfee self-checkpoint on.fb.me/InfectedMcA
Malware authors are fond of using social networking sites to spread their well crafted malwares. We have recently discovered a botnet malware that receives commands from a remote attacker and spreads through different messengers to reach a victim’s machine.
These bots mostly come with the filename Picturexx.JPG_www.facebook.com.
This malware is designed to post a download URL in chat windows of different messengers including ICQ, Skype, GTalk, Pidgin, MSN, YIM, and Facebook’s web chat.
The victim sees a chat window from an unknown contact with a link promising some interesting video. This is a typical trick used by malware authors. When the user clicks the link, malware gets downloaded to the machine, and infects it.
The chat window that appears to victims looks very real.
Once the malware has successfully executed on the victim’s machine, it bypasses the firewall in two ways:
- Directly with netsh, by using the command line “netsh firewall allowed program”
- By modifying the firewall policy, making a registry modification to add an allowed program, the malware
A sample copy is dropped into the Windows folder and flagged with system, hidden, and read-only attributes.
The malware chooses any of the following paths to drop a copy:
A run entry is made to ensure that the sample is reloaded when the machine reboots.
The malware does a series of checks for antimalware scanners, Windows updates, and even Yahoo updates and then disables them:
Once a service is selected, the malware runs a routine to disable it. The malware also changes the Internet Explorer start page, and modifies the preference file of Chrome and Firefox.
This bot receives commands from a remote attacker. The sample copy dropped in the Windows folder is mdm.exe. We can see the commands sent by the remote attacker and what they mean below:
The malware enumerates chat windows in the victim’s machine and posts its lure, the message that promises an interesting video. The operation works like any other spam in a chat window: The malware finds Skype’s or another window and posts the message using PostMessageA.
We can see below how a request is sent for a chat request on Facebook’s chat window with POST /ajax/chat/buddy_list.php:
This worm spreads through Facebook with the help of the ajax command and appears in the chat window, making the user believe that the message came from one of the victim’s contacts.
Fortunately, removing this worm from the victim’s machine is relatively easy. We kill the running instances of this process using Process Explorer or Task Manager. The start-up entry made by the malware must be cleared as well to avoid its reloading after rebooting.
McAfee’s Scan and Repair tool will remove this malware by check-pointing the victim. We advise customers to keep their antimalware software updated and to not click unknown links.