A fresh Facebook botnet baddie started making its rounds over the last couple of days, popping up in the inboxes of hundreds of users from a dozen different countries around the globe.
Dubbed “Downloader-167, the trojan uses Facebook and Yahoo Messenger to spread to as many different computers as it can by taking hold of a person’s account, and using their own friends list to hunt down as many unsuspecting victims as possible before the next time they try to log in and see their information has been compromised.
In order to trick users into clicking the all-important link that allows the program to automatically bloom and proliferate, the seemingly-innocent message asks them if it’s okay to post a set of pictures on their wall. Facebook doesn’t allow anyone to post tagged photos of you on your timeline unless you personally give permission beforehand, so for anyone who doesn’t look at those types of requests twice before clicking “confirm”, this is a great tactic to pull in as many patsies as possible before the person responsible catches on.
After the user’s account has been hijacked, the bot behind the attack automatically begins trawling their contact list, mass emailing anyone within networking distance with similar messages that can be used to infect another machine, and the process repeats from there et al.
Oddly enough, the malware is laden with biblical verses, something that hasn’t yet been seen by malware researchers from the security firm BitDefender.
“After gaining access to users’ contact lists, Gen:Variant.Downloader.167 distributes itself through Facebook’s instant messaging and Yahoo Messenger from one friend to another,” explained Catalin Cosoi, chief security strategist at Bitdefender. “Besides being wonderfully polite, the Trojan also uses biblical verses as decryption keys for its data.”
This type of infection is nothing new, with Myspace becoming one of the first victims to the tactic way back in late-2006. And Facebook isn’t the only problematic platform either, with several users of the Yahoo messaging service reporting their own encounters with Downloader-167 to news outlets who have been covering the story as it continues to develop.
Though the true intentions of the malware have yet to be revealed, it’s likely the botnet is spreading to collect data in order to give the attackers behind it a viable roadmap on where they can hit once they finally decide to unleash the viruses and spyware that so often come hand in hand with these types of campaigns.
“The final aim of the Trojan is probably to make money from reselling sensitive data,” BitDefender explains. “After it’s executed on the machine, the Trojan searches for a command and control centre, which may order it to download further malware and eventually send confidential data such as passwords, usernames and banking credentials directly to the attackers.”
So far the accounts affected by the virus seem to be contained within Denmark, Canada, the UK, Germany, France, and the US, however with many viruses of this kind, it still has the potential to spread much further if a fix isn’t applied by Facebook soon.