Facebook, financial firms targeted by online maurauders

Online lowlifes were busy last week spreading infections online, targeting Facebook and several financial institutions, according to malware fighters.

Facebook squashes Dorkbot

Facebook members were targeted by a pernicious program called Dorkbot. The program is primarily spread through Facebook chat, but it can also propagate thorough USB devices, noted Bianca Stanescu of Bitdefender.

facebook logo

Dorkbot pretends to be a picture file but is actually a program that installs malicious code on a machine when someone tries to open the file.

Online information locker MediaFire discovered the poisonous files on its servers and has taken steps to trash them, including wiping files with double extensions, such as .jpg.exe, .png.exe, and .bmp.exe.

Dorkbot contains a typical bag of malware tricks. It will steal sensitive information from an infected machine and can block updates of antivirus software to protect itself from discovery.

PushDo returns

Researchers also reported last week that an old botware family is being taught some new tricks. Botware is used to set up a network of infected machines that can be used for a variety of nefarious tasks.

PushDo is an hoary botware family and, according to Damballa Senior Researcher Jeremy Demar, it's being modified to use Domain Generation Algorithms as a fallback mechanism when its command and control servers are disrupted.

botnet

The technique allows a botnet running the software to create more than a thousand bogus and unique domain names a day, and to connect to them if its command and control server is knocked out by bot fighters.

This latest wrinkle in PushDo illustrates once again the resiliency of its authors. The botnet has been shut down four times in the last five years, only to rise again from the dead, like the zombie machines in its network.

PushDo has some other tricks up its sleeve, Demar wrote.

"The malware will generate fake traffic to legitimate web sites in an attempt to mask its C&C communications, with 200 domain names to contact," he noted. "The C&C servers will also respond with a jpeg image with encrypted, embedded malware payloads to hide any additional files it wants to download."

Bank of America, Citibank, and Dun & Bradsteet headlined some scams targeted at businesses last week.

Financial institutions targeted

Solera Networks waved a red flag over a spam campaign masquerading as a "merchant statement" from banks. The digital detritus contains a word-processing file—a .doc or .rtf—and if opened, exploits a vulnerability patched by Microsoft a year ago to install a password stealer on an infected machine.

The Dun & Bradstreet scam is a variation of the old  Better Business Bureau swindle. In this case, a target receives an official-looking email from D&B claiming a complaint has been lodged against them.

The target can see the complaint by clicking on an attachment to the email. Doing so, of course, installs a Trojan on their machine which will steal personal information from the device, according to Barracuda Networks.

Subscribe to the Security Watch Newsletter

Comments