Dec 9, 2010 09:44 GMT

Security researchers warn that malware distributors are taking advantage of the buzz generated by the new Facebook profiles to push a backdoor as a so-called Facebook toolbar.

The toolbar is advertised in fake but well-designed emails purporting to come from Facebook and using the site’s email template.

The subject is “Hello dear friend!” and the contained message is signed by “The Facebook Team.” It reads:

Hi dear Friend. Now you can download the Facebook toolbar. Now it will be easier than ever to share and connect with your friends. Thanks

The message is accompanied by a big green button reading “Download Here,” which, if clicked, leads to a website serving a file called fb.exe for download.

According to security researchers from Trend Micro, this file is actually a variant of the Zapchast IRC backdoor.

Zapchast is a hidden and modified installation of the otherwise legit mIRC Internet Relay Chat client. It uses maliciously crafted scripts which allow its creators to control infected computers remotely.

mIRC comes with its own powerful scripting engine that can be abused to perform a wide variety of actions on computers, including downloading and executing files.

Zapchast-infected computers behave like a botnet. They connect to a hardcoded IRC channel where they receive instructions from attackers.
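The behaviour described above, a workstation registering with an IRC server and joining a channel, can be spotted by matching on the protocol content rather than on the destination port. The sketch below is an added example, not code from the article or from Trend Micro; the flow tuple layout, the function names and the sample traffic are constructed assumptions.

```python
import re
from collections import defaultdict

# Client-to-server IRC line (RFC 1459): optional ":prefix", a command, parameters.
IRC_LINE = re.compile(rb"^(?::\S+ +)?([A-Za-z]+)(?: +(.*))?$")

def irc_commands(payload: bytes):
    """Yield (COMMAND, params) for each IRC-shaped line in a payload."""
    for raw in re.split(rb"\r?\n", payload):
        m = IRC_LINE.match(raw.strip())
        if m:
            yield m.group(1).upper().decode(), (m.group(2) or b"").decode("latin-1")

def find_irc_clients(flows):
    """Return {(src, dst, dport): [channels]} for connections on which a host
    registered (NICK and USER) and then joined a channel, whatever the port."""
    seen = defaultdict(set)
    channels = defaultdict(list)
    for src, dst, dport, payload in flows:
        key = (src, dst, dport)
        for cmd, params in irc_commands(payload):
            if cmd in ("NICK", "USER"):
                seen[key].add(cmd)
            elif cmd == "JOIN" and {"NICK", "USER"} <= seen[key]:
                # JOIN carries a comma-separated channel list, then optional keys.
                first = params.split(" ")[0].lstrip(":")
                channels[key] += [c for c in first.split(",")
                                  if c.startswith(("#", "&"))]
    return {k: v for k, v in channels.items() if v}

# Constructed sample flows: (src, dst, dport, client-to-server payload bytes).
# Addresses come from documentation ranges; nick and channel are made up.
SAMPLE_FLOWS = [
    ("10.0.0.21", "203.0.113.7", 8080, b"NICK xk2931\r\nUSER xk2931 0 * :xk\r\n"),
    ("10.0.0.21", "203.0.113.7", 8080, b"join #ctl-example secret\r\n"),
    ("10.0.0.35", "198.51.100.4", 80,
     b"GET /join HTTP/1.1\r\nHost: example.com\r\n\r\n"),   # plain HTTP, ignored
    ("10.0.0.40", "203.0.113.7", 6667, b"JOIN #nope\r\n"),  # no registration seen
]

if __name__ == "__main__":
    for (src, dst, dport), chans in find_irc_clients(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{dport} joined {', '.join(chans)}")
```

On a network where desktops have no business reason to speak IRC, any hit from this check is worth investigating, since a hidden mIRC installation produces the same registration and join sequence as a visible one.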

In addition, some Zapchast variants come infected with a virus called Parite.B. This is probably an unintended side effect resulting from the computer of its creator being affected by this malware in the first place.

“Recently, Facebook introduced some changes to the profile pages of its users, which were meant to make it ‘even easier for you to tell your story and learn about your friends,’ according to the official announcement,” says Cristina Buenviaje, anti-spam research engineer at Trend.

“It’s probably not a coincidence that soon after this announcement, we received fake e-mails allegedly coming from Facebook,” she adds.