Jul 25, 2011 17:20 GMT

Security researchers warn about a trojan spreading through Facebook that carries an unusually sophisticated payload: it replaces the legitimate antivirus programs used by its victims with fake ones.

Its creators have put a lot of effort into the trojan's propagation routine, which relies on advanced social engineering and in some respects resembles the Koobface worm.

The malware hijacks the Facebook sessions of its victims and sends messages to their friends via the website's chat function.

The messages claim that the recipient appears in a video that has been posted online. Curious users who click the link are taken to a spoofed YouTube page whose video title contains their name, accompanied by fake comments attributed to their own Facebook friends.

The trojan abuses the ability to see a friend's friends on Facebook and uses their names to make the whole scam more credible. Some of the comments are encouraging and others express disappointment, in order to pique the target's curiosity.

However, the page informs the user that they need to download and install a Flash Player update in order to see the video. This is an old trick used to deliver malware.

Once installed on the computer, the trojan blocks notifications from the firewall, Windows Update and the legit antivirus, and displays a pop-up asking the user to reboot the system.

The interesting part is that it can detect and mimic a dozen popular antivirus programs, down to the language used in their interface. The real programs are scheduled for uninstallation.

The trojan uses the bcdedit.exe utility to force the computer into Safe Mode upon reboot, where the uninstallation of the legit antivirus starts. Unlike most malware, this trojan configures itself to run in Safe Mode, so it remains in control of the machine throughout.

After the legit antivirus program is uninstalled, the computer is rebooted again and a fake antivirus mimicking the real one is executed. This is meant to trick users into believing that they are still protected, while the trojan freely downloads and installs more malware in the background.
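The Safe Mode trick described above leaves two traces on a Windows system that an incident responder can check for: a boot entry that bcdedit has been told to start in Safe Mode, and services or drivers registered to start while Safe Mode is active. The following PowerShell triage script is an added example written for this article; it is not code from BitDefender's report or from the malware analysis. The function names and the parsing of bcdedit's text output are assumptions of this example; the `safeboot` boot setting and the `SafeBoot\Minimal` and `SafeBoot\Network` registry keys are standard Windows locations. Run it from an elevated prompt.

```powershell
# Added defensive triage script (not part of the article or BitDefender's report).
# Checks whether the boot configuration has been forced into Safe Mode and lists
# what is registered to run in Safe Mode. Requires an elevated PowerShell session.

function Get-ForcedSafeBootEntries {
    # "bcdedit /enum" prints one block per boot entry, blocks separated by a blank
    # line. A "safeboot" line inside a block means that entry boots into Safe Mode.
    $output = & bcdedit.exe /enum 2>&1 | Out-String
    $blocks = $output -split '\r?\n\r?\n'
    foreach ($block in $blocks) {
        if ($block -match '(?m)^safeboot\s+(\S+)') {
            $mode = $Matches[1]
            $desc = if ($block -match '(?m)^description\s+(.+)$') { $Matches[1].Trim() } else { '(no description)' }
            $id   = if ($block -match '(?m)^identifier\s+(\S+)')  { $Matches[1] }        else { '(unknown)' }
            [pscustomobject]@{ Identifier = $id; Description = $desc; SafeBoot = $mode }
        }
    }
}

function Get-SafeBootRegistrations {
    # Windows only starts the services and drivers listed under these keys while in
    # Safe Mode, so anything that runs in Safe Mode must appear here. Entries that
    # are not stock Windows components deserve a closer look.
    $roots = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
             'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            # The key's default value holds the class (Driver, Service, Driver Group).
            $class = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Root = $root; Name = $_.PSChildName; Class = $class }
        }
    }
}

$forced = @(Get-ForcedSafeBootEntries)
if ($forced.Count -gt 0) {
    Write-Warning "Boot entries forced into Safe Mode (possible tampering):"
    $forced | Format-Table -AutoSize
    # Remediation on a cleaned system: bcdedit /deletevalue {current} safeboot
} else {
    Write-Host "No boot entry is forced into Safe Mode."
}

Write-Host "`nEntries registered to run in Safe Mode (review unfamiliar ones):"
Get-SafeBootRegistrations | Sort-Object Root, Name | Format-Table -AutoSize
```

The first check is the cheap one: on a healthy workstation no boot entry carries a `safeboot` value, so any hit is worth investigating before the next reboot. The second list is longer and mostly legitimate, so compare it against a known-good machine of the same Windows version rather than reading it in isolation.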

"The computer is used by the cyber-crooks for a wide range of purposes that are constantly expanded through the use of malicious plug-ins. All these happen while you think that you’re completely safe and that nothing can happen to you," warn the security researchers from BitDefender who identified this malware.