Anatomy of a botnet targeting Facebook users

29 January 2013

PokerAgent, a trojan botnet that infected about 800 computers, mainly in Israel, and stole around 16,000 Facebook credentials during 2011/2012 is analyzed in depth.

Although the trojan now appears to be inactive, the analysis published by ESET is a lesson in the threats inherent in social networking. ESET first noticed and detected the malware in 2011 and tracked its progress throughout 2012; most detections occurred in December 2011 and January 2012. Between September 2011 and March 2012 ESET detected 36 different versions, which allowed it to follow the author's development of the malware over time.

The trojan is written in C#, which decompiles readily to something close to the original source. It has two primary functions: to locate Facebook users who have credit cards linked to their account and users who play Zynga Poker; and to expand its database of Facebook credentials. The trojan does not directly interfere with the victim's own Facebook account. It simply uses the infected host to gather information on other Facebook users. “The botnet serves rather as a proxy,” reports ESET, “so that the illegal activities (the tasks given to bots) are not carried out from the perpetrator’s computer;” that is, the tasks are handed out by the botnet’s C&C server but executed by the bots.

Working from the existing database of stolen credentials, the bot logs into a known Facebook account and browses to ‘’. It then searches the returned page for the string ‘You have <strong>X</strong> payment methods saved’ and sends the value of X back to the C&C server. In this way the credentials database is annotated with which accounts are potentially valuable targets.

The basic credentials database is expanded by a ‘ShouldPush’ function in the trojan. If the Facebook user is found to have card details associated with the account and/or is a Zynga Poker player, a link is pushed to that user’s wall. The link, needless to say, points to a separate site that attempts to phish further Facebook credentials. The trojan author evidently assumes that a user worth targeting will have friends worth targeting; the trade-off is that a phishing link posted on the wall makes the compromise of that account more likely to be noticed.
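The two decisions described above, checking the fetched settings page for the ‘You have <strong>X</strong> payment methods saved’ marker and then applying the ShouldPush rule, can be reconstructed in a few lines. The Python below is an added illustration written for this article; it is neither ESET's analysis tooling nor the trojan's decompiled source. The function names, the dataclass, the constructed sample pages and the assumption that a singular ‘payment method’ should also match are all this example's own, and no login or network activity is performed: the HTML is embedded inline so the logic can be run offline.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Marker string quoted in the article. The optional "s" is an assumption made here
# so that a page reporting a single saved card is not silently treated as "absent".
PAYMENT_RE = re.compile(r"You have <strong>(\d+)</strong> payment methods? saved")


@dataclass
class AccountProfile:
    """One row of the annotated credentials database (hypothetical structure)."""
    email: str
    payment_methods: Optional[int]  # None: marker not found (login failed / layout changed)
    poker_player: bool


def count_payment_methods(html: str) -> Optional[int]:
    """Return X from the marker string, or None if the marker is absent.

    Distinguishing "0 methods" from "marker missing" matters: a bot that
    treats a login-failure page as "no cards" would silently drop good data.
    """
    m = PAYMENT_RE.search(html)
    return int(m.group(1)) if m else None


def should_push(profile: AccountProfile) -> bool:
    """Reconstruction of the ShouldPush rule described in the article:
    push a phishing link to the wall if the account has at least one saved
    payment method and/or the user plays Zynga Poker."""
    has_card = (profile.payment_methods or 0) > 0
    return has_card or profile.poker_player


def triage(email: str, html: str, poker_player: bool) -> AccountProfile:
    """Build the annotated record a bot would report back for one account."""
    return AccountProfile(email, count_payment_methods(html), poker_player)


def valuable_accounts(records: list) -> list:
    """Filter (email, html, poker_player) tuples down to the e-mails worth pushing to."""
    return [r[0] for r in records if should_push(triage(*r))]


# Constructed sample responses; these are not captures of any real Facebook page.
PAGE_TWO_CARDS = """<html><body><div class="settings">
You have <strong>2</strong> payment methods saved
</div></body></html>"""
PAGE_ONE_CARD = "<p>You have <strong>1</strong> payment method saved</p>"
PAGE_NO_CARDS = "<p>You have <strong>0</strong> payment methods saved</p>"
PAGE_LOGIN_FAILED = "<p>The password you entered is incorrect.</p>"

SAMPLE_DB = [
    ("a@example.com", PAGE_TWO_CARDS, False),     # cards only -> push
    ("b@example.com", PAGE_NO_CARDS, True),       # poker only -> push
    ("c@example.com", PAGE_NO_CARDS, False),      # nothing of value -> skip
    ("d@example.com", PAGE_LOGIN_FAILED, False),  # unknown, not poker -> skip
    ("e@example.com", PAGE_ONE_CARD, False),      # singular marker -> push
]

if __name__ == "__main__":
    for email, html, poker in SAMPLE_DB:
        print(triage(email, html, poker), "push" if should_push(triage(email, html, poker)) else "skip")
    print(valuable_accounts(SAMPLE_DB))
```

The point of keeping `None` distinct from `0` is the one a reverse engineer looks for when reading such code: whether the author distinguishes a failed login (credentials already changed by the victim) from an account with no saved cards, since the former is worth retrying or discarding from the database and the latter is a confirmed low-value target.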

“Immediately after we had gathered solid information on these criminal activities, we cooperated with both the Israeli CERT and Israeli law enforcement,” says ESET. “The details of the investigation cannot be disclosed for reasons of confidentiality.” Whether because of this action or despite it, PokerAgent now seems to be largely inactive. “We can only speculate how the attacker further abuses these harvested data,” concludes ESET. “The code suggests that the attacker seeks out Facebook users who have something of value, worth stealing – determined by the Poker stats and credit card details saved in their Facebook account. Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals.”
