Anatomy of a botnet targeting Facebook users

Although the trojan now appears to be inactive, the analysis provided by ESET is an education into the threats inherent in social networking. ESET first noticed and detected the malware in 2011, and tracked its progress throughout 2012. Most detections occurred in December 2011 and January 2012. Between September 2011 and March 2012, ESET detected 36 different versions and were able to monitor the development of the malware by the author.

The trojan is written in C#, making it easy to decompile to access the source code. It has two primary functions: to locate Facebook users with credit cards linked to their account, and Zynga Poker players; and to expand its database of Facebook credentials. The trojan itself does not directly interfere with the victim’s own Facebook account. It just uses its host computer to seek information on other Facebook users. “The botnet serves rather as a proxy,” reports ESET, “so that the illegal activities (the tasks given to bots) are not carried out from the perpetrator’s computer;” that is, the botnet’s C&C server.

From the existing database of stolen credentials, the trojan logs into a known Facebook account, and browses to ‘’. It then looks for the string ‘You have <strong>X</strong> payment methods saved’, and sends the relevant information back to the C&C server. In this way, the credentials database becomes one of potentially valuable Facebook targets.

The basic credentials database is expanded by a ’ShouldPush’ function in the trojan. If the Facebook user is found to have card details associated with the account and/or is a Zynga Poker player, then a link is pushed to the user’s wall. The link, needless to say, points to a separate site that attempts to phish additional Facebook credentials. The assumption can only be that the trojan author assumes that a user worth targeting will have friends worth targeting; but it simultaneously makes the credential compromise more likely to be noticed.

“Immediately after we had gathered solid information on these criminal activities, we cooperated with both the Israeli CERT and Israeli law enforcement,” says ESET. “The details of the investigation cannot be disclosed for reasons of confidentiality.” Whether because of this action or despite it, PokerAgent now seems to be largely inactive. “We can only speculate how the attacker further abuses these harvested data,” concludes ESET. “The code suggests that the attacker seeks out Facebook users who have something of value, worth stealing – determined by the Poker stats and credit card details saved in their Facebook account. Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals.”

What’s Hot on Infosecurity Magazine?