IM Trojan Woos Victims with Bible Verses and Good Manners

A newly discovered IM trojan uses polite social engineering and biblical verses to hide its malware payload

A new trojan is making the rounds via IM, and, unlike some of its grammatically challenged kin, it’s long on the social graces.

Using polite social engineering and biblical verses, Gen:Variant.Downloader.167 hides a malware payload. Anti-virus software provider Bitdefender spotted an increasing wave of infections in the past week in a range of countries, including the US, UK, Germany, Canada, France, Denmark, Japan and Romania.

After gaining access to users’ contact lists, it distributes itself through Facebook’s instant messaging function and Yahoo Messenger, from one friend to another. Users receive a polite question, seemingly from a Facebook or Yahoo messaging friend: “I want to post these pictures on Facebook, do you think it’s OK?” It also adds a range of Bible verses to signal its good intentions. To add legitimacy, the URLs following the question belong to storage services Dropbox and Fileswap, frequently used for sharing pictures and files.

“Besides being wonderfully polite, the Trojan also hides some of its encrypted data between biblical verses,” explained Bitdefender researcher Bianca Stanescu, in a blog. “The data is eventually decrypted with numbers generated by a mathematical processor.”

Once the malware is executed on the machine, attackers easily coordinate bots from a command-and-control server, Stanescu said. Besides stealing usernames and passwords, botmasters may also order other malware downloads.

But the unsuspecting soon get a clue that all is not right. The trojan shows a message box during installation: “This application is not compatible with the version of Windows you’re running. Check your computer’s system information to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.”

This type of gambit is not unfamiliar – every once in a while hackers do manage to get the tone right in messages to avoid setting off alarm bells.

“In May 2013, a similar piece of malware infected thousands of Facebook users worldwide,” Stanescu noted. “The Dorkbot malware posed as a .jpg image but was actually an executable file, capable of spying on browser activities and grabbing personal data. Another scam promised naked videos of Facebook friends but dropped a trojan instead.”
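As an added illustration (not code from the article or from Bitdefender), the following Python heuristic scores IM messages on the lure traits described above: a link to a file-sharing host, the polite "post these pictures" question, scripture-style text, and a linked file name that looks like an image but ends in an executable extension (the Dorkbot-style trick mentioned in the quote). The host list, regular expressions, thresholds and sample messages are constructed assumptions for this example, not indicators published for this trojan.

```python
import re
from urllib.parse import urlparse

# Hosts the article says the lure links point to (Dropbox, Fileswap).
# Constructed list for this example; real filters would use a maintained set.
FILE_SHARING_HOSTS = {
    "dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com",
    "fileswap.com", "www.fileswap.com",
}

# Phrases characteristic of the lure quoted in the article (assumed patterns).
LURE_PATTERNS = [
    re.compile(r"post these pictures", re.I),
    re.compile(r"do you think it.?s ok", re.I),
]

# Scripture citation such as "John 3:16" or "1 Corinthians 13:4" (constructed heuristic).
VERSE_RE = re.compile(r"\b(?:[1-3]\s+)?[A-Z][a-z]+\s+\d{1,3}:\d{1,3}\b")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".pif")


def analyse_message(text):
    """Return the indicators found in one IM message and a simple verdict."""
    urls = URL_RE.findall(text)
    indicators = []

    if any(urlparse(u).hostname in FILE_SHARING_HOSTS for u in urls):
        indicators.append("file_sharing_link")
    if any(p.search(text) for p in LURE_PATTERNS):
        indicators.append("picture_lure_phrase")
    if VERSE_RE.search(text):
        indicators.append("scripture_text")

    for u in urls:
        name = urlparse(u).path.lower().rsplit("/", 1)[-1]
        for ext in EXEC_EXTS:
            if name.endswith(ext):
                indicators.append("executable_link")
                # "photos.jpg.exe": image-looking stem, executable suffix
                if name[:-len(ext)].endswith(IMAGE_EXTS):
                    indicators.append("image_masquerade")
                break

    # Assumed threshold: two or more independent traits is enough to flag for review.
    verdict = "suspicious" if len(indicators) >= 2 else "benign"
    return {"indicators": indicators, "verdict": verdict}


def triage(messages):
    """Score a batch of messages; returns one result dict per message."""
    return [analyse_message(m) for m in messages]


# Constructed sample messages: one lure built from the article's description, two ordinary chats.
SAMPLE_MESSAGES = [
    "I want to post these pictures on Facebook, do you think it's OK? "
    "https://www.dropbox.com/s/abc123/photos.jpg.exe  John 3:16 For God so loved the world",
    "Here's the slide deck from today https://www.dropbox.com/s/xyz789/deck.pdf",
    "lol check this https://example.org/funny.gif",
]

if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(result["verdict"], result["indicators"], "<-", msg[:50])
```

A single file-sharing link is deliberately not enough to flag a message, since the article notes these services are routinely used for legitimate picture sharing; the combination of traits is what separates the lure from normal chat.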

As always, users should be hyper-wary of any download offered on an unsolicited basis, even when it seems to come from trusted sources. Always verify directly with the friend that the message is legitimate.
