Latest rogue Facebook app dissected by IT security expert

According to Svajcer, the latest rogue app on the social networking site specifically targets Croatian users.

Compared to some other Eastern European countries, he says, Croatia is not very well known for being a land of malware writers, which is what makes this particular app all the more surprising.

The rogue Facebook app, he explained, invites users to install a new `Love' Facebook button and uses a malicious Java applet to install a password stealing trojan.

"The Trojan is designed to steal Facebook credentials and other passwords from various sources on the system, including Internet Explorer, Firefox and Google Chrome", he said, adding that the attack reminded him a recent `Dislike' button attack but it is clearly the work of a different attacker.

The Facebook application, he says, is actually a simple web page hosted on one of the free web-hosting providers.

The handcrafted page, he goes on to say, contains a tag to load a Java applet to allegedly install the Love Facebook button, rather than the usual obfuscated Javascript code with a drive-by exploit.

"The applet is not signed so it needs the user permission to be able to access the local file system. The standard Java warning screen is the first indicator that the Love button may induce more negative than positive feelings for the users that will install the applet", he said in his security blog.

It did not, he says, take a lot of skill to decompile the Java code and realise that applet attempts to download and run two additional Windows PE files.

One of the files, he adds, is from the same free web hosting provider and another one from a location, which was not accessible, when I analysed the attack.

The reason, the Sophos principal virus researcher goes on to say, for not being able to access the malicious file is that the user has exceeded the bandwidth limit, which means that either the limit was very low or that many Croatian users have fallen victim of the attack.

"The other application, downloaded by the applet, is a password stealing Trojan dropper most probably created with a Trojan generator program Facebook Hacker", he said.

The trojan generator, claims Svajcer, allows the attacker to generate new trojan variants with no programming skills required.

The only other requirement, he notes, is a dedicated email account, which will be used to receive passwords, sent from infected systems - in this case the attacker chose to add a layer of a commercial software protection code, to evade the anti-virus detection.

And here's where it gets interesting, Infosecurity notes, as the Sophos principal virus researcher says that trojan generated by Facebook Hacker contains several components designed to steal user credentials including the ones stored by Internet Explorer, Firefox, Google Chrome and various instant messaging applications.

The Trojan's components, he says, are actually freeware applications developed by Nirsoft and they are not made with a malicious intent -however, as with other system utilities, they can be used in a malicious attack.

"Overall, this attack is not very significant, when compared to the latest and most sophisticated attacks. It is clearly not a work of an organised and skilled malware writer or a cybercriminal group as we are used seeing in the last few years", he said.

"It is nevertheless interesting because it shows that even an unskilled attacker can create a multicomponent attack on social networking applications in areas where user awareness is not as well developed", he added.

What’s Hot on Infosecurity Magazine?