Compared to some other Eastern European countries, Croatia is not very well known for being a land of malware writers so I was very surprised when I found out that there is a malicious Facebook application targeting Croatian users
As this is an attack on my home ground I spent some time to analyse its components and find out more about the attacker’s skills.
The rogue Facebook app invites users to install a new “Love” Facebook button and uses a malicious Java applet to install a password stealing Trojan. The Trojan is designed to steal Facebook credentials and other passwords from various sources on the system, including Internet Explorer, Firefox and Google Chrome.
The attack reminded me of a recent “Dislike” button attack but it is clearly the work of a different attacker. The Facebook application is actually a simple web page hosted on one of the free web hosting providers.
The applet is not signed so it needs the user permission to be able to access the local file system. The standard Java warning screen is the first indicator that the Love button may induce more negative than positive feelings for the users that will install the applet.
It did not take a lot of skill to decompile the Java code and realize that applet attempts to download and run two additional Windows PE files. One from the same free web hosting provider and the another one from a location which was not accessible when I analysed the attack.
The reason for not being able to access the malicious file is that the user has exceeded the bandwidth limit, which means that either the limit was very low or that many Croatian users have fallen victim of the attack.
Sophos users will be pleased that the Java applet was detected proactively by Sophos as Mal/JavaFKS-B before the attack was seen in the wild.
The other application, downloaded by the applet, is a password stealing Trojan dropper most probably created with a Trojan generator program Facebook Hacker.
The Trojan generator allows the attacker to generate new Trojan variants with no programming skills required. The only other requirement is a dedicated email account which will be used to receive passwords sent from infected systems. In this case the attacker chose to add a layer of a commercial software protection code, to evade the anti-virus detection.
Variants of the Facebook Hacker Trojan have been detected by Sophos since July 2010 as Mal/PWS-BA.
A Trojan generated by Facebook Hacker contains several components designed to steal user credentials including the ones stored by Internet Explorer, Firefox, Google Chrome and various instant messaging applications.
The Trojan’s components are actually freeware applications developed by Nirsoft and they are not made with a malicious intent. However, as with other system utilities, they can be used in a malicious attack.
Overall, this attack is not very significant, when compared to the latest and most sophisticated attacks. It is clearly not a work of an organised and skilled malware writer or a cybercriminal group as we are used seeing in the last few years.
It is nevertheless interesting because it shows that even an unskilled attacker can create a multicomponent attack on social networking applications in areas where user awareness is not as well developed.
I just hope that the Croatian script kiddie will find a more useful hobby in the future.
If you’re a keen Facebook user, you should join our buzzing community on the Sophos Facebook page.