Malware Installs Rogue Apps on Compromised Facebook Accounts

    A new piece of malware being distributed by Sality uses stolen Facebook credentials to surreptitiously install rogue apps under the corresponding profiles.

    Sality is the world's top file-infecting malware and dates back to 2003. The threat has evolved over the years and has been fitted with P2P, self-propagation and malware distribution functionality.

    According to security researchers from Symantec, at the beginning of this year, Sality operators pushed a malicious component through its P2P network that acted as a keylogger and recorded Facebook, Blogger and MySpace login credentials.

    The trojan sent the stolen credentials to a command and control (C&C) server but, to the researchers' surprise, also stored them locally in an encrypted file.

    That changed when a new piece of malware recently distributed by Sality began making use of the login details stored in those encrypted files.

    It downloads Internet Explorer automation scripts from a C&C server and uses the stolen credentials to log in to the corresponding websites and perform predefined actions.

    As far as Facebook is concerned, the trojan received instructions to install a rogue application under hijacked accounts. The app, called "VIP Slots," only asked for access to basic account information.

    Since it doesn't have permission to post on the victim's wall, the app cannot be used for spamming purposes, but that could change in the future.

    Other instructions executed by this component involved opening google.com and searching for a predefined set of keywords. The purpose of this is not immediately clear.

    "This script could serve experimentation purposes. It could also be a very convoluted way to measure the propagation of their creation: Google Trends report a recent peak for this search term," writes Symantec's Nicolas Falliere.

    "As of today, it appears script distribution has stopped. However, new scripts could be distributed in the future as the C&C server is still up and running," he warns.

    Source: Softpedia