May 16, 2013
Trojan.Facebook.311 is a JavaScript plugin for Google Chrome and Mozilla Firefox. Attackers use social engineering methods to spread the Trojan; a special malicious program disguised as a security update for watching videos facilitates the Trojan's installation. It should be noted that the installer incorporates a digital signature belonging to Updates LTD which is owned by Comodo. The plugins' names are Chrome Service Pack and Mozilla Service Pack, respectively. To spread the Trojan, criminals created a web page in Portuguese, apparently for Facebook users from Brazil.
After installation, as soon as the browser is launched, Trojan.Facebook.311 attempts to download a file containing instructions from a remote server. Next, the plugin waits for the user to log in to Facebook. After that, the Trojan can perform actions on the user's behalf in accordance with the instructions found in its configuration file. These include marking something with “like”, updating a status, leaving a message on a wall, joining a group, leaving a comment, and inviting a user on the friends list to join a group or sending that user a message. In addition, when commanded, the Trojan can download and install new versions of the plug-ins and send spam on Twitter and Google Plus.
Recently Trojan.Facebook.311 posted messages containing an image that mimics an embedded media player. Clicking on the image redirects the user to various bogus sites. Similarly, the Trojan sends personal messages and updates a user’s status to advertise rogue quizzes in which one supposedly can win a variety of prizes.
The threat's signature has been added to the virus databases, so it poses no threat to systems protected with Dr.Web anti-virus software. Despite the fact that criminals are targeting the citizens of Brazil, the scheme can be implemented for any target group. Doctor Web recommends that users exercise caution and refrain from downloading and installing suspicious applications or browser security updates.
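To check a machine for the plugin names reported above, a defender can walk a Chrome profile's `Extensions` directory and compare each extension's display name against them. The Python below is an added example, not Dr.Web's code: it assumes Chrome's on-disk layout `Extensions/<id>/<version>/manifest.json`, matches by name only (a renamed build would not be found), and runs against a constructed sample tree with placeholder extension IDs.

```python
import json
import tempfile
from pathlib import Path

SUSPECT_NAMES = {"chrome service pack", "mozilla service pack"}  # names from the article

def _load_json(path):
    """Return the parsed JSON object, or {} if missing, malformed or not an object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def display_name(ext_dir):
    """Resolve the manifest name, following a __MSG_key__ placeholder (keys are case-insensitive)."""
    manifest = _load_json(ext_dir / "manifest.json")
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = str(manifest.get("default_locale", "en"))
        messages = _load_json(ext_dir / "_locales" / locale / "messages.json")
        for key, entry in messages.items():
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def find_suspect_extensions(extensions_root):
    """Return sorted (extension_id, version_dir, name) tuples whose name matches."""
    hits = []
    for manifest in Path(extensions_root).glob("*/*/manifest.json"):
        name = display_name(manifest.parent).strip()
        if name.lower() in SUSPECT_NAMES:
            hits.append((manifest.parent.parent.name, manifest.parent.name, name))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data: one benign entry, two using the reported name."""
    def write(rel, obj):
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(obj), encoding="utf-8")
    write("aaaa/1.0_0/manifest.json", {"name": "Notes Helper"})
    write("bbbb/1.2_0/manifest.json", {"name": "Chrome Service Pack"})
    write("cccc/2.0_0/manifest.json", {"name": "__MSG_extName__", "default_locale": "pt_BR"})
    write("cccc/2.0_0/_locales/pt_BR/messages.json", {"extName": {"message": "Chrome Service Pack"}})

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_suspect_extensions(tmp))
```

On a real system, pass the profile's `Extensions` directory to `find_suspect_extensions`; a hit is a lead to inspect, since the name alone does not prove the extension is this Trojan.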