Several months ago, when the operators of the Sality P2P botnet pushed out malware that not only collected usernames and passwords and sent them to the C&C servers but also dumped Facebook, Blogger and MySpace login credentials into an encrypted file on the infected computer, Symantec researchers speculated about the purpose those files would serve.
Their best guess was that the credentials would be of use to some as yet unrevealed piece of malware, and the theory proved correct over the weekend, when Sality (a virus whose primary purpose is to download and execute other malware) downloaded a new piece of malware that fished out that file and the credentials in it.
Once the credentials are found, the malware contacts a C&C server located in Florida and requests an “action script”. The script creates a visible instance of Internet Explorer, navigates it to facebook.com and logs in with the collected username and password.
Having taken over the account, it goes to a Facebook app named VIP Slots, which has been operational for quite a few years, and grants the app access to the account. Finally, to cover its tracks, the script closes the browser.
According to the researchers, the VIP Slots application asks only for permission to access the user’s basic information, and it does not appear to be malicious in itself. Nonetheless, they are wary of the various malicious ends this forced authorization could serve.
“The end-goal is not determined at this stage: registering the user could serve as aggressive spamming (application posts appearing on your news feed), or a way to get more users to use the app, for monetary purpose (by buying virtual credits),” say the researchers. “The application could simply be an innocent party.”
But this is not the only script that was requested, and the other one would be tougher to spot, since it creates an invisible instance of Internet Explorer. It uses that instance to go to google.com and search for “auto insurance bids”, after which the browser instance is closed. The researchers believe this script is just an experiment, one that shows the Sality operators are again thinking ahead.
On the other hand, the first script could turn out to be useful to infected users. Sality has the ability to disable security software and does its best to hide its presence on the affected machine, but a simple look at the Apps and Websites page in Facebook's Privacy Settings is enough to reveal whether the VIP Slots app has been authorized.
If it is there and the user did not authorize it himself, that could point to a Sality-infected machine.