A few months ago, at least prior to February 7th, Sality operators pushed a new malware onto their P2P network of infected bots. The malware in question hooks into Internet Explorer using its standard COM interface, and gathers credentials submitted via web forms. February’s variant treated Facebook, Blogger, and Myspace logon information differently: on top of stealing and sending the username/password to a Command and Control (C&C) server, the information was also dumped to an encrypted file, onto the user’s compromised computer. At that time, the plausible guess was that these credentials would be used by upcoming malware – the Sality programmers are very imaginative.

This was confirmed last weekend. The newest Sality package contained a new malware, on top of their usual spam/web relays. The malware searches for encrypted files containing either Facebook or Blogger credentials (Myspace is left aside). If such files are found and contain credentials, the malware then connects to a C&C server (74.50.119.59, hosted in Florida) to request an “action script”. Such scripts look like C programs and are interpreted by the malware itself. The main goal is to automate Internet Explorer actions. On Monday, April 11th, the script sent when Facebook credentials were found on the local machine was the following:

The function names are self-explanatory. The script, when executed, performs the following actions:

Create a visible instance of Internet Explorer.

instance of Internet Explorer. Navigate to facebook.com.

Log in.

Go to the Facebook app #119084674184 page: this application, named VIP Slots , has been around for a few years.

, has been around for a few years. Grant access to this application.

Close the browser instance.

The permission required by VIP Slots is only “Basic information”, meaning your name and gender, profile picture, networks, and list of friends. The application itself does not seem to exhibit malicious behavior, but the fact that a malicious program interacts with it is very troubling. The end-goal is not determined at this stage: registering the user could serve as aggressive spamming (application posts appearing on your news feed), or a way to get more users to use the app, for monetary purpose (by buying virtual credits). The application could simply be an innocent party.

Another script was also distributed. The actions taken by this generic script were the following:

Create an invisible instance of Internet Explorer.

instance of Internet Explorer. Go to google.com.

Search for “auto insurance bids”.

Close the browser instance.

This script could serve experimentation purposes. It could also be a very convoluted way to measure the propagation of their creation: Google Trends report a recent peak for this search term.

As of today, it appears script distribution has stopped. However, new scripts could be distributed in the future as the C&C server is still up and running.

Our latest definitions detect this malware as Trojan.Gen. Facebook users may see which applications they are currently subscribed to by checking their Privacy settings > Apps and Websites page.