Tekblog » backdoor.bot http://tekblog.teksquisite.com Tackling Technology One Byte At A Time! Thu, 09 Sep 2010 13:48:43 +0000 en hourly 1 http://wordpress.org/?v=abc FacebookAgent is a Trojan Dropper http://tekblog.teksquisite.com/2009/12/03/facebookagent-is-a-backdoor-bot-trojan-dropper/ http://tekblog.teksquisite.com/2009/12/03/facebookagent-is-a-backdoor-bot-trojan-dropper/#comments Fri, 04 Dec 2009 02:15:59 +0000 Teksquisite http://www.teksquisite.com/blog/?p=1841

There has been chattering the past few days about unknown rogue software available for download on the Internet that lets you view private Facebook profiles. I can assure you that this new software called FacebookAgent is old news wagging a new wrapper. This is not just another scam! This rogue application also has a back door along with Trojans droppers put together by cyber-criminals to elicit financial information via social engineering techniques. Prior to examining FacebookAgent on a VM earlier today I ran Malwarebytes and had a clean scan with no infected files. After installation of Facebook Agent and testing in a VM I ran Malwarebytes again and had 159 infected files! (the results will be posted at the end of this article.) Domain: www.facebookagent[DOT]com Current IP: 74.208.137.211 131 1&1 Internet Inc PA

Shot6

Facebookagent.com website provides this Disclamer:

“Facebook Agent is an automated help manual that guides you through the process of gaining a legal view of the desired profile. This process is completely legal and is achieved through the other party’s aproval and acknowledgement. This software and/or methods should not be used in any other case that is not mentioned above. All facebook trademarks are copyrighted to facebook.com. All actions taken through and in this application are on full responsibility of the user. Facebook Agent is in no condition responsible of any harm, damage or violations done while using this application. If at any stage of the process any party will find violation of law against them, the process should immidiately be terminated and reported to the administration team of the application. By clicking the Start button you agree to take full responsibility of the actions done by this application. All rights are copyrighted to facebook Agent 2009 – 2010. All trademarks found in this application belong to facebook Agent apart from facebook trademarks which are copyrighted to facebook.com. By clicking on the Start button you accept this terms and conditions.”

Most of the links at the FacebookAgent website result in saving or downloading setup.msi. The msi installer loads Facebook Agent.exe and a database file in the Program Files directory. The installer also loads Perflib_Perfdata640.dat into the local user profile temp directory and runs the database file under svchost.

programfiles

files

When you first run Facebook Agent there is no exit from the program. Bad code and even worse downloads and toxic URLs await you. Since I did not choose to install the IWON toolbar featuring the MyWebSearch default search provider I had to participate in the Green Card Scam that is listed below.

step-1-free-prize

According to the flimsy interface above you have to click to claim what you have won! Your prize is located at: hXXp://html.usagc[DOT]org/step1landing_eng[DOT]html?afk=ranygnewcplcmp0309eng. Then you have to fill out a form that includes your full name, email address, country of birth, marital status, and telephone number. You also have to answer this dropdown menu question:

highschool

After I filled out the online form with false information, I received this response:

sue-dogears

Canada, Mexico, and the United States are ineligible. On the same page I was also given the option to select another country if I were a native of a qualifying country or if my parents were born in a qualifying country. I opted for Australia and was quickly promoted to step 2 in the process!

prizeprize2

I had a good smirk over the warning “using a stolen or fraud credit card number will automatically disqualify you from participating forever!! USAGC will immediately cancel your application and pursue legal remedies.”

USAGC is a scam! Don’t fall victim to this Green Card lottery scam! The DV-2011 Diversity Visa Lottery( run by The U.S. Department of State) online entry registration period ended on November 30, 2009

I was soon bored with the Green card lottery scam so proceeded to install the IWON Toolbar and failed. iwon

After finishing the installation of IWON, I had to go to iwon.com to register for a free account. Overall, you can only get to step 1 in Facebook Agent because you can’t get to step 2 without filling out credit card information.

Finally I ran Malwarebytes again to see what nasties Facebook Agent had installed.

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 142
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 20
Files Infected: 86
Memory Processes Infected:
C:\Documents and Settings\test\Application Data\Microsoft\Network\svchost.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Unloaded process successfully.
Memory Modules Infected:
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Delete on reboot.
Files Infected:
C:\Documents and Settings\test\Application Data\Microsoft\Network\wuauclt.exe (Backdoor.Bot) -> Delete on reboot.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft network service (Trojan.Dropper) -> Delete on reboot.
You can view the full Malwarebytes log here.
I did not have much time to pursue this today but have high hopes that other security experts will jump in and take a look at this backdoor!
Until next time — Stay safe online!
]]> http://tekblog.teksquisite.com/2009/12/03/facebookagent-is-a-backdoor-bot-trojan-dropper/feed/ 1 Private