Cybercriminals Making Sality Virus More Complex
Security researchers at Symantec recently disclosed that, some months ago, the creators of the Sality peer-to-peer (P2P) botnet released malware that not only gathered personal details and passwords and sent them to the command and control (C&C) servers, but also wrote MySpace, Blogger, and Facebook login credentials into an encrypted file on the compromised PC.
This behaviour left Symantec researchers wondering what purpose these files were actually meant to serve.
Their best guess was that the stored credentials would be of use to some as yet unseen piece of malware, and the assumption proved correct: Sality, a virus whose main purpose is to download and launch further malware, fetched a new component that searched for the encrypted file and the credentials stored in it.
Once the credentials have been located, the malware contacts a C&C server located in Florida and requests an "action script" that creates a visible instance of Internet Explorer and then directs it to facebook.com.
As soon as it reaches Facebook, the Trojan begins receiving instructions to install a rogue application under the compromised accounts. The application, named "VIP Slots," asks only for access to basic account details.
Because it lacks permission to post on the victim's wall, the application cannot currently be used for spamming, though that could change in the near future. Other instructions carried out by this component included opening google.com and searching for a predefined set of keywords; the purpose of this is not immediately clear.
Commenting on the matter, Nicolas Falliere, Senior Software Engineer at Symantec, stated that this script could serve the objectives of experimentation; further, it could also be a quite complicated means to assess the circulation of their creation, as per Google Trends reports, as reported by Softpedia on April 14, 2011.
Falliere further warned that, at present, script propagation appears to have stopped; however, new scripts could be distributed in the future because the C&C server has not been taken down and is still operating.
Finally, Symantec stated that, to avoid falling prey to such scams, Facebook users can check which applications they are currently subscribed to by opening their Privacy settings and visiting the Apps and Websites page.
SPAMfighter News - 22-04-2011