
Aggressive Botnet Spreads Via Facebook Chat, Skype and other Popular IM Services

Posted: August 31, 2012

Security researchers have uncovered an aggressive botnet threat that is spreading through a multitude of instant messaging services, such as Skype, Facebook Chat, Google Talk, Yahoo Messenger, ICQ and Windows Live Messenger.

Malware that uses an instant messaging platform to spread is nothing new. What is new is a botnet threat that spreads through virtually all popular instant messenger services and can turn vulnerable PCs into zombies awaiting instructions from a remote attacker.

This new botnet threat, which typically uses a file named something like Picturexx.JPG_www.facebook.com when spreading through Facebook Chat, is able to proliferate through an Ajax command that makes the instant message look as if it came from one of your Facebook friends. Have you ever seen advertisements that closely resemble a Facebook chat box and thought one of your Facebook friends was messaging you? You can think of this botnet's aggressive techniques as a similar case. Facebook is the world's largest social network, with almost a billion users. Quickly identifying a bogus Facebook Chat message may be a difficult task for thousands to millions of Facebook users.

Example of a fake Facebook Chat message with a malicious link to download malware. Source: McAfee

Once the botnet has crafted an instant message with a malicious link, the user's PC is infected after the user clicks on the link. Once infected, the computer may open a connection to receive commands from a remote source. From there, the infected system sends out instant messages through pretty much any instant messenger service in an attempt to infect other computers.

The diagram below is a flow chart from McAfee showing how the infection propagates and bypasses the Windows Firewall by using a specific 'netsh firewall allowed program' command line. When a Windows system with this particular infection boots, the infection automatically loads and copies itself to another folder to potentially evade detection.

Flow chart from McAfee on how the infection propagates
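
As an added example (not code from this article or from McAfee), the Python below scans process-creation command lines for the two observable behaviors described above: a lure file named like Picturexx.JPG_www.facebook.com, and a firewall exception added with the legacy `netsh firewall add allowedprogram` syntax. The sample command lines, the list of user-writable folders, the severity labels and the extra executable extensions (a generalization beyond the article's single `.com` example) are assumptions made for illustration.

```python
import re

# Lure names shaped like the article's "Picturexx.JPG_www.facebook.com": an image
# extension mid-name, while the final extension (.com) is executable on Windows.
LURE_RE = re.compile(
    r'[^\\/"\s]+\.(?:jpe?g|png|gif|bmp)_www\.[\w.-]+?\.(?:com|exe|scr|pif)(?=["\s]|$)',
    re.IGNORECASE)

# Legacy Windows Firewall syntax: netsh firewall add allowedprogram <path> ...
# The path may be positional or given as program=, quoted or bare.
NETSH_RE = re.compile(
    r'\bnetsh(?:\.exe)?"?\s+firewall\s+add\s+allowedprogram\s+'
    r'(?:program\s*=\s*)?("[^"]+"|\S+)',
    re.IGNORECASE)

# Assumption: exceptions for binaries in user-writable folders get priority.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

def scan(cmdlines):
    """Return (index, rule, severity, detail) for each suspicious command line."""
    findings = []
    for i, line in enumerate(cmdlines):
        lure = LURE_RE.search(line)
        if lure:
            findings.append((i, "lure-filename", "high", lure.group(0)))
        fw = NETSH_RE.search(line)
        if fw:
            path = fw.group(1).strip('"')
            risky = any(d in path.lower() for d in USER_WRITABLE)
            findings.append((i, "fw-exception", "high" if risky else "low", path))
    return findings

# Constructed process-creation command lines (not taken from the McAfee report).
SAMPLE = [
    r'"C:\Users\amy\Downloads\Picture12.JPG_www.facebook.com"',
    r'netsh firewall add allowedprogram "C:\Users\amy\AppData\Roaming\svc host.exe" Update ENABLE',
    r'netsh firewall add allowedprogram program="C:\Program Files\Vendor\agent.exe" name=Agent mode=ENABLE',
    r'netsh firewall show config',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The "low" result for the Program Files entry is a triage hint only; any exception added by a process that is not a known installer still merits a look.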

What is probably the most disconcerting aspect of this aggressively spreading botnet, aside from its use of all well-known instant messaging services, is that it purposely disables software that could prevent it from spreading. Essentially, the infection will disable antivirus software, Yahoo updates and even Windows Update. Additionally, it will change the home page for the Google Chrome and Internet Explorer web browsers.

Computer users are urged to avoid clicking on links in instant messages. Unless you are 100% certain of an IM link, you should not trust it. Instant messaging has long been a means for hackers to spread malware, and they have only begun to ramp up their efforts to keep this method thriving.

One Comment

  • anonymious says:

    Nevaeh Hausman infection in skype ned a apply ment soon. how to get rid off fake callers like boot callers
