View Full Version : Backdoor Distributed as Facebook Messenger Application

19-04-2011, 12:21 PM
http://img.photobucket.com/albums/v708/starbuck50/facebook-1.jpg New rogue emails posing as official Facebook communications lead users to a website distributing a backdoor as an application called Facebook Messenger.

The emails bear a subject of "[user] listed you as his uncle" and make use of the real template corresponding to real Facebook notifications.

The body message informs recipients of several pending actions, including a friendship request and includes a www.facebook.com link that actually points to a third-party website.

The rogue page advertises a program called Facebook Messenger, which according to its description, is supposed to be an "app for quick access to messages from your Facebook account."

The screenshots presented on the page are taken from an Android phone, but the file served for download is an executable called FacebookMessengerSetup.exe, not an .apk Android package.

According to researchers from Trend Micro, the file is an installer for BKDR_QUEJOB.EVL, a backdoor that opens a connection on TCP Port 1098 and listens for commands.

The backdoor allows attackers to update the malicious file, download and run other malware applications, and launch certain processes. Information about the infected system, such as installed antivirus products and OS version, is gathered and sent to an SMTP server.

"It has been said in several instances that Facebook is bound to replace email as a means of communication, as it provides a more convenient way for users to send messages," notes Trend Micro fraud analyst Paul Pajares.

"It is this convenience that was leveraged by cybercriminals in a recent spam run we’ve seen, offering users to download an application called Facebook Messenger to make it easier for them to access messages sent to their Facebook account," he explains.

Facebook's popularity is commonly exploited via rogue emails that masquerade as official communications from the company.

We've seen fake password change and unread messages notifications spreading malware on a constant basis. This suggests that such lures are successful and users are not educated enough to avoid them.