Malware authors and distributors follow the money. Given the growing popularity of social networking websites, it should come as no surprise that malware continues to maintain a presence in this area.

Every year we are spending a growing proportion of our time online using social media like Facebook, Twitter and YouTube. What does this mean for the malware ecosystem?

Malware authors and distributors know that social networks don’t just connect people, they also instill a form of implicit trust. You are more likely to trust a URL or a video that is shared with you by a friend or connection.

We are seeing more and more cases of malware stealing passwords, spreading, and posting malicious links through social media networks. Many malware authors target the browser itself (Internet Explorer, Chrome, Firefox or Safari) so they can read and manipulate data at its origin, before it is encrypted; that way they never have to deal with a secure protocol such as HTTPS once the data leaves the user's system.

One such piece of malware that I recently came across is detected as Trojan:AutoIt/Kilim.A (SHA1: b342873c3f779db0e00fd3c1eb2ded3f8bf948da). Kilim specifically targets the Google Chrome browser.

The trojan may be installed when an unsuspecting user clicks on a shortened hyperlink that redirects to a malicious website. The website masquerades as a download site for legitimate software and tricks the user into downloading and executing Kilim.

Upon successful execution, Kilim disables User Account Control (UAC) and adds an auto-start entry in the system registry so that it survives a reboot. It then proceeds to download two malicious Chrome browser extensions. We detect the malicious scripts in the extensions as Trojan:JS/Kilim.A.

Kilim connects to a remote server to download configuration files that indicate the location of the malicious extensions:

  • www.<removed>/crx.txt
  • www.<removed>/crx.txt

It then closes Chrome and installs the two extensions using the following configuration files and registry entries that it creates. ExtensionInstallForcelist is the Chrome enterprise policy for extensions that must be installed and cannot be disabled by the user, so Kilim is abusing an administrative feature rather than the normal extension install flow:

  • %windir%\adobeflash\update.xml
  • %windir%\adobeflash2\update.xml

In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Value: "1"
With Data: "%windir%\AdobeFlash\update.xml"

In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Value: "2"
With Data: "%windir%\adobeflash2\update.xml"
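The artifacts above (the disabled UAC, the forced-install policy values, the two update manifests and an auto-start entry) are what a responder would check for on a suspect machine. The following PowerShell script is an added example written for this page; it is not MMPC tooling and is not taken from the Kilim sample. The registry paths and manifest file names come from the description above. The EnableLUA value, the Run keys, and the layout of a Chrome update manifest (an <app appid="..."> element containing <updatecheck codebase="..."/>) are standard Windows and Chrome details and are assumptions of the example, not facts the write-up states about Kilim.

```powershell
# Kilim host triage (added example, not part of the MMPC write-up).
# Run from an elevated PowerShell prompt on the suspect machine.

$findings = New-Object System.Collections.Generic.List[string]

# 1. UAC. Kilim is reported to disable it; EnableLUA = 0 is the registry footprint.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue
if ($uac -and $uac.EnableLUA -eq 0) {
    $findings.Add('UAC is disabled (EnableLUA = 0)')
}

# 2. Force-installed Chrome extensions. Anything under this subkey was pushed by
#    policy; on a home PC that is not managed there should be nothing here at all.
$forceKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
if (Test-Path -Path $forceKey) {
    $props = Get-ItemProperty -Path $forceKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PSPath/PSParentPath/... metadata
        $findings.Add("ExtensionInstallForcelist '$($p.Name)' = $($p.Value)")
        # Legitimate entries look like '<32-char extension id>;https://<update url>'.
        # A bare local file path, as in this infection, is the tell.
        if ($p.Value -notmatch '^[a-p]{32};https://') {
            $findings.Add("  -> not a Web Store style entry: $($p.Value)")
        }
    }
}

# 3. The dropped update manifests. The codebase attribute of <updatecheck> says
#    where the .crx was fetched from, which tells you what was actually installed.
$manifests = @("$env:windir\adobeflash\update.xml", "$env:windir\adobeflash2\update.xml")
foreach ($manifest in $manifests) {
    if (-not (Test-Path -Path $manifest)) { continue }
    $findings.Add("Update manifest present: $manifest")
    try {
        [xml]$doc = Get-Content -Path $manifest -Raw
        # local-name() sidesteps the gupdate XML namespace, so this works with or without it
        foreach ($app in (Select-Xml -Xml $doc -XPath '//*[local-name()="app"]')) {
            $node  = $app.Node
            $check = $node.SelectSingleNode('*[local-name()="updatecheck"]')
            $codebase = if ($check) { $check.GetAttribute('codebase') } else { '(none)' }
            $findings.Add("  appid=$($node.GetAttribute('appid')) codebase=$codebase")
        }
    } catch {
        $findings.Add("  could not parse $manifest : $($_.Exception.Message)")
    }
}

# 4. Auto-start. The write-up says Kilim adds an entry but does not name it, so
#    list the usual Run keys and review anything unfamiliar by hand.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $findings.Add("Run entry [$key] '$($p.Name)' = $($p.Value)")
    }
}

if ($findings.Count -eq 0) { 'No Kilim indicators found.' } else { $findings }
```

The script only reports. Cleanup is the reverse of what the trojan did: remove the two ExtensionInstallForcelist values and the update.xml files, restart Chrome (which drops extensions that are no longer forced by policy), set EnableLUA back to 1 and reboot, and remove the auto-start entry once you have identified it.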

Kilim also uses the following tricks to hide the installed extensions:

  1. If you click on the About menu in the Chrome browser and then select Settings, you are taken to google.com instead of the settings page.
  2. If you type “chrome://extensions/” into the address bar, it redirects to “https://chrome.google.com/webstore” instead of showing the internal extensions page. This prevents you from seeing the list of installed extensions.

This means you never get to see, or uninstall, the malicious extensions.

Once the malicious browser extensions are installed, Kilim can act within your logged-in sessions on social networking sites such as:

  • Facebook.com
  • Twitter.com
  • YouTube.com
  • Ask.fm
  • Vk.com

The next time you log in to those websites using Chrome, it may post messages, “like” pages on Facebook, follow profiles and send direct messages on Twitter, or comment on YouTube videos. Because the extension runs inside the browser and reuses your own session cookies, HTTPS offers no protection against it. It can continue to do this for as long as the authenticated session cookie is valid - in other words, until you log out.

Here's an example of a message that it posts as a direct message on Twitter in Turkish:

  • "Selam  bir site buldum günlük 250 takipçi veriyor. Sen de denemelisin:)"

This translates as:

  • "Hi, I found a site that gives 250 followers a day. You should try it too:)"

The following screenshot shows the pages “liked” within minutes by a Facebook profile on an infected computer. All of these pages were liked by the malware, not by the logged-on user:

Figure 1: Pages “liked” by Trojan:AutoIt/Kilim.A


The screenshot below shows unknown page followers that were automatically added by Kilim:

Figure 2: Facebook page followers added by Trojan:AutoIt/Kilim.A


Posts from the two unknown followers also appeared in the user’s newsfeed:

Figure 3: Newsfeed posts added by Trojan:AutoIt/Kilim.A on an infected user’s Facebook page.

One might wonder, how does this benefit the malware author or distributor?

Kilim appears to be part of a scheme that sells Twitter followers for a price. It could also extend its functionality to do more - perhaps stealing sensitive information such as passwords, or distributing other malware for a fee and being paid per installation or per click-through, similar to a pay-per-install model.

Kilim can update and extend itself every time it connects back to the server, because the extensions fetch JavaScript code from the server and execute it in the context of the browser; no new binary has to be dropped on the system.

Even after Kilim itself has been removed, remnants of the malicious extensions might remain. In Figure 4, the extension “Kalkiyormu?” is a leftover from a Kilim infection, as is “Flash Player 5”. Note that Chrome ships with built-in Flash support, so any extension that calls itself Flash Player should be treated as suspicious.

The Trojan:JS/Kilim.A description has instructions on how to remove these browser extensions manually.

Figure 4: remnants of a Trojan:AutoIt/Kilim.A infection remain as browser extensions.


Social media presents a quick and lucrative avenue to spread malware. Combine this with the growing online population and I predict we will see more of these social bots in the future.

As always, the best advice is to keep your security software up-to-date and use caution when clicking unknown links - even if they are shared in your trusted social network.

Karthik Selvaraj
MMPC