Malware targeting Facebook (June 18, 2010)

SonicWALL UTM Research team observed reports of a new Facebook malware being spammed via private messages through Facebook. The message pretends to contain a link to a photo album but eventually leads to the download of the malware.

Thousands of users were reportedly affected by this malware. Messages sent by the malware from an infected machine look like:

  • “You? I find it on google. http://www.onli(REMOVED)albums.org/Ephraim_Garlit”
  • “That yours? I find it on google. http://www.onli(REMOVED)albums.org/Rhoda_Octavia”

If the recipient user clicks the link, it leads them to a malicious site that looks like:

screenshot

The malware gets downloaded when the user clicks on the photo album:

screenshot

If the user attempts to open the downloaded executable, it performs the following activities:

  • It displays a dialog box with a fake message claiming that the file type is not supported by the OS:

    screenshot

  • It drops three malicious executable files and executes them:
    • (TEMP)\1.exe
    • (TEMP)\2.exe
    • (TEMP)\3.exe

Process 1.exe

This process scans for any open Internet Explorer or Firefox instances and terminates them, so that the code injected by process 3.exe gets executed during the next browsing session.

Process 2.exe

This process performs the following file and registry modifications:

  • Drops a copy of itself at (Application Data)\dfw.exe [Detected as GAV: Kbot.ANJ (Trojan)]
  • Adds the registry entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfw.exe: "(Application Data)\dfw.exe" to ensure that it runs on system restart.
  • Memory dump showing the strings related to Facebook during this process run: screenshot

Process 3.exe

  • Scans for security-related processes such as Kaspersky, F-Secure and Comodo and terminates them when found.
  • Attempts to disable the System Restore functionality.
  • Drops a malicious DLL at (Application Data)\Windows Server\ckiobo.dll [Detected as GAV: Small.ACMO (Trojan)]
  • Adds registry entries
    • HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\AppSecDll: "(Application Data)\Windows Server\ckiobo.dll"
    • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\AppSecDll: "(Application Data)\Windows Server\ckiobo.dll"
  • Injects the malicious DLL code into memory, where it gets executed when the user attempts to connect to Facebook via IE or Firefox.
  • Deletes itself.

The following HTTP requests were initiated by the malware once the user logged onto Facebook on an infected machine:

  • GET /message.php?subid=284&version=_nn2&id=(REMOVED)XAOBd00TglD6O HTTP/1.1 Host: smartcontrol.info
  • GET /ab/setup.php?act=filters&id=(REMOVED)Qf7E4s2t&ver=2 HTTP/1.1 Host: spmfb3309.com
  • POST /ab/setup.php?act=data HTTP/1.1 Host: spmfb3309.com
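The persistence locations (the Run key and the AppCertDlls value) and the HTTP requests listed above are the indicators a defender can hunt for. The script below is an added example, not part of the original advisory or SonicWALL's own tooling: it runs two small checks over constructed registry-change events and proxy log lines, flagging any write under AppCertDlls (a DLL registered there is loaded into processes that call the CreateProcess family of APIs, which is how the dropped DLL reaches the browser), Run-key autostarts that point at the dropped file names from this advisory, and requests to the two hosts seen in the traffic. The log formats, the client IPs and the `C:\Documents and Settings\...` paths are assumptions made up for the example; the hosts, URL paths and file names come from the advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the advisory text above.
C2_HOSTS = {"smartcontrol.info", "spmfb3309.com"}
C2_PATH_RE = re.compile(r"^/ab/setup\.php\?act=(filters|data)\b")
DROPPED_FILES = ("dfw.exe", "ckiobo.dll")

# Persistence locations described in the advisory. AppCertDlls is rarely
# written on a healthy system, so any write there is worth a look.
APPCERTDLLS_RE = re.compile(
    r"\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Session Manager\\AppCertDlls\\",
    re.I,
)
RUN_KEY_RE = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


@dataclass
class Finding:
    source: str   # "registry" or "proxy"
    reason: str
    line: str


def check_registry_event(line: str) -> Optional[Finding]:
    """Constructed event format: 'REG SET <key>\\<value name> = <data>'."""
    if APPCERTDLLS_RE.search(line):
        return Finding("registry", "DLL registered under AppCertDlls", line)
    # Run-key entries are common; only flag those naming a known dropped file.
    if RUN_KEY_RE.search(line) and any(f in line.lower() for f in DROPPED_FILES):
        return Finding("registry", "Run-key autostart for a known dropped file", line)
    return None


def check_proxy_line(line: str) -> Optional[Finding]:
    """Constructed proxy format: 'date time client method host path status'."""
    parts = line.split()
    if len(parts) < 7:
        return None
    method, host, path = parts[3], parts[4], parts[5]
    if host.lower() in C2_HOSTS:
        return Finding("proxy", f"{method} to known C2 host {host}", line)
    # Weaker indicator: the check-in URL shape, in case the host changes.
    if C2_PATH_RE.match(path):
        return Finding("proxy", f"{method} with C2-style path {path}", line)
    return None


def scan(registry_events: List[str], proxy_lines: List[str]) -> List[Finding]:
    findings = [f for f in map(check_registry_event, registry_events) if f]
    findings += [f for f in map(check_proxy_line, proxy_lines) if f]
    return findings


# Constructed sample data: two malicious registry writes, one benign one,
# the three requests from the advisory (ids redacted) and one benign request.
REGISTRY_EVENTS = [
    r"REG SET HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfw.exe = C:\Documents and Settings\user\Application Data\dfw.exe",
    r"REG SET HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\AppSecDll = C:\Documents and Settings\user\Application Data\Windows Server\ckiobo.dll",
    r"REG SET HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Program Files\Vendor\updater.exe",
]
PROXY_LOG = [
    "2010-06-18 10:01:02 10.0.0.5 GET smartcontrol.info /message.php?subid=284&version=_nn2&id=REDACTED 200",
    "2010-06-18 10:01:05 10.0.0.5 GET spmfb3309.com /ab/setup.php?act=filters&id=REDACTED&ver=2 200",
    "2010-06-18 10:01:09 10.0.0.5 POST spmfb3309.com /ab/setup.php?act=data 200",
    "2010-06-18 10:02:00 10.0.0.7 GET www.facebook.com /home.php 200",
]

if __name__ == "__main__":
    for f in scan(REGISTRY_EVENTS, PROXY_LOG):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

Host matching is the strong signal; the path-shape check is deliberately secondary because the hosts in this campaign are disposable, and the AppCertDlls rule is kept unconditional because that key is a legitimate but rarely used extension point, so a write to it on a workstation deserves review regardless of the DLL name.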

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Kbot.ANJ (Trojan) signature.
