Social media platforms and popular instant messaging (IM) apps are convenient channels for cybercriminals to spread malware. Trend Micro experts provide an example of a worm that reaches computers through exactly these channels.
The researchers report that the piece of malware, identified as Worm_Steckct.evl, is distributed via a link that’s sent in private messages on Facebook and IM programs.
The shortened links contained in the posts point to an archive called “May09- Picture18.JPG_ www.facebook.com.zip”, which hides a file named “May09-Picture18.JPG _www.facebook.com”. The name is built to read like a picture hosted on Facebook, but its actual extension is .com, an executable file type on Windows, which reveals that this is in fact an executable file.
Once it’s run, the worm steps into play and terminates all the processes and services created by security software, thus ensuring that antivirus applications cannot disrupt its evildoings.
Steckct.evl then downloads another worm, detected as Worm_Eboom.ac, which monitors the victim’s browsing sessions.
The worrying part is that it doesn’t only log the posts and private messages the user creates or deletes on Facebook, MySpace, Twitter, WordPress, or Meebo, but it can also spread by utilizing the user’s active session on these sites.
“Facebook and IM applications are tools to share and connect. Cybercriminals’ use of these tools is nothing new, but there are users who fall prey to these schemes. We recommend users to be conscious with their online behavior, in particular on social media sites,” Cris Pantanilla, Threat Response Engineer at Trend Micro, writes.
As the expert highlights and as we’ve highlighted numerous times before, internauts must be wary of links that point to shady-looking websites or suspicious files.
In this particular case, it’s clear that the alleged picture taken on “May09” is not a JPG file, but an executable that’s not even so cleverly masked.
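The naming trick described above (a picture extension in the middle of the name, a real `.com` extension dressed up as a domain) can be checked on archive member names without extracting anything. The following is an added example, not code from Trend Micro or the original article; the extension lists, the function names and the sample archive with harmless placeholder contents are assumptions made for illustration.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly (partial list, an assumption of this example).
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# Decoy media/document extensions that lure names embed before the real one.
DECOY_EXT = re.compile(r"\.(jpe?g|png|gif|bmp|pdf|docx?|txt)(?![a-z0-9])", re.I)
# A trailing ".com" after a host-like prefix makes the name read like a URL.
URL_LIKE = re.compile(r"(www\.|https?)[\w.-]*\.com$", re.I)


def masquerade_reasons(member_name):
    """Return the reasons a file name looks like a disguised executable."""
    base = PurePosixPath(member_name.replace("\\", "/")).name.strip()
    ext = PurePosixPath(base).suffix.lower()
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = []
    if DECOY_EXT.search(base[: -len(ext)]):
        reasons.append("decoy extension before executable extension " + ext)
    if URL_LIKE.search(base):
        reasons.append("executable .com extension disguised as a domain name")
    return reasons


def scan_zip(zip_bytes):
    """Map suspicious ZIP member names to their reasons, without extracting."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        hits = {i.filename: masquerade_reasons(i.filename) for i in archive.infolist()}
    return {name: why for name, why in hits.items() if why}


def build_sample_zip():
    """Constructed sample: placeholder payloads under lure-style and benign names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        # Member name exactly as reported in the article above.
        archive.writestr("May09-Picture18.JPG _www.facebook.com", b"placeholder")
        archive.writestr("holiday.jpg", b"placeholder")
        archive.writestr("tools/setup.exe", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))
```

A plain `setup.exe` is deliberately not flagged: the check targets names that pretend to be something other than an executable, which is the behavior a mail or chat gateway can block with few false positives.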