
Post on 28-Mar-2015


The Facebook PokerAgent

Robert Lipovsky, lipovsky@eset.sk

What we'll talk about...

• OnlineGames trojans
• "Pokec Sniffer"
• Ransomware
• Android malware
• Grey zone

Facebook

• 1.11 Billion active users (March 2013)

• Malware use:
• Distribution vector
• Motive

Win32/Delf.QCZ

• July 2011
• Spread through Facebook & Vkontakte – improved social engineering
• Removed AV in safe-mode
• Backdoor, downloader

• Bitcoin mining, DDoS, malware distribution

Like-jacking through Malicious Browser Plug-ins

PokerAgent: Introduction

• Interesting binary:
• Facebook
• Zynga Poker
• "PokerAgent"

• MSIL/Agent.NKY

• Active: Q4/2011 - Q1/2012
• Most widespread: Israel

PokerAgent: Overview

• Botnet: bots performed tasks
• Extensive db of stolen Facebook credentials

• Zynga Poker Stats
• Linked Credit Card information
• FB account phishing

• Trojan (probably) distributed through Facebook

PokerAgent: Details

• Zynga Poker stats

http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1

PokerAgent: Details

• Credit card info

https://secure.facebook.com/settings?tab=payments&section=methods

You have <strong>X</strong> payment methods saved.

PokerAgent: Details

• Phishing
• Tasks contained phishing URLs
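The three "Details" slides above describe the two requests a task made against each stolen account: the Zynga Poker profile_popup endpoint (one request per Facebook ID) and the Facebook payments settings page. From a defender's side, the useful observation is that an infected host cycles through many different Facebook IDs in a short time, which a normal user never does. The following is an added example, not code from the ESET presentation: a small detection that runs over constructed proxy log lines (timestamp, client IP, method, URL; a simplified format, not any vendor's) and flags clients that query Zynga stats for several distinct Facebook IDs and also fetch the payments page inside one time window. The URL patterns are the ones on the slides; the log lines, the thresholds (`min_ids`, `window`) and the function names are my assumptions.

```python
"""Flag hosts showing the PokerAgent task pattern in constructed proxy logs.

Added example, not from the presentation. Log format, sample lines, thresholds
and function names are assumptions; the two URL patterns come from the slides.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Zynga Poker stats endpoint shown on the slide; captures the Facebook ID after "zid=1:"
ZYNGA_STATS = re.compile(
    r"facebook2\.poker\.zynga\.com/poker/inc/ajax/profile_popup\.php\?zid=1:(\d+)"
)
# Facebook payments settings page shown on the slide
FB_PAYMENTS = re.compile(r"secure\.facebook\.com/settings\?tab=payments&section=methods")

# Constructed log format: "<ISO timestamp> <client IP> <method> <URL>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample log: 10.0.0.5 behaves like a bot working through several
# stolen accounts; 10.0.0.7 looks like one user checking their own profile;
# 10.0.0.9 only visits its own payment settings.
SAMPLE_LOG = """
2012-01-15T10:00:01 10.0.0.5 GET https://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100001&signed_request=abc&platform=1
2012-01-15T10:00:03 10.0.0.5 GET https://secure.facebook.com/settings?tab=payments&section=methods
2012-01-15T10:00:09 10.0.0.5 GET https://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100002&signed_request=def&platform=1
2012-01-15T10:00:11 10.0.0.5 GET https://secure.facebook.com/settings?tab=payments&section=methods
2012-01-15T10:00:20 10.0.0.5 GET https://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100003&signed_request=ghi&platform=1
2012-01-15T10:00:22 10.0.0.5 GET https://secure.facebook.com/settings?tab=payments&section=methods
2012-01-15T10:05:00 10.0.0.7 GET https://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:200001&signed_request=xyz&platform=1
2012-01-15T10:06:00 10.0.0.7 GET https://www.facebook.com/
2012-01-15T11:30:00 10.0.0.9 GET https://secure.facebook.com/settings?tab=payments&section=methods
"""


def parse_line(line):
    """Return an event dict for a relevant request, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url = m.groups()
    z = ZYNGA_STATS.search(url)
    if z:
        kind, fb_id = "zynga_stats", z.group(1)
    elif FB_PAYMENTS.search(url):
        kind, fb_id = "fb_payments", None
    else:
        return None  # unrelated request
    return {"ts": datetime.fromisoformat(ts), "client": client, "kind": kind, "fb_id": fb_id}


def find_pokeragent_hosts(lines, min_ids=3, window=timedelta(minutes=10)):
    """Return {client: stats} for clients that, within `window`, looked up Zynga
    stats for at least `min_ids` distinct Facebook IDs and also fetched the
    payments settings page. Thresholds are assumptions, tune them to your data."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["client"]].append(ev)

    flagged = {}
    for client, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window starting at each event of this client
        for i, start in enumerate(evs):
            ids, payments = set(), 0
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                if ev["kind"] == "zynga_stats":
                    ids.add(ev["fb_id"])
                else:
                    payments += 1
            if len(ids) >= min_ids and payments:
                flagged[client] = {"distinct_facebook_ids": len(ids),
                                   "payment_page_hits": payments}
                break
    return flagged


if __name__ == "__main__":
    for client, stats in find_pokeragent_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {stats}")
```

Only 10.0.0.5 is flagged: three distinct Facebook IDs plus the payments page within a minute. Without TLS inspection a proxy only sees the hostnames, so in practice the same idea can be applied to the pair of SNI/hostname values per client, at the cost of losing the per-ID count.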

PokerAgent: Additional details

PokerAgent: Modus Operandi

• Attacker’s motives:

• Harvest Facebook login credentials
• Check Facebook accounts for Poker stats and Credit Card info

PokerAgent: Investigation

• Active botnet monitoring

• 800+ infected bots
• 16 194+ Facebook access credentials in database

• Cooperation with:
• Israeli CERT
• Israeli law enforcement
• Facebook

Thank you…

samples@eset.sk
lipovsky@eset.sk

WeLiveSecurity.com
VirusRadar.com
