the facebook pokeragent robert lipovsky lipovsky@eset.sk
Post on 28-Mar-2015
The Facebook PokerAgent
Robert Lipovsky, lipovsky@eset.sk
What we will talk about...
• OnlineGames trojans
• "Pokec Sniffer"
• Ransomware
• Android malware
• Grey zone
• 1.11 Billion active users (March 2013)
• Malware use:
• Distribution vector
• Motive
Win32/Delf.QCZ
• July 2011
• Spread through Facebook & Vkontakte – improved social engineering
• Removed AV in safe-mode
• Backdoor, downloader
• Bitcoin mining, DDoS, malware distribution
Like-jacking through Malicious Browser Plug-ins
PokerAgent: Introduction
• Interesting binary:
• Facebook
• Zynga Poker
• "PokerAgent"
• MSIL/Agent.NKY
• Active: Q4/2011 - Q1/2012
• Most widespread: Israel
PokerAgent: Overview
• Botnet: bots performed tasks
• Extensive db of stolen Facebook credentials
• Zynga Poker Stats
• Linked Credit Card information
• FB account phishing
• Trojan (probably) distributed through Facebook
PokerAgent: Details
• Zynga Poker stats
http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
PokerAgent: Details
• Credit card info
https://secure.facebook.com/settings?tab=payments&section=methods
You have <strong>X</strong> payment methods saved.
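One defensive use of the two endpoints above, as an added example that is not from the talk: a proxy-log check that flags a client fetching Zynga Poker stats for many different Facebook IDs and also visiting the payment-methods page, which is what a bot working through a list of stolen credentials looks like. The log format, IPs and query values are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines (not from the talk): "<ts> <client_ip> <method> <url>"
SAMPLE_LOG = """\
2012-01-10T10:00:01 10.0.0.5 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100001&signed_request=abc&platform=1
2012-01-10T10:00:02 10.0.0.5 GET https://secure.facebook.com/settings?tab=payments&section=methods
2012-01-10T10:00:03 10.0.0.5 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100002&signed_request=def&platform=1
2012-01-10T10:00:04 10.0.0.5 GET https://secure.facebook.com/settings?tab=payments&section=methods
2012-01-10T10:00:05 10.0.0.5 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100003&signed_request=ghi&platform=1
2012-01-10T10:00:06 10.0.0.5 GET https://secure.facebook.com/settings?tab=payments&section=methods
2012-01-10T10:05:00 10.0.0.9 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100004&signed_request=jkl&platform=1
2012-01-10T10:06:00 10.0.0.9 GET https://www.facebook.com/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
POKER_STATS_PATH = "/poker/inc/ajax/profile_popup.php"
PAYMENTS_PATH = "/settings"


def profile_hosts(log_text):
    """Per client IP: set of distinct Zynga IDs queried and number of payment-page hits."""
    stats = defaultdict(lambda: {"zids": set(), "payments": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        _ts, ip, _method, url = m.groups()
        u = urlparse(url)
        q = parse_qs(u.query)
        if u.hostname == "facebook2.poker.zynga.com" and u.path == POKER_STATS_PATH:
            for zid in q.get("zid", []):
                stats[ip]["zids"].add(zid)
        elif (u.hostname == "secure.facebook.com" and u.path == PAYMENTS_PATH
              and q.get("tab") == ["payments"] and q.get("section") == ["methods"]):
            stats[ip]["payments"] += 1
    return stats


def flag_account_checkers(log_text, min_distinct_ids=3):
    """Return client IPs that pulled poker stats for several distinct accounts and
    also opened the payment-methods page: one machine acting for many Facebook
    identities is bot behaviour, not a user looking at their own profile."""
    return sorted(ip for ip, s in profile_hosts(log_text).items()
                  if len(s["zids"]) >= min_distinct_ids and s["payments"] > 0)
```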
PokerAgent: Details
• Phishing
• Tasks contained phishing URLs
PokerAgent: Additional details
PokerAgent: Modus Operandi
• Attacker’s motives:
• Harvest Facebook log-on credentials
• Check Facebook accounts for Poker stats and Credit Card info
PokerAgent: Investigation
• Active botnet monitoring
• 800+ infected bots
• 16 194+ Facebook access credentials in database
• Cooperation with:
• Israeli CERT
• Israeli law enforcement
• Facebook
Thank you…
samples@eset.sk
lipovsky@eset.sk
WeLiveSecurity.com
VirusRadar.com