A new variant of the Dorkbot malware infects Facebook users worldwide, spreading from one friend to another through the social network’s internal chat. The Bitdefender Labs have caught and blocked the worm, which is capable of spying on users’ browsing activities and stealing their personal details. The malware family mainly circulates in the US, India, Portugal, the UK, Germany, Turkey and Romania.
The infection was originally flagged by MediaFire, who detected that the malware was being distributed disguised as an image file. Despite the misleading extension, MediaFire identified the file as a .exe and immediately notified Bitdefender of the threat.
The Dorkbot malware poses as a “jpg” image but is actually an executable file. As an IRC bot, the malware is easily coordinated by the attackers from a control and command server. Besides stealing usernames and passwords, the botmaster may also order other malware downloads.
MediaFire has taken steps to address incorrect and misleading file extensions in an upcoming update, which identifies and displays a short description identifying specific file types. To help users for this specific instance, the file sharing service will also block any files with double extensions, such as .jpg.exe, .png.exe, or .bmp.exe.
A variant similar to the one currently spreading was detected by the antivirus company two years ago. Like other malware, Backdoor.IRCBot.Dorkbot can update itself once installed on the victim’s computer.
The dangerous software may hide its presence and prevent antivirus software from running vital security updates. Besides instant messaging, Dorkbot can also spread through USB devices. A technical description is available on the Bitdefender website.
This is not the first time the malware, which uses Internet Relay Chat to send and receive data, was repacked to avoid detection. In 2011, another nasty variant reinvented itself to haunt users’ systems.
Bitdefender has noticed the number of malicious URLs spreading through social networks has increased in the last couple of years. At the same time, heightened security awareness has helped slow traditional phishing attacks. Viruses are mostly propagated through Facebook scams such as “guess who viewed your profile”, which trigger users’ curiosity in simple but efficient social engineering attacks. According to recent Bitdefender studies, other popular baits tricking users to click on malicious links include Rihanna and Taylor Swift sex tapes.
Users should avoid clicking on suspicious links on Facebook chat or other IRC networks, even when they seem to be coming from friends. They should also scan their computers with an app such as the free Bitdefender 60-second to see if they caught the Dorkbot malware and allow their antivirus to disinfect their files.
This article is based on the technical information provided courtesy of Paul Bot and Cristina Vatamanu, Bitdefender Malware Researchers.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.