Dorkbot Malware Spotted on Facebook Chat

Facebook invests heavily in security protections for its users and advertisers; however hackers have been using a new variant of Dorkbot malware and have been using Facebook chat to infect users’ devices.

Dorkbot malware is a W32 worm that spies on internet users and records passwords and other sensitive information. This type of malware is also capable of blocking websites and preventing security updates, and has been linked to some DDoS attacks. Dorkbot malware is often delivered via messages linked to social media networks.

The worm is often installed as it looks innocent. Many users are fooled by the name the hackers have given the attachment: Facebook-profile-pic-<randomnumber>-JPEG.exe. Users see the Facebook-profile-pic name, and the JPEG, but miss the .exe on the end.

Dorkbot malware is also spread by infecting USB drives. Often this happens by creating a RECYCLER folder and registering it as the recycle bin on the removable drive. The worm creates an autorun.inf file to ensure it is automatically copied onto any device the USB connects to. However, it is also spread via instant messaging services using the Internet Relay Chat Protocol (IRC), and has recently been identified on Facebook chat. The Facebook Dork Malware variant was discovered to have exploited a security vulnerability in the MediaFire file-sharing website. Recently it was identified on Skype, but until now it had not been seen on Facebook chat.

Dorkbot malware can be controlled remotely by a hacker and configured to send messages to all Facebook contacts in an infected user’s account. A link is often sent that, if clicked, will run and install the malware on the device used to access the message. A hacker can control how fast Dorkbot malware spreads. It may not necessarily be used to instantly send messages to friend lists. Since many Facebook users share friends, if they were bombarded with numerous messages in a short space of time their suspicions would likely be roused.

Unfortunately, users trust Facebook. Sure they are aware that the social media network uses their data and shares that information with third party advertisers, but the company is generally trusted to be malware and virus free. Unfortunately, that is far from being the case. Facebook and other social media networks are full of malicious links and posts. Hackers and cybercriminals take advantage of trust in the website which allows them to infect huge volumes of users with malware.

Users may have passwords stolen, but there is an even bigger risk for businesses. Corporate secrets and login credentials could be stolen by Dorkbot malware and sent to hackers’ command and control centers.

Defenses must therefore be employed to reduce the risk of employees inadvertently infecting their work computers and networks. If a BYOD scheme is in operation the risk is even higher.

Since Dorkbot malware can be spread via USB drives, one Facebook user could end up infecting multiple computers, while the hacker could send Dorkbot malware to all of their work colleagues via Facebook chat.

Fail to implement robust, multi-layered security defenses and the consequences for your business could be severe!