Win32/Fifesock is a multi-component trojan family that injects code into Internet Explorer and Firefox in order to steal the user’s social networking credentials for sites such as Facebook, Twitter and Blogspot, and then uses these credentials to send spam to their contacts. It may also download and execute arbitrary files. Some variants have also been observed to install rogue security software such as Rogue:Win32/Winwebsec.
Installation
When run, Win32/Fifesock’s installer component drops two further components to the %TEMP% directory and runs them. These components consist of an additional installer component, which may be detected as Trojan:Win32/Fifesock.gen!A, and a spam component, which may be detected as Spammer:Win32/Fifesock.A. Some variants of Win32/Fifesock have also been observed to install and run rogue security software such as Rogue:Win32/Winwebsec.
The Trojan:Win32/Fifesock.gen!A component copies itself to %APPDATA%\<3-5 random lower case characters>.exe (for example, "ccfzg.exe").
It drops two DLLs to the %TEMP% folder using temporary file names generated by the computer (for example, "15a.tmp").
It then deletes the existing print provider and adds the second of these DLLs, which may be detected as Trojan:Win32/Fifesock.gen!B, as a replacement print provider. This ensures the DLL is run when the computer starts. Once it has been added as a print provider, the DLL is deleted when the computer is next restarted.
This second DLL, when first run, creates a mutex such as “systemsmssrvc”.
The trojan creates the following registry entry to ensure that the installer component runs at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: <file name of malware copy> (for example, "ccfzg.exe")
With Data: <path name of malware> (for example, "%APPDATA%\ccfzg.exe")
The DLL then places a modified copy of itself in the %TEMP% folder, using another system-generated temporary file name. This copy attempts to inject code from the first of the dropped DLLs (which may be detected as PWS:Win32/Fifesock.gen!A) into iexplore.exe and firefox.exe processes if they are running.
When the spam component is first run, it also copies itself to the %APPDATA% directory, using another file name with 3-5 random lower case characters. It uses the Task Scheduler to create a task named “fbagent” to ensure that this copy is run upon user login. This results in the creation of a file at %windir%\Tasks\fbagent.job. The following shows the fbagent task in the Scheduled Tasks list:
Payload
Terminates Internet Explorer and Firefox, and deletes cookies
When run, Fifesock’s additional installer component terminates any Internet Explorer or Firefox processes that are running. It also attempts to delete all Internet Explorer and Firefox cookies.
This forces the user to re-authenticate themselves to their social networking sites when they next use these browsers to visit them.
Downloads and executes arbitrary files
Each time it is successfully run, a component of Win32/Fifesock, which may be detected as PWS:Win32/Fifesock.gen!A, reports back to a server such as the following:
- fotoshare-dknc.com
- fotoshare-2dknc.com
- ddk100.com
- ddk2200.com
This server may respond with a URL containing the location of an update if one is available. If so, the malware will download the file from that location, save it to the %TEMP% directory, then execute the downloaded file.
Sends spam to social networking contacts
After it has been injected into Internet Explorer or Firefox, a component such as PWS:Win32/Fifesock.gen!A hooks a number of Internet APIs that are commonly used by these browsers. This allows it to monitor the URLs the user is visiting, and the other data that is being exchanged between the user and the servers at these URLs. If the user is visiting facebook.com, the malware will make a copy of the authentication token used to log in to Facebook. Some variants also attempt to copy the user’s credentials for Twitter and Blogspot.
Once it has successfully retrieved these credentials, it will pass them to its spam component. This may contact one of the servers mentioned in the previous section for further instructions. The server may respond with a message, which the malware will then send to the user’s contacts for these social networking sites. The server may specify a URL to be appended to this message, from which the message recipient may download an arbitrary executable. If this executable is Win32/Fifesock’s installer, this may be a means of spreading Win32/Fifesock to the user’s contacts.
This component may also attempt to generate new Blogspot accounts and send details of these accounts to the server.
Additional information
The malware may store a randomly generated 24 character alphanumeric system identifier under HKCU\Software\systems\SystemID.
For example,
In subkey: HKCU\Software\systems
Sets value: SystemID
With data: mZU2YgqCAk8h7RJ1wFDd2fYZ
It may also store status information under the following registry keys:
- HKCU\Software\facebook
- HKLM\Software\facebook
- HKCU\Software\blogspot
- HKLM\Software\blogspot
- HKCU\Software\twitter
- HKLM\Software\twitter
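As an added example, not taken from the Microsoft write-up, the following PowerShell triage script checks a host for the persistence and status artifacts described in the Installation and Additional information sections: the Run key entry, the fbagent task, the replaced print provider, the SystemID value and the per-site status keys. It assumes the standard HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers key, which the write-up does not name; the mutex and the injected browser processes are not covered.

```powershell
# Added triage script (not part of the Microsoft write-up). Read-only: it reports
# the Fifesock artifacts described above and removes nothing. Assumption: the
# Print\Providers key is the standard registration point for print providers;
# the write-up names the technique but not the key.
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Run key value: data is %APPDATA%\<3-5 lowercase letters>.exe. The HKLM entry may
#    hold another user's expanded profile path, so match the profile-relative suffix.
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($p in ($run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
    $data = "$($p.Value)".Trim('"')
    $leaf = [IO.Path]::GetFileName($data)
    $dir  = [IO.Path]::GetDirectoryName($data)
    if ($leaf -cmatch '^[a-z]{3,5}\.exe$' -and ($dir -ieq '%APPDATA%' -or $dir -match '(\\AppData\\Roaming|\\Application Data)$')) {
        $findings.Add("Run value '$($p.Name)' -> $data")
    }
}

# 2. Spam component persistence: the 'fbagent' task and its .job file
$job = Join-Path $env:windir 'Tasks\fbagent.job'
if (Test-Path $job) { $findings.Add("Task file present: $job") }
schtasks.exe /Query /TN fbagent 2>&1 | Out-Null
if ($LASTEXITCODE -eq 0) { $findings.Add("Scheduled task 'fbagent' is registered") }

# 3. Print provider replacement: a provider DLL registered by full path or with a .tmp
#    name. The DLL is deleted on the next reboot, so a dangling entry is still a hit.
$provRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers'
foreach ($prov in (Get-ChildItem $provRoot -ErrorAction SilentlyContinue)) {
    $dll = (Get-ItemProperty $prov.PSPath -ErrorAction SilentlyContinue).Name
    if ($dll -and ($dll -match '\\' -or $dll -match '\.tmp$')) {
        $state = if (Test-Path ([Environment]::ExpandEnvironmentVariables($dll))) { 'file present' } else { 'file missing' }
        $findings.Add("Print provider '$($prov.PSChildName)' -> $dll ($state)")
    }
}

# 4. 24-character alphanumeric SystemID and the per-site status keys
$sysId = (Get-ItemProperty 'HKCU:\Software\systems' -ErrorAction SilentlyContinue).SystemID
if ($sysId -cmatch '^[A-Za-z0-9]{24}$') { $findings.Add("HKCU\Software\systems\SystemID = $sysId") }
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($site in 'facebook', 'blogspot', 'twitter') {
        $key = "${hive}:\Software\$site"
        if (Test-Path $key) { $findings.Add("Status key present: $key") }
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { "[Fifesock indicator] $_" } }
else { 'No Win32/Fifesock indicators found.' }
```

Run it from an elevated prompt so the HKLM hive and the print-provider key are readable; a hit on the status keys alone warrants review rather than a verdict, since the other indicators are the ones specific to this family.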
Analysis by David Wood