Spammer:Win32/Fifesock.F is a component of Win32/Fifesock, a multi-component trojan family that injects code into Internet Explorer and Firefox in order to steal the user's credentials for social networking sites such as Facebook, Twitter and Blogspot, and then uses those credentials to send spam to the user's contacts. It may also download and execute arbitrary files. Some variants have also been observed to install rogue security software such as Rogue:Win32/Winwebsec.
Installation
Spammer:Win32/Fifesock.F may be dropped to the %TEMP% directory and executed, along with another component which may be detected as Trojan:Win32/Fifesock.gen!A. The dropper itself may be detected under either of these two names. Some variants of this installer have also been observed to install and run rogue security software such as Rogue:Win32/Winwebsec.
When first run, Spammer:Win32/Fifesock.F copies itself to %APPDATA%\<3-5 random lower-case letters>.exe (for example, yseuw.exe). It uses the Task Scheduler to create a task named "fbagent" so that this copy is run at each user logon; creating the task also results in the file %windir%\Tasks\fbagent.job, and the fbagent task is visible in the Scheduled Tasks list.
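The following PowerShell script is an added example for hunting the persistence artifacts just described on a live Windows host; it is not part of the encyclopedia entry and not the malware's own code. It assumes the task name, .job path and %APPDATA% filename pattern are exactly as stated above, that it is run in the session of the user whose profile may be infected, and that any match is a lead for triage rather than proof of infection (a short lower-case .exe name in %APPDATA% is a weak indicator on its own, which is why the candidates are hashed for checking against AV telemetry).

```powershell
# Added example, not code from the encyclopedia entry: hunt for the
# Fifesock.F persistence artifacts on the current host.
# Assumptions: task name "fbagent", %windir%\Tasks\fbagent.job and the
# %APPDATA%\<3-5 lower-case letters>.exe pattern are as described; a hit
# is a lead to triage, not a verdict.

$findings = @()

# 1. The "fbagent" scheduled task. schtasks.exe exists on every supported
#    Windows version, including those without the ScheduledTasks module.
#    It exits non-zero when the task does not exist.
$task = schtasks.exe /Query /TN "fbagent" /V /FO LIST 2>$null
if ($LASTEXITCODE -eq 0) {
    $findings += "Scheduled task 'fbagent' exists:`n" + ($task -join "`n")
}

# 2. The legacy .job file that the Task Scheduler writes under %windir%\Tasks.
$job = Join-Path $env:windir 'Tasks\fbagent.job'
if (Test-Path -LiteralPath $job) {
    $written = (Get-Item -LiteralPath $job).LastWriteTime
    $findings += "Task file present: $job (last written $written)"
}

# 3. Copies dropped directly in %APPDATA% as <3-5 random lower-case letters>.exe.
#    The name is random, so match the shape (case-sensitively) and hash the
#    candidates so they can be looked up in AV/threat-intel telemetry.
Get-ChildItem -Path $env:APPDATA -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -cmatch '^[a-z]{3,5}$' } |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $findings += "Candidate dropped copy: $($_.FullName) size=$($_.Length) SHA256=$hash"
    }

# 4. Anything currently running from %APPDATA% itself (not a subfolder),
#    which is where the dropped copy executes from after logon.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ((Split-Path -Parent $_.Path) -eq $env:APPDATA) } |
    ForEach-Object {
        $findings += "Process running from %APPDATA%: PID $($_.Id) $($_.Path)"
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Fifesock.F persistence indicators found on this host.'
} else {
    Write-Output "Fifesock.F persistence indicators ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it under the affected user's account, since %APPDATA% and the logon task are per-user; if a hit is confirmed, delete the task (schtasks.exe /Delete /TN fbagent /F) and quarantine the file before the next logon re-launches it.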
For more details, please see the Win32/Fifesock family description elsewhere in the encyclopedia.
Payload
Sends spam to social networking contacts
Another Win32/Fifesock component, such as PWS:Win32/Fifesock.gen!A, monitors the user's Internet activity in Internet Explorer or Firefox. If the user visits facebook.com, the malware makes a copy of the authentication token used to log in to Facebook. Some variants also attempt to copy the user's credentials for Twitter and Blogspot.
Once the credentials have been successfully retrieved and passed to it, Spammer:Win32/Fifesock.F may contact a server such as the following for further instructions:
- fotoshare-dknc.com
- fotoshare-2dknc.com
- ddk100.com
- ddk2200.com
The server may respond with a message, which the malware then sends to the user's contacts on these social networking sites. The server may also specify a URL to be appended to the message, from which the recipient may download an arbitrary executable. If that executable is Win32/Fifesock's installer, this serves as a means of spreading Win32/Fifesock to the user's contacts.
This component may also attempt to generate new Blogspot accounts and send details of these accounts to the server.
Additional information
The malware may store a randomly generated 24-character alphanumeric system identifier under HKCU\Software\systems\SystemID.
For example,
In subkey: HKCU\Software\systems
Sets value: SystemID
With data: mZU2YgqCAk8h7RJ1wFDd2fYZ
It may also store status information under the following registry keys:
- HKCU\Software\facebook
- HKLM\Software\facebook
- HKCU\Software\blogspot
- HKLM\Software\blogspot
- HKCU\Software\twitter
- HKLM\Software\twitter
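The following PowerShell script is an added example, not part of the encyclopedia entry, that checks a host for the registry artifacts listed in this section and for the command-and-control domains named under "Payload". It assumes the key paths, value name and domain names are exactly as listed above, that the SystemID is 24 alphanumeric characters as stated, and that the host has either Get-DnsClientCache (Windows 8 / Server 2012 and later) or ipconfig.exe. The status keys carry generic names, so a hit is a lead for review rather than a verdict.

```powershell
# Added example, not code from the encyclopedia entry: check the registry
# locations and C2 domains described for Win32/Fifesock.
# Assumptions: paths, value name and domains exactly as listed above;
# SystemID is 24 alphanumeric characters. Any hit is a triage lead.

$findings = @()

# 1. The random 24-character SystemID under HKCU\Software\systems.
$sysKey = 'HKCU:\Software\systems'
if (Test-Path -LiteralPath $sysKey) {
    $id = (Get-ItemProperty -LiteralPath $sysKey -ErrorAction SilentlyContinue).SystemID
    if ($id -and $id -cmatch '^[A-Za-z0-9]{24}$') {
        $findings += "SystemID with the described format found: $sysKey\SystemID = $id"
    } elseif ($id) {
        $findings += "SystemID present but not 24 alphanumeric characters: $id (review)"
    } else {
        $findings += "Key $sysKey exists without a SystemID value (review)"
    }
}

# 2. Status keys named after the targeted services, in both hives.
#    HKLM reads need no elevation; writing there would have, which is why
#    both hives are listed in the entry.
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($svc in 'facebook', 'blogspot', 'twitter') {
        $key = "${hive}:\Software\$svc"
        if (Test-Path -LiteralPath $key) {
            # Drop the PS* provider metadata so only the stored values are shown.
            $vals = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue |
                Select-Object -Property * -ExcludeProperty PS*
            $dump = ($vals | Format-List | Out-String).Trim()
            $findings += "Status key present: $key`n$dump"
        }
    }
}

# 3. C2 domains from the entry, looked up in the local DNS resolver cache.
#    A cached entry means something on this host resolved the name recently.
$c2 = 'fotoshare-dknc.com', 'fotoshare-2dknc.com', 'ddk100.com', 'ddk2200.com'
$cacheText = if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    (Get-DnsClientCache | Select-Object -ExpandProperty Entry) -join "`n"
} else {
    (ipconfig.exe /displaydns) -join "`n"
}
foreach ($d in $c2) {
    if ($cacheText -match [regex]::Escape($d)) {
        $findings += "DNS cache contains C2 domain: $d"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Fifesock registry or C2 indicators found on this host.'
} else {
    Write-Output "Fifesock indicators ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The SystemID check is deliberately split three ways: a value in the described format is the strongest of these indicators, while a bare key or a differently shaped value still deserves a look, since later variants may change the identifier without moving the key. If any of the C2 domains appears in the cache, pull proxy or DNS server logs for the same names to find the contacting process and any other hosts resolving them.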
Analysis by David Wood