I was in the local library at the weekend and noticed something a little odd in the computer terminal section. A flash drive was sticking out of one of the PCs – more often than not, this is evidence of shenanigans and of computers that really should be locked down a little better. Sure enough, this was lurking on the drive:
As you’ve probably already guessed, anyone using this program should consider changing their Facebook password as soon as possible. This is what you see when you fire the program up:
As the program loads, a website also pops up in the background to give it an attempted air of legitimacy:
“this is a program that allows you to visit Facebook from school or work”.
Yes. Of course it is. The program now asks the end-user for their name, email address and password, then pops up a reassuring “loading soon” message:
This is where the smoke and mirrors kick in, with a fake (yet reasonably convincing) list of “things I’m really loading up for you, honest”:
As you can see, the “loading” process goes horribly wrong at the “Search bar” stage – from here, the end-user is only ever going to see one screen and it isn’t the one telling them they’re now logged into Facebook.
The failed login is blamed on a firewall, and the stolen login credentials are written to the flash drive in the same location as the executable.
All the attacker needs to do at this point is reclaim their flash drive, take it home and do various horrible things to the stolen accounts. Always be careful when logging into services at libraries, internet cafés, school and work, and never hand your login details to a program that promises to get you around a filter – your alarm bells should be ringing loud and clear whenever you see a flash drive poking out of a public computer.
We detect this as “Trojan.Infostealer”. Thanks to Adam Thomas from Sunbelt’s Malware Research Team for additional testing.