We recently published a press release on PokerAgent that briefly described the capabilities of this malware. Here we present our detailed research: the goals its operators pursued and the opportunities it opens up for attackers.
PokerAgent targets the Facebook social network and its users. We have been tracking the botnet since 2012 and found that the malicious code was designed for:
● stealing the login credentials (usernames and passwords) of Facebook accounts;
● stealing credit card information associated with a Facebook account;
● stealing the user's statistics (points scored) in the game Zynga Poker.
Our research laboratory discovered this malicious code about a year ago. While analysing it, it became obvious that we were dealing with something interesting, because the code showed the following features:
● references to Facebook and Zynga Poker;
● the name of the executable file is "PokerAgent";
● botnet features: the Trojan requested instructions from a command-and-control (C&C) server.
ESET detects the various variants of this trojan as MSIL/Agent.NKY. After the initial discovery of one modification, we soon found others, both older and newer, and also obtained distribution statistics, according to which Israel was the most affected country.
We conducted an in-depth analysis of the Trojan's source code (a simple task, since it was written in C#, which decompiles easily).
Main functionality
It is safe to say that the authors of this malicious code (or the hackers involved in its distribution) had an extensive database of stolen credentials, that is, logins and passwords for Facebook accounts. At the beginning of the investigation we could not understand how the attackers had obtained this information, but in due course it became clear.
The scheme is as follows: when a bot (an infected computer) connects to a C&C server, it requests tasks to perform. One such task compromises one Facebook user: the malicious code logs in as that user and collects their Zynga Poker statistics and the information about credit cards stored in the account. Note that in this scheme the computer infected with PokerAgent does not itself need to have a Facebook account. The choice of account to compromise is made on the C&C side; the infected computer acts more like a proxy.
Zynga Poker statistics are obtained by parsing the response to a special request sent to
hxxp://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
The returned response (Fig. 1) contains various personal information: user name, gender, profile photo, game rating and points, as well as the number of friends.

Fig. 1. User data returned in response to the special link that the malicious code uses.
The information of interest to PokerAgent (user gender, game rating and points) is then sent to the attackers' C&C server.
Note that to send this request the criminal needs the victim's Facebook ID and a special "signed_request" parameter for the Zynga Poker application (it lets the application verify that the request came from Facebook). We found that different versions of the bot use different sets of parameters.
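The proxy-like behaviour described above has a defensive consequence worth spelling out: because the C&C hands an infected machine one Facebook account per task, a single workstation ends up requesting profile_popup.php for many different zid values, something no legitimate player does. The following script is an added detection example written for this article, not ESET's tooling and not code from the malware. The proxy log format, the field layout and the threshold are assumptions for illustration, and the log lines are constructed.

```python
"""Detection heuristic over web-proxy logs (added example, not ESET's code).

PokerAgent turns an infected host into a proxy: the C&C hands it one
Facebook account per task, and the bot fetches that account's Zynga Poker
profile with a GET to profile_popup.php?zid=1:<FACEBOOK_ID>&... .  A single
workstation therefore queries many different zid values in a short time.
The log format, field names and threshold below are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log: "<timestamp> <client-ip> <method> <url>".
SAMPLE_LOG = """\
2012-02-01T10:00:01Z 10.0.0.5 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100001&signed_request=abc&platform=1
2012-02-01T10:00:09Z 10.0.0.5 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100002&signed_request=def&platform=1
2012-02-01T10:00:15Z 10.0.0.5 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100003&signed_request=ghi&platform=1
2012-02-01T10:00:20Z 10.0.0.5 GET https://secure.facebook.com/settings?tab=payments&section=methods
2012-02-01T10:00:31Z 10.0.0.5 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:100004&signed_request=jkl&platform=1
2012-02-01T10:01:02Z 10.0.0.7 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:200001&signed_request=mno&platform=1
2012-02-01T10:01:40Z 10.0.0.7 GET http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:200001&signed_request=mno&platform=1
2012-02-01T10:02:00Z 10.0.0.9 GET http://www.example.com/index.html
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")
PROFILE_HOST = "facebook2.poker.zynga.com"
PROFILE_PATH = "/poker/inc/ajax/profile_popup.php"
PAYMENTS_HOST = "secure.facebook.com"


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def profile_zid(url):
    """Return the zid value if url is a Zynga Poker profile_popup request, else None."""
    parts = urlsplit(url)
    if parts.netloc != PROFILE_HOST or parts.path != PROFILE_PATH:
        return None
    zids = parse_qs(parts.query).get("zid")
    return zids[0] if zids else None


def is_payments_page(url):
    """True for the Facebook payment-methods settings page the bot scrapes."""
    parts = urlsplit(url)
    if parts.netloc != PAYMENTS_HOST or parts.path != "/settings":
        return False
    q = parse_qs(parts.query)
    return q.get("tab") == ["payments"] and q.get("section") == ["methods"]


def find_suspicious_clients(log_text, max_distinct_zids=3):
    """Return {client: {"zids": [...], "payments_hits": n}} for every client
    that looked up more than max_distinct_zids distinct Zynga profiles.
    The threshold is an assumption; tune it against your own baseline."""
    zids = defaultdict(set)
    payments = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        z = profile_zid(rec["url"])
        if z is not None:
            zids[rec["client"]].add(z)
        if is_payments_page(rec["url"]):
            payments[rec["client"]] += 1
    return {
        client: {"zids": sorted(seen), "payments_hits": payments[client]}
        for client, seen in zids.items()
        if len(seen) > max_distinct_zids
    }


if __name__ == "__main__":
    for client, info in find_suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(info['zids'])} distinct Facebook IDs, "
              f"{info['payments_hits']} payment-settings hit(s)")
```

Only 10.0.0.5 is reported: it queried four different Facebook IDs and also visited the payment-methods page, while 10.0.0.7 queried a single profile twice, which is what a real player looking at one opponent would do. The payment-page count is reported as corroborating context rather than used as a trigger, since a user checking their own settings produces the same request.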
To determine the number of payment methods associated with the account (Fig. 2), the bot logs into the account (using the username and password the attacker already has). It then navigates to hxxps://secure.facebook.com/settings?tab=payments&section=methods and simply parses Facebook's response. The malicious code is interested in the number X in the sentence "You have X payment methods saved.".

Fig. 2. The page of interest to the malicious code, containing the number of saved online payment methods.
The obtained information is also sent to the attacker's server and stored in the database.
PokerAgent can publish phishing links on the wall of the user whose account it logged into. This technique is the main way the attackers collect credentials (logins and passwords) for user accounts: the phishing page's purpose is to redirect the user to a page with a fake login and password form. If the user enters their data into this form, the credentials are in the hands of the attackers.
Link publishing is also driven by commands from the C&C server. The bot receives a special command containing the login and password of the account on whose wall the phishing link is to be posted, as well as the link itself as an encrypted URL. After receiving this information, the malicious code logs into the Facebook account and publishes the decrypted link on the user's wall. An example of such a link:

Fig. 3. A phishing link that PokerAgent posts on the user's wall to harvest credentials from their friends or subscribers.
The link leads to the page shown in Figure 4. During our research into the botnet we observed a number of similar pages from which the user was redirected to a fake login form. Our telemetry shows that in the overwhelming majority of cases the attack targeted Israeli users.

Fig. 4. The page from which the user is redirected to the fake Facebook login form when clicking on one of the active elements.
Whatever the topic of this page (Fig. 4), it has one goal: to redirect the user to a fake form and capture their credentials.

Fig. 5. The fake Facebook login form through which the user sends their login and password to the attackers.
Analysis of the bot code reveals an interesting feature (Fig. 6). We found a function called ShouldPublish that decides whether to post a phishing link on a user's wall. One reason to publish is that no credit cards are linked to the account; another is that the user has few game points or a low game rating.

Fig. 6. The function that "decides" whether to publish a phishing link on a user's wall.
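The two pieces of bot logic described above, scraping the saved-payment-method count from the settings page and the ShouldPublish decision, fit together as a short pipeline. The code below is an added Python reconstruction written for this article; it is not PokerAgent's decompiled C# and not ESET's code. The HTML fragments are constructed rather than copied from Facebook, the point and rating thresholds the real bot used are not known and are therefore parameters, and the behaviour when the count cannot be parsed (return "do not publish") is an assumption.

```python
"""Reconstruction of the scrape-then-decide logic the article describes.
Added example, not PokerAgent's own code: markup, thresholds and the
handling of unparseable pages are assumptions."""
import re

# The bot looks for "You have X payment methods saved." in the page body.
# The sentence is rendered inside markup, so tags are stripped before matching.
TAG_RE = re.compile(r"<[^>]+>")
PAYMENT_RE = re.compile(r"You have (\d+) payment methods? saved\.")

# Constructed sample of the payment-settings page (not real Facebook markup).
SAMPLE_PAGE = """<html><body>
<div id="payments"><h3>Payment Methods</h3>
<p>You have <strong>2</strong> payment methods saved.</p></div>
</body></html>"""


def payment_method_count(html):
    """Return the number of saved payment methods, or None if the sentence
    is absent (login failed, layout changed, wrong page)."""
    text = re.sub(r"\s+", " ", TAG_RE.sub(" ", html))
    m = PAYMENT_RE.search(text)
    return int(m.group(1)) if m else None


def should_publish(payment_methods, points, rating,
                   min_points=1000, min_rating=10):
    """Mirror of the decision the article attributes to ShouldPublish:
    post a phishing link when the account has no stored payment method,
    or the player has too few points, or too low a rating.  The threshold
    values are placeholders; the real ones are not known."""
    if payment_methods is None:
        # Assumption: no data, so do nothing rather than burn the account.
        return False
    return (payment_methods == 0
            or points < min_points
            or rating < min_rating)


def triage_account(settings_html, points, rating):
    """Run both steps for one compromised account and return a summary."""
    count = payment_method_count(settings_html)
    return {
        "payment_methods": count,
        "publish_phishing_link": should_publish(count, points, rating),
    }


if __name__ == "__main__":
    # A player with 2 cards and 5000 points is valuable as-is; left alone.
    print(triage_account(SAMPLE_PAGE, points=5000, rating=50))
    # Same page, but a weak player: used as bait for further phishing.
    print(triage_account(SAMPLE_PAGE, points=10, rating=50))
```

The practical lesson for a defender reading the decision function is that the presence of a phishing post on a wall is itself a signal: accounts the attackers chose not to post from are the ones they considered worth keeping quiet about.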
Attack
It should be noted that PokerAgent itself does not use Facebook to spread; this is how it differs from other Facebook-related Trojans. The attackers' focus in this threat was specifically on stealing information, since the malicious code contains no self-propagation functions.
The focus on Facebook is explained by the attackers' desire to gain access to the accounts and payment methods of users of the most popular social network. However, the bot only executes the commands it receives from the C&C server, and those commands need not be limited to Facebook. Ultimately, a bot-infected computer may not even have a social network account; it is simply used as a proxy for these fraudulent activities.

As a result of our investigation we established that the botnet's main purpose is to constantly expand the database of stolen Facebook logins and passwords and saved credit cards, and to collect player statistics from Zynga Poker. We can only guess what the attackers wanted this information for: it could be sold to other cybercriminals, or used by the attackers themselves.
Bot code
The analysed samples were written in C#, so the code can be decompiled to source with minimal loss of meaning and logic. Figure 7 shows the structure of the decompiled source. Without going into the other classes, the main malicious functionality is in the Popup and Publish classes. Popup takes a Facebook ID and returns the Zynga Poker statistics for that account; Publish is responsible for posting a phishing link on a user's wall.

Fig. 7. The structure of the PokerAgent source code.
Interaction with the C&C server
Communication with the C&C server uses the SOAP protocol. The malicious code contains two hard-coded arrays of URLs of the primary C&C servers, encrypted with DES (the URLs differ between modifications of the Trojan):
● the first array holds the addresses of C&C servers from which the bot fetches updates, a configuration file, etc.;
● the second is used for tasks involving the stolen Facebook usernames and passwords.
The primary C&C URLs embedded in the malware file are, in essence, bootstrap addresses from which the bot requests the real C&C links. This is a two-level scheme for reaching the C&C, which adds flexibility when the real C&C links change from time to time. The table below shows the commands supported by the C&C server:

An example of a GetNextTask server message:

Fig. 8. GetNextTask server message.
Facebook interaction
The PokerAgent code is written to be as robust as possible when performing its Facebook-related functions. In particular, it monitors the status of the currently running task and reports the operation's status to the server. The malicious code uses browser instances to navigate through the Facebook pages, simulating the actions of the user: it parses the HTML, fills in text fields and clicks as needed.
PokerAgent can also handle special login scenarios on Facebook, for example an account configured to allow logins only from a specific device (otherwise the user is warned about the login attempt). The code fragment below performs these actions:

Fig. 9. PokerAgent code interacting with Facebook.
To publish phishing links on the user's wall, the malicious code uses one of the two methods described below; the configuration file determines which one.
The first method uses the following URL:
hxxp://www.facebook.com/sharer/sharer.php?u=

Fig. 10. One way to publish phishing links used by PokerAgent.
The second method uses the status update form that the user shares (the HTML element with id="pagelet_composer").

Fig. 11. A way to publish a phishing link using status updates.
Spread of the threat
The distribution of PokerAgent itself has decreased significantly since March 2012. We know that this Trojan is downloaded onto the user's computer by another malicious program, a dedicated downloader, several versions of which we discovered.
This downloader was also observed on the web and spread using phishing. Given the nature and methods used by the Trojan, we assume that the PokerAgent downloader was distributed via Facebook using social engineering techniques.
We have detected PokerAgent as MSIL/Agent.NKY since December 2011. Thanks to our generic detections we were able to detect both earlier and later versions of this malicious code. In total, 36 different versions of PokerAgent were found, with timestamps from September 2011 to March 2012, so we could track the active development of the PokerAgent project.
Our botnet tracking system revealed that at least 800 computers were infected with PokerAgent and that the attackers gained access to at least 16,194 Facebook accounts.
According to ESET Live Grid statistics, the author of the malicious code stopped actively distributing PokerAgent in mid-February 2012.

Fig. 12. Dynamics of the spread of PokerAgent.
According to our telemetry, 99% of all MSIL/Agent.NKY detections were in Israel, and it was in this country that most of the attacks were recorded. After collecting the necessary information on this case, we contacted the Israeli law enforcement agencies. The details of that investigation cannot be disclosed for confidentiality reasons. We also notified Facebook, which took the necessary measures to mitigate the effects of the attack.
Conclusion and recommendations
The "PokerAgent" incident is a successful attack on users of the largest social network and players of the largest poker game. However, there are security practices that help protect against such attacks.
• Be vigilant: this is the main defence against social engineering. Do not click on dubious links, and check your browser's address bar whenever a page shows an authentication form.
• Facebook offers a variety of mechanisms to improve user security, in particular two-factor authentication. Consider using it.
• Think carefully before allowing the browser or other applications to remember entered passwords.
• Finally, we recommend ESET Social Media Scanner, a Facebook application that helps protect your social network account.