Social Toolbar Ploy Delivers Trojan

By Matthew Hines  |  Posted 2009-02-18 Print this article Print

Researchers at security giant McAfee have uncovered a new threat that hides alongside a legitimate social networking toolbar application and delivers a backdoor Trojan attack as part of its payload.

According to a blog post filed on the company's AVERT team site by researcher Dennis Elser on Tuesday, the newly discovered attack targets users of a German Web 2.0 site, and bundles the legitimate toolbar for "StudiVZ" with a variant of the previously known Backdoor-CEP Trojan attacks.

"Among other malicious activities, the backdoor is capable of recording a user's screen, taking screenshots, and logging keyboard strokes, Elser writes. "At first glance, the deliberately modified installer looks perfectly harmless, especially because it refuses to do anything malicious if it detects certain security products or if it thinks it's being observed through a sandbox or a debugger."

However, once downloaded, the installer attempts to inject parts of its malicious code into running processes or may start a legitimate process in suspended state, the expert reports.

The attack then "unmaps its content and remaps different, malicious content to the process before resuming it again."

Elser noted that the involved malware is difficult to detect because it is decrypted and injected into an affected system's memory and never written to its disk.

Once the toolbar installer has completed its download, it automatically opens Internet Explorer to go to the StudiVZ networking site's login page. By the time the users attempts to log-in, the backdoor will have infected "a number of running processes in memory and installed a callback to capture and save any keystrokes," the expert said.

While the author of this variant of Backdoor-CEP seems to be mainly focused on stealing credentials for StudiVZ, the campaign illustrates the types of attacks that users of other social networking sites will likely be exposed to at some point.

As URLs including Facebook and MySpace have millions more users than the German site, it's not hard to imagine that attackers may aim similar threats at those audiences.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel