The ‘PokerAgent’ botnet, which we have tracked in 2012, was designed to harvest Facebook log-on credentials, also collecting information on credit card details linked to the Facebook account and Zynga Poker player stats, presumably with the intention to mug the victims. The threat was mostly active in Israel. 800 computers were infected, over 16194 Facebook credentials stolen.
ESET Security Research Lab has discovered an attention-grabbing Trojan horse about a year ago. The signs which indicated that it would be something interesting were references to Facebook, its Zynga Poker App (seen from the text strings in the binary), the executable name “PokerAgent” and botnet features – the Trojan would request tasks from a C&C server.
ESET has been detecting the different variants of the Trojan generically as MSIL/Agent.NKY. After the initial discovery, we were able to find other versions of the Trojan, both older and newer, and acquire detection statisticswhich have revealed that the Trojan was most active in the country of Israel.
We have performed a deep analysis of the Trojan’s source code (which was quite trivial as it was programmed in C#, which is easily to decompile) and started monitoring the botnet. The findings are presented below.
Additional technical details are available in the whitepaper.
The malware author/attacker has an extensive database of stolen Facebook credentials – login names and passwords. At first, we didn’t know how he had acquired the credentials, but later on in the investigation this became clear. When the bot connects to the C&C server, it requests tasks to carry out. One such “task” equals one Facebook user. The Trojan is programmed to log into this Facebook account, and collect the following information:
The Zynga Poker user statistics are acquired by parsing the response from the URL: http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE% &platform=1
This returned response looks something like the one below, and contains various information about the user, such as his or her name, gender, profile picture, Zynga poker rank and points, number of ‘buddies’ and statistics on hands played in the game.
The Trojan is only interested in the gender of the user, points and rank. This information is sent back to the C&C server.
Note that in order to pose the query, the perpetrator only needs the victim’s numerical Facebook ID and a validsigned request parameter for the Zynga Poker application. Throughout the different versions of the bot, we have observed different parameters being used.
More information on the popular game Zynga Poker can be found here.
In order to ascertain the number of payment methods linked into the Facebook account, the bot first has to log into the account (using a Facebook username and password already in the perpetrator’s possession). The Trojan then browses to https://secure.facebook.com/settings?tab=payments§ion=methods and simply parses the number between html tags in the following string “You have <strong>X</strong> payment methods saved.” from the HTML page.
We advise careful consideration before storing credit card details into any app, not only Facebook!
Again, this information is sent back to the C&C server to update the attacker’s victim database.
The infected bot can be instructed to perform one other important task on behalf of a Facebook victim:
The purpose of this functionality is to direct other Facebook users (i.e. the friends of the users whose logon details have already been stolen) to a fake Facebook log-in site, in order to phish their credentials as well.
The task sent to the bot, apart from a Facebook user name and password, also contains a URL (sent in an encrypted form) and possibly some accompanying text for the post (we haven’t observed this feature being usedby the botnet, however). The Trojan, having logged in to the Facebook account, publishes the decrypted link on the Facebook user’s wall.
Here is an example:
The link would lead to a webpage like the one on the screenshot below. During our botnet monitoring, we have observed different landing pages being used. Both from our telemetry and from the text on these websites we see that the attacks were mainly targeting Israeli Internet users. The pages featured tabloid topics, which a user could be curious to click on.
Regardless of the topic of the “redirect page”, they all had one thing in common – every picture or link was an HTML link to a fake Facebook login website as seen below. Again, different URLs were used over time.
Unsurprisingly, when a victim fills in the log-in form on this counterfeit Facebook page, his credentials are sent to the attacker.
Analysis of the source code also reveals an interesting feature of the Trojan’s programming logic. The code contains a function called ShouldPublish, which determines whether the phishing links should be posted to the user’s wall. That depends on whether the victim has any credit cards linked to his account and his Zynga Poker ranking. Apparently, if one of these conditions is met, the attacker considers it a success. If not – no payment details and low Poker ranking – the Trojan seeks other victims.
It should be noted that, unlike other Trojans we often see spreading through Facebook, this Trojan does not log into or in any way interfere with the Facebook account of the user that is infected. (In fact, they may or may not even have a Facebook account.) The botnet serves rather as a proxy, so that the illegal activities (the tasks given to bots) are not carried out from the perpetrator’s computer.
Having said that, the aforementioned facts lead us to the conclusion that the purpose of the botnet is to:
We can only speculate how the attacker further abuses these harvested data. The code suggests that the attacker seeks out Facebook users who have something of value, worth stealing – determined by the Poker stats and credit card details saved in their Facebook account. Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals.
Above, we have shown the fake Facebook login page that the attacker uses to lure their victims into giving them their Facebook credentials.
As far as the distribution of the “PokerAgent” Trojan itself is concerned, we haven’t been lucky enough to catch ‘in the act’ of spreading. At the time when we were monitoring the botnet in March 2012, it was no longer spreading actively. What we do know, however, is that the Trojan is downloaded onto the system by another downloader component (of which we have also seen several versions). This downloader component was seen on the web (on various dynamically changing URLs) and the victims have been fooled into downloading it.
Given the nature and techniques used by the Trojan, it’s a fair assumption that the Trojan downloader was also distributed through Facebook, making use of similar social engineering tricks.
We have been detecting the Trojan MSIL/Agent.NKY since December 3, 2011. Sometime later, we noticed that this was something that deserves more of our attention and conducted an in-depth analysis of the code, started tracking the threat and, after having analyzed its C&C protocol, began monitoring the botnet.
Thanks to our generic detection, we were able to capture both earlier and later versions of the Trojan. We have found 36 different versions of ‘PokerAgent’ with compilation timestamps from September 2011 to March 2012. MD5 hashes are provided at the end of this paper. Thus, we were able to see the malware writer actively developing his project.
Our tracking of the botnet revealed that at least 800 computers have been infected with the Trojan and that theattacker had at least 16194 unique entries in his database of stolen Facebook credentials by March 20, 2012. Note that this number does necessarily correlate exactly to the number of valid users whose credentials have been stolen, as there could have been more, which we didn’t see. However, of those that we did see, not all entries were valid as not all users were tricked by the phishing scheme and have entered details that were obviously fake.
As can be seen from our ESET LiveGrid ® detection timeline below, the malware author seemed to have ceased actively spreading the Trojan mid-February 2012.
The attacks are regionally concentrated in only one country. Our telemetry indicates that precisely 99% of all MSIL/Agent.NKY detections by ESET security products come from Israel.
Immediately after we had gathered solid information on these criminal activities, we cooperated with both the Israeli CERT and Israeli law enforcement. The details of the investigation cannot be disclosed for reasons of confidentiality.
Facebook has also been notified and has taken preventive measures to thwart future attacks on the hijacked accounts.
The ‘PokerAgent’ case represents a successful attack against the users of the largest social network in the world and players of the largest Poker site in the world. There are, however, several security practices – aside from the obvious recommendation to use an updated anti-virus – which would have prevented the perpetrators from being so lucky.
Author Robert Lipovsky, We Live Security