Botnet malware targets MyYearbook

by

Share this news now.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

The team here at Webroot has picked up on a Trojan that appears to target a relatively new social networking site: MyYearbook.com.20090427-myblot-myyb_logo

The site caters to the high-school-age crowd with activities that include various kinds of person-to-person challenges, streaming TV, and a kind of virtual matchmaker service for the tween-and-above set. We’re calling the malware that targets the site Trojan-Myblot.

We received our copy via a malicious BitTorrent download, which purportedly distributed a Windows utility. Instead, we received a file that downloaded several payloads, eventually landing our infected system firmly in the clutches of Myblot.

So what does it do? The trojan, unusual in that it requires the .Net Framework to run and was written in Microsoft’s Visual C#, runs silently in the background. While it’s running, it sends back information about the locally installed bot’s identity, whether the user of the infected system uses Gmail, and whether the infected system has received an updated bot client. It does these update checks about every 15 to 45 seconds.

Myblot reconnaisance data

Myblot reconnaisance data

Myblot phones home several times a minute

Myblot phones home several times a minute

One of MyYearbook’s activities is just called “Battles” — it’s basically a way for people to post photos of themselves, or others, and earn some sort of online cred for being voted “Scariest rollercoaster face” or “Most emo.” As if. The malware spawns popup ads that look like a Battles “IQ challenge” invitation from a teenage girl who needs to put some more clothes on. When clicked, the browser redirects the user through an ad Web site called Yeprevenue.com.

The fake MyYearbook Battles window

The fake MyYearbook Battles window

There is some good news for victims. First, the infection is easily removed, whether you sweep with Webroot Spy Sweeper or delete the file manually. The malware is also pretty badly coded, so unless all the required pieces are in exactly the right location, the Trojan fails to execute, or just throws a .Net error message and quits. Clearing your Temp folder is another way to get rid of it.

Unfortunately, there’s also bad news for users of infected machines: The server that hosts the fake Battles ad also has a tendency to redirect the browser elsewhere. In particular, the browser on my test system was pushed through two separate Web sites that used browser exploits and obfuscated Javascript code to eventually infect the system with another obnoxious piece of malware, Trojan-Relayer-Jolleee.

Jolleee quietly sends spam from infected machines to unsuspecting users, getting lists of victims and the message text from servers it contacts. So while it looks like we can easily stamp out Myblot, it doesn’t want to go out quietly, without putting up a fight.


Share this news now.