Security researchers from BitDefender have warned about a new Trojan spreading through Facebook that uses an unusual attack vector: replacing your legitimate antivirus program with a look-alike clone. The authors of this Trojan have put a lot of work into this ingenious piece of code, which spreads itself via advanced social engineering in a similar manner to the old Koobface worm.
In essence, what this Trojan does begins with Facebook. It hijacks your Facebook session and then sends messages to all of your friends via the chat function. The message claims that the recipient is the star of a new video that has been posted on YouTube. Personally I would say that is sufficiently suspicious to warrant not checking it out, but you know what they say: Curiosity Killed The Computer.
Should you be inquisitive enough to check the video clip out, you will be taken to a YouTube-esque page that does indeed have a video on it. The ‘clever’ part is that your name will be in the title of the video and there will be comments about it posted by your Facebook friends. These, of course, have all been engineered from your own Facebook profile in order to make the ruse look far more credible.
At this point many people may well be tempted to watch the video, but there is a snag: the classic ‘you need to download an updated version of Flash Player’ in order to watch the movie. Of course, a new Flash Player is not what you really get. Instead you will be treated to Trojan.FakeAV.LVT. Once this Trojan has found its way onto your system it will block notifications from your firewall, disable Windows Update and stop any antivirus program you have installed.
You will then be faced with a pop-up asking you to reboot your computer, which will in fact lead to your legitimate antivirus program being uninstalled. When your computer restarts the Trojan will utilise bcdedit.exe in order to force your machine into Safe Mode. A fake antivirus program will have been installed by this time. What is different about this fake AV is that it has been configured to look like the real one that was just uninstalled, leading you to think you are still protected. That, of course, couldn’t be any further from the truth, as the Trojan will now have left you wide open to all the new malware it will install onto your computer.
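The one concrete, detectable step in the chain above is the use of bcdedit.exe to force a Safe Mode boot. The following is an added defender-side example, not code from BitDefender or from the article: it scans constructed Sysmon-style process-creation records and flags any bcdedit invocation (direct or via a shell) that sets a `safeboot` value. The article does not give the Trojan's exact command line, so the matched switch is simply bcdedit's documented option for Safe Mode, and the sample events are made up for illustration.

```python
import ntpath

# Documented values bcdedit accepts for the safeboot element.
SAFEBOOT_MODES = {"minimal", "network", "dsrepair"}

# Constructed Sysmon-style (Event ID 1) process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
    {"pid": 4188, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"pid": 4190, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c bcdedit -set "{current}" safeboot network'},
    {"pid": 4201, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c echo safeboot minimal"},
    {"pid": 4300, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /deletevalue {current} safeboot"},
]


def _tokens(cmdline):
    # Lower-case and strip quotes so "{current}" and {current} compare equal.
    return [t.strip('"').lower() for t in cmdline.split()]


def forces_safe_mode(image, cmdline):
    """True when bcdedit (run directly or through a shell) sets a safeboot mode."""
    tokens = _tokens(cmdline)
    # Look for bcdedit both as the process image and as a token in the command line,
    # so "cmd /c bcdedit ..." is caught as well as a direct launch.
    names = [ntpath.basename(image).lower()] + [ntpath.basename(t) for t in tokens]
    if not any(n in ("bcdedit", "bcdedit.exe") for n in names):
        return False
    # /enum and /deletevalue (the cleanup that removes safeboot) are not a Safe Mode push.
    if not any(t in ("/set", "-set") for t in tokens):
        return False
    if "safeboot" not in tokens:
        return False
    i = tokens.index("safeboot")
    return i + 1 < len(tokens) and tokens[i + 1] in SAFEBOOT_MODES


def scan(events):
    """Return the pids of process-creation events that force a Safe Mode boot."""
    return [e["pid"] for e in events if forces_safe_mode(e["image"], e["cmdline"])]


if __name__ == "__main__":
    for pid in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: bcdedit configured a Safe Mode boot")
```

In a real deployment the same check would run over process-creation telemetry and be correlated with the earlier signs the article describes (security software stopping, Windows Update disabled, an unexpected reboot prompt).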