“Lecpetex”, named by Microsoft, was a lesser known bit of malware that first started to show a pattern about seven months ago. Giving a way in to the infected computer via the social account itself, it would hijack user accounts to promote spam files that further spread the malware.
This became a big enough issue that most of us will have seen at least one person become a target. Greek police estimated around 250,000 computers had been affected by Lecpetex.
At first, this was a problem that was addressed within organizations themselves, such as by the Facebook and Microsoft teams. However, in April the problem had become so severe that the issue was escalated to the Cybercrime Subdivision in Greece.
By July, the police had arrested two suspects believed to be responsible for the malicious Java coding that spread the malware. They were also allegedly working on a scheme to launder stolen BitCoin.
How The Botnet Works
The botnet itself is very simple. When exposed to the malware, which was passed through corrupt Java script code, modules were created on their system. These modules work to establish a link between the hackers and the infected, mining and transferring data. In this case, it was mining the social media credentials to post through private messages on behalf of the user.
Once it had established a link, the malware would evolve, updating itself to avoid detection through standard virus software. So users could have the malware installed for months and not know it. Changing their password when it began to post on their account would have no affect.
Because it was coming from trusted friends, many people ran this file and infected their computer.
Facebook’s Fight Against The Botnet
Facebook began putting in counter measures that took information directly from the malware. They used that information to put security features in place that made it more difficult to send messages from the bot itself. At that point, two things happened: 1) the authors of the malware began to send messaged instead from disposable email accounts; and 2) they started leaving messages for the Facebook team in the C&C servers.
In those messages, they claimed that they were not running a fraud scheme, just doing some mining. Now that they have been taken into custody, it doesn’t seem likely that those comments will work in their favor.