Malware Expands to Instagram

Monday, August 19, 2013 @ 04:08 PM gHale

Newer versions of the ZeuS malware are doing much more than just stealing sensitive information from computers.

One variant of the malware uses compromised systems to check for availability of Instagram usernames, said researchers at RSA.


Once it lands on a computer, the malware downloads several additional components. The hashes of the threat change often to avoid detection by antivirus solutions, but the size of the file is always the same.

After the additional malicious components are downloaded and installed, ZeuS performs search engine queries, most likely in an effort to promote malicious websites in search engine results.

Then, it starts checking for the availability of Instagram usernames via the social media network’s mobile API.

“For servers and virtual machines running Windows operating systems, Instagram API calls are pushed into Instagram by spoofing User-Agent strings in an attempt to disguise the traffic as a Smartphone running an Android operating system,” said RSA senior researcher “Fielder.”

The threat checks usernames consisting of a dictionary word followed by a series of four or more random characters.
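The behaviour described above suggests a network-side check: a host inventoried as Windows that sends Android-labelled traffic to Instagram and checks usernames of the dictionary-word-plus-suffix shape. The sketch below is an added example, not RSA's detection logic; the log layout, the `checked` column, the host names, the word list and the threshold are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed asset inventory (assumption): source host -> operating system.
INVENTORY = {"srv-web01": "Windows Server 2008", "vm-build3": "Windows 7",
             "byod-141": "Android"}
# Tiny constructed word list; a real deployment would load a full dictionary.
WORDS = {"river", "stone", "happy"}

# Constructed proxy log: time, source host, destination host, User-Agent, and a
# "checked" column assumed to hold the username seen in the request.
SAMPLE_LOG = """\
2013-08-19T10:00:01,srv-web01,instagram.com,ExampleClient (Linux; Android 4.1.2),river8fk2q
2013-08-19T10:00:02,srv-web01,instagram.com,ExampleClient (Linux; Android 4.1.2),stonezz41x
2013-08-19T10:00:03,srv-web01,instagram.com,ExampleClient (Linux; Android 4.1.2),happyq9w3e
2013-08-19T10:00:04,srv-web01,example.com,ExampleClient (Linux; Android 4.1.2),
2013-08-19T10:01:10,vm-build3,instagram.com,Mozilla/5.0 (Windows NT 6.1),
2013-08-19T10:02:30,byod-141,instagram.com,ExampleClient (Linux; Android 4.1.2),alice
"""

def looks_generated(username):
    """True for a dictionary word followed by four or more further characters."""
    u = username.lower()
    return any(u.startswith(w) and len(u) - len(w) >= 4 for w in WORDS)

def suspicious_hosts(log_text, min_hits=3):
    """Return {host: [usernames]} for Windows hosts posing as Android clients."""
    hits = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed or blank lines
        _ts, src, dest, user_agent, checked = row
        to_instagram = dest == "instagram.com" or dest.endswith(".instagram.com")
        windows_host = INVENTORY.get(src, "").startswith("Windows")
        # The mismatch is the signal: inventory says Windows, traffic says Android.
        if to_instagram and windows_host and "Android" in user_agent:
            if looks_generated(checked):
                hits[src].append(checked)
    return {src: names for src, names in hits.items() if len(names) >= min_hits}

if __name__ == "__main__":
    for host, names in suspicious_hosts(SAMPLE_LOG).items():
        print(host, "checked", len(names), "generated-looking usernames:", names)
```

The inventory mismatch carries most of the weight here; the username heuristic and hit threshold only reduce noise from one-off requests.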

Experts believe the malware is checking the availability of Instagram usernames in an effort to create an army of fake Instagram users that can later be sold as followers to individuals or organizations that want to boost their popularity.

In addition to checking for usernames, the malware is also capable of automatically liking photos posted on other Instagram accounts.

“The latest Zbot variant appears to be upping its game with new features and functionality. Search engine optimization abuse and Instagram account abuse could just be the beginning,” “Fielder” said.

One Response to “Malware Expands to Instagram”

  1. […] Malware Expands to Instagram – A new variant of the ZeuS trojan is now searching for Instagram user names. The malware uses API calls to try to pull down this data, checking for usernames that are dictionary words, followed by up to 4 characters. The thought is that the malware producer is looking to create an army of Instagram followers for sale. This malware can also like other Instagram images. Via ISS Source, more here. […]
