Social networking Web sites have become a popular pastime and are a means of staying in touch with friends for many people. Yesterday, Websense reported on a Trojan keylogger aimed at users of Habbo, a popular social networking site for teenagers. This is not the first time teenagers and children have been targeted. One of the first instances was a worm called W32.Pokey that used the Pikachu character from Pokemon as a social engineering tactic.
In the Habbo case, users are duped into believing they are getting tools that will give them the opportunity to make a name for themselves in Habbo without having to fork out the costs. In fact what they are getting is a malicious Trojan horse program that logs keystrokes on the compromised computer and sends the logs to the following email address:
NuckLfYaBuck@aol.com
Symantec detects this risk as Infostealer.Keyhabt. Upon analysis of the purported Habbo tools, Symantec found the executable files to be custom written and identical. The executable, once executed, drops a DLL into the System32 folder. The DLL in question is remarkably similar to a DLL seen in another risk which Symantec detects as Spyware.SCKeyLogger. However, it is unlikely that this DLL comes from the same company.
As always, Symantec recommends caution when using third party applications. Symantec has also in the past examined the use of social networking sites in the workplace and business. For further information please refer to our Ask the Expert document.
Thanks to Takayoshi Nakayama and James O'Connor for their analysis.


More...