PokerAgent botnet was discovered in 2012 by ESET Security Research Lab, which is a Trojan horse designed to harvest Facebook log-on credentials, also collecting information on credit card details linked to the Facebook account and Zynga Poker player stats.
According to latest report, the botnet is still active mostly in Israel and 800 computers were infected, where over 16194 Facebook credentials stolen. The Trojan is active with many variants and belongs to MSIL/Agent.NKY family.
ESET reveal that, the Trojan is coded in C# language and easy to decompile. After deep analyse, team found that the bot connects to the C&C server. On command, Trojan access the Facebook account of victim and collects the Zynga Poker stats and number of payment methods (i.e. credit cards) saved in the Facebook account. Once collected, information sent back to the C&C server.
The Trojan is downloaded onto the system by another downloader component. This downloader component was seen on the web and the victims have been fooled into downloading it.
ESET tracking of the botnet revealed that at least 800 computers have been infected with the Trojan and that the attacker had at least 16194 unique entries in his database of stolen Facebook credentials by March 20, 2012. "We advise careful consideration before allowing a browser or other app to ‘remember’ passwords for sensitive services and before storing credit card details into any application (not only Facebook!)." ESET advice.
About the author