A new piece of malware being distributed by Sality uses stolen Facebook credentials to surreptitiously install rogue apps under the corresponding profiles. Sality is the world‘s top file infecting malware and dates back to 2003. The threat has evolved over the years and was fitted with P2P, self-propagation, and malware distribution functionality. According to security researchers from Symantec, at the beginning of 2011, Sality operators pushed a malicious component through its P2P network that acted as a keylogger and recorded Facebook, Blogger, and MySpace login credentials. The trojan sent the stolen credentials to a command and control (C&C) server, but also stored them locally in an encrypted file to the surprise of security researchers. That was until a new piece of malware recently distributed by Sality began making use of the login details in those encrypted files. It donwloads Internet Explorer automation scripts from a C&C server and uses the stolen credentials to login on the corresponding websites and perform predefined actions. As far as Facebook is concerned, the trojan received instructions to install a rogue application under hijacked accounts. The app, called ―VIP Slots,‖ only asked for access to basic account information. Since it does not have permission to post on the victim‘s wall, the app cannot be used for spamming purposes, but that could change in the future. Other instructions executed by this component involved opening google.com and searching for a predefined set of keywords. The purpose for this is not immediately clear.