Researchers at Symantec have uncovered a Trojan using Facebook as a
coordinator for its command and control server.
The Trojan malware, known to Symantec
as Whitewell, is being spread via e-mail through "documents (PDF, or
MS Office formats) containing exploits for known vulnerabilities," Andrea
Lelli, a security analyst with Symantec Security Response, wrote on a Symantec
blog Oct. 31. The malware works by contacting the mobile version of Facebook
and using its Notes section. By analyzing the Trojan's code, Lelli found that
the Trojan will perform four different actions, depending on the notes' titles
that are found.
If the title is Wells, the note will contain the timedate stamp for when a
machine was infected. If it is WebServer, however, the note will contain a URL
to be contacted from which the Trojan will receive commands, Lelli wrote.
Small
botnets are causing big security problems for enterprises. Click here to read
more.
"The real command and data processing is done through the remote URL
that was received from the notes, and this URL may point anywhere," Lelli
blogged. "However ... one could use a Facebook account as a C&C
[command and control] server and this Trojan is able to successfully parse the
Facebook html data, retrieve the wanted data from it, and also post new data to
it (it may for example send stolen data to it in the form of a note in the same
[way] as it sends a timedate stamp)."
To
read about how Facebook password spam concealed a malware attack, click here.
If the note has the title 'White', it contains a URL that leads to an
executable to be downloaded. If the title is anything else, the Trojan is
programmed to wait, Lelli wrote.
This is not the first time social networks have been used to help control
malware. In August, Arbor Networks researcher Jose
Nazario uncovered a botnet using Twitter to communicate with its army of
compromised machines.
According to Symantec, in this case, the documents containing the malware
are made to look legitimate to conceal their intent, mimicking for example the
names of well-known courier companies and utilizing popular headlines
from the news media.
"Besides documents they can also spread the executables themselves,
sending them with icons that resemble those that accompany legitimate
documents, and with legit-looking file names such as 'Competitive
assessment.pdf .exe,'" Lelli wrote.
"I want to stress the fact that the Trojan does not use exploits or
flaws of any kind; it simply uses the standard Facebook functionalities, which
in no way are malicious, dangerous or faulty," Lelli added. "This
particular Trojan is quite limited and seems to be a targeted attack, but it
can be considered a precursor of a botnet using a social network as a C&C
server."
Gerry Egan, director of Symantec Security Response, said the company has not
observed a significant number of infections and believes the Trojan to be part
of a limited, targeted attack.
Editor's Note: This story was updated to add additional commentary from
Symantec.
IT Security & Network Security News & Reviews News & Reviews 
