|
|
|
Symantec Uncovers Trojan Scheme Using Facebook
By: Brian Prince
2009-11-02
Article Rating: / 14
There are 2 user comments on this Network Security & Hardware story.
Researchers at Symantec find a Trojan that uses Facebook to communicate with a command and control server.Researchers at Symantec have uncovered a Trojan using Facebook as a
coordinator for its command and control server.
The Trojan malware, known to Symantec
as Whitewell, is being spread via e-mail through "documents (PDF, or
MS Office formats) containing exploits for known vulnerabilities," Andrea
Lelli, a security analyst with Symantec Security Response, wrote on a Symantec
blog Oct. 31. The malware works by contacting the mobile version of Facebook
and using its Notes section. By analyzing the Trojan's code, Lelli found that
the Trojan will perform four different actions, depending on the notes' titles
that are found.
If the title is Wells, the note will contain the timedate stamp for when a
machine was infected. If it is WebServer, however, the note will contain a URL
to be contacted from which the Trojan will receive commands, Lelli wrote.
Small
botnets are causing big security problems for enterprises. Click here to read
more.
"The real command and data processing is done through the remote URL
that was received from the notes, and this URL may point anywhere," Lelli
blogged. "However ... one could use a Facebook account as a C&C
[command and control] server and this Trojan is able to successfully parse the
Facebook html data, retrieve the wanted data from it, and also post new data to
it (it may for example send stolen data to it in the form of a note in the same
[way] as it sends a timedate stamp)."
To
read about how Facebook password spam concealed a malware attack, click here.
If the note has the title 'White', it contains a URL that leads to an
executable to be downloaded. If the title is anything else, the Trojan is
programmed to wait, Lelli wrote.
This is not the first time social networks have been used to help control
malware. In August, Arbor Networks researcher Jose
Nazario uncovered a botnet using Twitter to communicate with its army of
compromised machines.
According to Symantec, in this case, the documents containing the malware
are made to look legitimate to conceal their intent, mimicking for example the
names of well-known courier companies and utilizing popular headlines
from the news media.
"Besides documents they can also spread the executables themselves,
sending them with icons that resemble those that accompany legitimate
documents, and with legit-looking file names such as 'Competitive
assessment.pdf .exe,'" Lelli wrote.
"I want to stress the fact that the Trojan does not use exploits or
flaws of any kind; it simply uses the standard Facebook functionalities, which
in no way are malicious, dangerous or faulty," Lelli added. "This
particular Trojan is quite limited and seems to be a targeted attack, but it
can be considered a precursor of a botnet using a social network as a C&C
server."
Gerry Egan, director of Symantec Security Response, said the company has not
observed a significant number of infections and believes the Trojan to be part
of a limited, targeted attack.
Editor's Note: This story was updated to add additional commentary from
Symantec.
|
|
�������xr8(�ViW1E*dK.kJ<\"�� IlSt~}7��7-䥪zrw��&DnH$�?�{$�=!]XX�cQݥ&$~ᝯ4i-rː�ԭer�S�s0eNZFOL��}@n}Fw��D%x�_'Щ=ѩ:wɔ_Sلx^͙ۗ6}nvb�.�pѲ
Q�m
x�yK<�%C�%ߙ�s�Qs,8"A}c%ALwn=Gd�Yǽ���
(ʻ�f�zi��r�hP�;U�yAeh� -L�r&$dqM�C
*Y6d�D=DV�,w2*5";1ґc� �u�
�qarJ�*JX�tGsM: fK�u1`?wlqAOp1�I�ݢQ/!_Cbp`eF�S�F>2=h�G'�st
̿{���#M6�µL}E5�GlR<
=�y74oJa}zK��WM�E.�2ؗCY,@閩dm˺us*bUrGrT�G{]δ
γL{qo*sYݙk돿;\?o]d� #Ko�
-�ij^Tt'~t@{Z;yT} ��i^_adm+1��y R*G8�y_4S�::yXOB�$>"yd�Z�j�y5��KHS�Q$�XIcF/X�%WEb9n�M:�./.��NΎ/ۭS$IJ5<�rYU�JH�j�vF�oMzEi}]i4['>gg�:�Q��ڟ-lO/k��lxmķx?-u=`kh2�`;�9RRJJ=�OEL}x>!�I'�4ɿ���0djg,YngH&N|�|Y|؛Y72i��4(�=
8��X@.@ש!04۫iVV5V0|�[R#E/��
'�|�!8Jn.r?uK��gfy՜(�YWf�wÑ�r]ǞO[eI�~�?u[~C�T��364>@�,I�!eݴ%��aMm{Q-",T
b~�^1�q�-^vj0B��m�L�t-,?y�6 i
�vڌh�>Q\j#ͶcO�Gs�>h2胆6md�-k$�
,70}H{@zaI�$4�ح�.,=�J�PA=x3k�
&z 4H h&r\�kIMlǃ.?6�
[
K`r��ɭ 5�zY0kwMGHb1(���բw�ρ�-Y4�u�'(�@=�> ��ڭfZȴc@\j,tJ0$w2Z}'%n.K)$C{ >��hI#r�����
B1,`@n�!`� [AX;ʫ� a�+B
.��t@�GRǙ8CX/�4aGe�-n^
�d3�C$dYu QQY~p��$PEq5ҋS)���"|kV� U�p���9݅#rQϚX� %<).�ƲB"5w�c�c�ښJuIY(�2+%<�k1!�I�/
5㖺Q\�Ό)9Ag��
��Uw誟F�_fSZlzQn^u 9b@{2Km���*$F�@HV\�_X5oQֆ�W0&���,�)��iY�l`c!�sz�QIj·еcc�96q?n(W\��ȄeF<*E5TZ�
>ڹa��K���(N�8wCJ$l%I��){�=hZ�F�]: Sgz퓏6L'�lBm�g>u� M
sMѭ,��p8*TkT=C�kab}OE3�c�a�{�60g@u�_X:lnjrYYTO[kʞtސ��Ws>8ĢTQق*�\)F�w ` N� {ҧӲ|h�<|>CX�&,��\$�����] ��m�"�9c T��a/��_LQ0(T#nƻhA��{
X]�(X��Ӟ?DJS}O].C+DÜU^o-b�$r%#tC-)J|TP28+x%\Ag�^v̻(
�J�oNu��)j}a:0;_�3}h�1gs:ה��
`3�tx�큹ߙ-K)#�Z$ c`7� _��s.UB�Y�G���Yw
�S�Ŗ៦
wO��GA.C���Mt��Ajߙ�,@
�ܠـ�aҪR)4?A��ޯXNz7H"DzԴ'
�*d5�6�
�0�nG�/\����H+��yu揙�0k-�dpMɕ¾_Xv+^�t�n�)5#S
�#2>pg��rh)Mf5
Ƚ�'nϮI�7ATcǭ\1W*�b
R=cxYx;sSdmj{}6�7N;oE
靚{�h U�̐,<�B�|jb"
ٸ1uA5�cn6c��ML��{Z���r p9M�|t?$7@$J\RCV�:O\͠1p�
B.M4��yH�rS-|�dqQT5��UB9_Vx
�y5[��v�aN�06\3]5^$@�M|COyP]8۸�Tf<^��ΈۋC9537O�f@�-�Pӵ9^qW�::
�5;a,�XLh;I�CX�q74c
ְ�J3dFVTXIԊ+yI<�O����h �t��E�ˤCGTT7Fozk}GD�oS[�U�5c����#TP�Hw�ض\,2G?'}Da�q=C ITW�Dw),y~w9ހg9�|Tʕ2
Gr2��DBRNBq<:N}+�4C��Z6�wOXM�yxK�Mo$DDOC�VG�gX&1WKƼ _3Z c�Cs7}Z=M_BP`n�&s,$\�auv�>g�
+f[q.7+�u��ʶO{�mw>� ��?i�ۃv���a�aRҸa@C�~ֿ�IySjw��ZTc0K!{�:gUށ�
�`i4Ajx{DC>RjW
ۋF> ]whg �`�y�B|+ǽ�p�s%^w��N%{��.;Oz��܃�C��FW!zN:ep6i)q�&�m2YG82~q���ST8 uÀ@Hyc]6[X0z)ӱ�B3ZUe1|�
ʢG�8?ּ 9kbJofok,`6tmN-ڗ%{vOKr4�]9e'�Ucd{q2$Bd�Eͪ2�ɞZEVdΜtޗsxt42��ӂ(�oV��(f~\:pGʤEs�ㅭmfW]M�g[f�1ryÉfeo��|z}
�~2]9PI9)~=Ң(�r_�ZD Np5V{QI)*D���Uj, h�`�#[#60�NùĢ7sf�mef7cր!{� Rb���ƛ;
a!3̐"�+Q9�m&ö3�$�9g20G �8T8x�l|n�wkLRx66�y��)�h4Rgl9�lv8H�W
-��6N��
6��V8U�¿�+[QVD3|{�rx�-;=[�/1g*o)#__KU�M�nc�b
|kI%�%���?�?DӞ
�\�N��^-nʸ��E'͖�hOM>_��2�6,�eM�OJmH'�x�.,}0�?WV/x��]<ᘰa��_xw(N�Ū4�' �.�ݯ4D���k�AHI-KQsj�E�3
���~u{r3~ipiBrd"z�#� d!V�=pn��l+[XCH}��5K�N"8˕B�[�.#�IIn�}p;_눇^h_�L0�eMX�k��}ۃ;F-pMe".ãbz1PLiG0d(N�,����Cf�X(?\r�P6J�ƘNx �`Bh?AW6Ag YFuL 9wYm!2#ҚP�iu���6p׆�.S�iC0*aYf*j9ϭ֩zZ��y�n�ܴg�GqJmH�Ne��+K�埇]q*#v�/.��{�
̒@��f=)�
Bl�17fy�6r��Ɏ5<37ŒI�.㱁̣|H>C'k�芡 4ۓ(eb6L�S΅�cs�Y' BaY}H/{ja�'�ybv�o}Pj⋫ٵJ��D|W(U -F -'2~|2Pd�
rH�p3Eh�x䫏҅R�K;G� }G.ꋓOt.���H\}�[I�g~�ԗ��I�r
%@ �J�x<8H\I�o�!OAB /=J[-X6�`{ҕٵO"v����t5hR*RIIh=.ҵq�!#"d�@��ExEOSܑ��mɰRdXj:�9ty�P��;`}����%uD$̟)�*JF�t B$n��t� βs~�4
,ԟkK�)&'� �= 9��LԻ�m�P�D
&@4 `XOԛS�RbZI!Z��&͌9|L<9K�dz� &�F=�Yff>7=�%\Q ��l).,
{<`|.--M݈n7Vv�(nK��KRWjҙIi0wO�˦(@{�ZUB
DP�t��<�ox��㠾+/PY" J?~?Z�` N0+]ӥr|t$�_C-UeSu-�Q�l�%'�SXZ^Pi7 0YqRZ-K��Y�@�-�n$�-~"Y��-^^�g!^�M%%a_xԡᡏy,L-X:]K+>q
Ǣ484 �� 4\%���!AL�$�awL{q8�^�XjT
9uf`�0'-0�'x7qz .�vFTuHT)�#Ҏ7Hِ�EI�Hx� Dh@�)~q.�g!nI/Ĩ@:`1��}]�w)�}qo�G��&�^q-�#�š�m�۹17>�[1D=�A'%�_q/i�6a��Z/�#){�wB&
Fdݮ�^QN�c}j[N{7��S1OMj�F!�m5#�
Av�aP<]\|� yqw|aKx17p+H^5q��-ۃeo4(6oMJj9ŵ!h~�]j�8D�I��D �"&p(WAW\<�Cg�C�æ{{{{{COp�fyGG1O�sU9�O:y�QWٓe�[�1%
جO�a0#o*y}Heژ!���[b1��zK]F|=
7X�|$�yѰ&���x|&�lƣ�H%_�q(?�ƗvlGrpN�^L�v8gD\���>贅a:_|$�m�]߶i^bd`Ou,�nr-ń#-\∷p*xy�᥎V�i�2�^�qd!�Q^�k>�yqǀDnD)4�s�73/0�q�,wiOeHa@1�D6$6u1F((���e~*/A [a!D6oSK���Ě]$���h!Fvgُ{�Kb+.�K6u;F$Qh+kj55��V^�S!aJ|F��-?��x��H�^X0�W`�D]dbɠ�
�
$ovܙf�=H��PPXL~59]n>f/�\��9[�>V5�V]I5H%wA�>pw2z��Z|KB?{t
�h�:�M�xu
oa�\ �{300W|e.81��qw5�Ņ
Y0�JW@7��}�H['ɍ���䏖+623!�j�l�o�
�uRo]Z����9o];uG��@F.@ym"����y;rg
��@���;է6g�|tH ]XW 3�Yyq(Kғ>O�C�{��&WS8-l�� \Z��Q4coZy?W1I&}B~b�#:�-
lZ
+��):れF Є��GC]g~q79m1�45@!<���\A�cs\vo�w6"a�c�[���N�w�?���jx8kr@>�Zj��
�!�1�gKi6%_q�%ԣ�Ǭ)vqU�@��y+��DL�݂zĂ�![C1P?R&js# a/x a 3��lx�Lla`t��.t�2,�G͏�we~lD
<��23}�k3}-�AGr.w ��Hs�PcA~6mݜ�(�8�&��J9 t!��/H�zNsj~cBxtnt
OMݓY�KaP8�\
��+z*J9W��&u%O<�weX
z(9ܗ�z�//�͒5{�8~ROcr%)2yeV0`A-#�2fg44\�K-M]; �f�:j�,LqqLN{AN/[-ҿ:\/�99nuzxj Zӷ`Kdsk~>]|>m..LtA�calm26^�
=_ģ,� rz趘83b�91«XuRU8N�^/��M83'a~�t��E_CT�İҫca�ؼW?z
�eWӱ�r
ڃϏxu3�_99q�Σ�}1�Z�[LԶAk2GM&��!>:�靷2o�u�� NJG(R+R~ 嗛O�@�Rʑ�˛f+�O6�~NS�!�jsY;S?ko.o73v3�N�g)vJ?3Pysy�wRwS�歷�i��v�?�taݔw>)�'y?A3(?K)�#�ݔr=�9OsA{)ȟ�ȗ^|�H�x"K�))��
Ro/(+��a|R )�P~V�{BuJ@)�ug�\8=b���3�z)@^_�~J+%iJy�SY)�)�+z/^KHs)3e%_?KQ�}qk�R+��]a%5Lk�[N�R}W��c|u(X2M"/!#(yE#��B�h��toD.�~EY>�s$�&}:=Wv l+Jx.)ܲ�}:aO+XE 9K8GX%Üf1',�} %/ܻ�Gz̉nR!��/T��4f
SlAp��nC�7�=z�n�}Oq�L�?7�G.�pyk;ُkw�յq@5Af_b
9i'8+?�=�4;t)��fi3a
��6ýEi���78k�݇h7O{r�n~m�3{5CZ�ڋY->Yڃ_S̯yl�˪)�N(P7EjnRh�s9ʼn*螁ב >fp�Oh{A7a#1-��Hj$3_RAU�J�~+r\�'\"at�cFJj�Eq0j)W-���E�QP�%��h�[i��ohc�y�Vi8a�n[�C DK(��x�.xmD{�_tmRf@��X<�'M~
mG55~�ɱL(�1�k�EF(�d#BgD]@%8>7Y�5�ճymb
]u]ݍ:��z'/Հ`�;4=�c��Ϥ.$�r���b��|(�pމi/�12ψ�y&$5l }_��L='��̄�Qp{t=K*>7k��%$Id�`Q���c?94Ǟ�>x*(��]�v5$$�}9= �zL�ߞbsQH頲�;ع�86 a,�ł�� #,xHTP}Hf@-::6Zd�;B�A�k�_6�|d |A\��B>�r43n=G�kg_7 B3q<��Y�8[�T"&3ǜ�z1LJ1@Bo�)b%&�Tum�Tj��.�X&"=�>m��='.}F5˟J'�"@2xԴ5[�Pŗ�;5��
m'#8���>�lQ����qml�.�;�+C��G1ΪT��*>`H6A1Z<�;z>�wKu!AY�>_�v{[=/R`C[їa��҇f�
Z_�X��(K#�LAN�8utvKѺ
V�7"�!a�Nn0n-/D�&@��b��s=֏**uf�利o6��v�QmQo#+N�41Ȟg|N5u
|ڕa=v����s�bcΜ�7�U ���=[?�܋;}c\m��81V`w^?�-lq12�#,�$(zIW�{{A0��&iEȣd`C�v�_̈~ph;�ciL ��;acXJ�XF!Ƨۅ�;�'T�S*Y[PE"�1ԟc:(fG z�|k|�XK�z:BMhcy0ѕD1F(-f,1s,@\�փ
LW{څG��Q�Y6;|���,�݈bV��"Nd2q)�9=O�*��}�&bGԌaBa�r���iL$�g�8%�3^��l�,/�A,DT��/D4;NB}aEo�tiO�<'\B��W����bMd�?i\5��,w>N�v!�$khv�V�;~v��?;m� a�
ѰT\��_��kOze��F��T�(Z�NJ`�b)XF>� S_%ȕ/��2fÿ�oU�AޜFMQKj9�N"�i~ۊX�#iQf�rYOB%ե{l'�@�Of6%c(\ɜK�RSk85XV
Rm&
Cfaf;6�6BJ:6L]_�Y�
P�6W)-��
|
Network Security & Hardware 
