Trojans Get Agile with Web 2.0 Tricks
Malware that researchers have dubbed "Trojan 2.0" is using RSS feeds to communicate.

Security researchers have spotted Trojans that are using RSS feeds to communicate instead of their traditional method of "phoning home" to get marching orders from command-and-control centers that security researchers have learned to track down and blacklist. Yuval Ben-Itzhak, chief technology officer for Finjan, told eWEEK that the security firm recently detected three separate Trojans using blogs of limited popularity to receive orders from botnet herders or to feed stolen information back to identity thieves. The lure of using legitimate sites such as blogs or social networking sites is that attackers can hide behind the legitimacy of Web 2.0 brands such as Google or Yahoo, Ben-Itzhak said.
"[An attacker] can use legitimate sites, sites no one will block, as a shield, so no one will identify where his [command-and-control] servers are and where he's located, and [the attacker] can use [Web 2.0 sites] as an intermediator between Trojans and the IP address where he's collecting data," he said.
1. The user's PC is infected with a Trojan 2.0 using known infection methods, such as iFrame injection or code obfuscation.
2. The attacker uses a private Command & Control server to relay commands to the Trojan-infected PCs: for instance, collect passwords from the user's PC, collect financial reports or track online banking activities.
3. Command and Control 2.0 formats the data for the Trojan-infected PCs into a legitimate-looking post to a public blog server.
4. Independently, a Web-based RSS aggregator service (such as Google Mash-up editor or Yahoo Pipes) notices the new post on the blog it is configured to monitor, and updates itself.
5. Trojan-infected PCs are configured to grab the headlines of the public RSS feed generated by the aggregator, as customized by the attacker. Once the Trojans "see" the new post through the RSS aggregator, they parse the data in it and execute according to the commands originally sent by the attacker.
6. The collected data is then posted back to Web 2.0 sites (for example, a blog service, MySpace.com or Googlepages) as legitimate-looking content. The Web 2.0 site acts as temporary storage for the stolen user data until it is collected by the criminal and deleted.
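Because the command channel above rides on feeds that nobody blocks, the defender's signal is not the destination but the behaviour: a scripted poller fetches the same feed at a near-constant period (step 5), and the relayed "posts" carry encoded payloads rather than prose (steps 3 and 6). The following is an added example, not code from the eWEEK article or from Finjan. It assumes a constructed proxy-log format of `<ISO timestamp> <client_ip> <url>`, a constructed RSS 2.0 feed, and illustrative thresholds (`min_hits`, `max_jitter`, `min_entropy`) that a real deployment would tune against its own baseline.

```python
"""Defender-side checks for a feed-based command channel.

Added example (not from the article or Finjan). Assumes a constructed proxy-log
line format "<ISO timestamp> <client_ip> <url>" and a constructed RSS feed.
"""
import math
import re
import statistics
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: 10.0.0.5 polls an aggregator feed every ~300 s (the
# scripted pattern of a bot waiting for orders); 10.0.0.7 reads a news feed at
# irregular, human-like intervals.
SAMPLE_LOG = """\
2008-01-10T09:00:00 10.0.0.5 http://pipes.example.test/feed?_id=abc&_render=rss
2008-01-10T09:05:00 10.0.0.5 http://pipes.example.test/feed?_id=abc&_render=rss
2008-01-10T09:10:01 10.0.0.5 http://pipes.example.test/feed?_id=abc&_render=rss
2008-01-10T09:15:00 10.0.0.5 http://pipes.example.test/feed?_id=abc&_render=rss
2008-01-10T09:20:00 10.0.0.5 http://pipes.example.test/feed?_id=abc&_render=rss
2008-01-10T09:02:00 10.0.0.7 http://news.example.test/rss
2008-01-10T11:47:13 10.0.0.7 http://news.example.test/rss
2008-01-10T16:05:44 10.0.0.7 http://news.example.test/rss
2008-01-11T08:30:00 10.0.0.7 http://news.example.test/rss
"""

FEED_URL = re.compile(r"(rss|atom|feed)", re.IGNORECASE)  # crude feed-URL heuristic


def feed_requests(log_text):
    """Group feed-fetch timestamps by (client, url); non-feed URLs are ignored."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, url = line.split(" ", 2)
        if FEED_URL.search(url):
            events[(ip, url)].append(datetime.fromisoformat(ts))
    return events


def find_feed_beacons(log_text, min_hits=4, max_jitter=0.05):
    """Return (client, url, period_seconds) for feeds polled at a near-constant
    period. Scripted pollers show far less jitter than a person clicking."""
    hits = []
    for (ip, url), times in feed_requests(log_text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # coefficient of variation: std-dev relative to the mean interval
        if statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((ip, url, round(mean)))
    return hits


# Constructed feed: one ordinary post and one whose body is a base64 blob of
# the kind a relay would hide inside a "legitimate" post.
SAMPLE_FEED = """<rss version="2.0"><channel><title>constructed feed</title>
<item><title>Weekly notes</title>
<description>Short update on the garden, the weather was fine all week.</description></item>
<item><title>x7f2</title>
<description>Y29sbGVjdDpwYXNzd29yZHM7dXBsb2FkOmJsb2cuZXhhbXBsZS50ZXN0L3Bvc3Q=</description></item>
</channel></rss>"""

BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def shannon_entropy(text):
    """Bits per character: English prose is roughly 4, encoded blobs higher."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_items(feed_xml, min_entropy=4.5):
    """Titles of feed items whose body looks like an encoded payload rather
    than something a person would post."""
    flagged = []
    for item in ET.fromstring(feed_xml).iter("item"):
        body = (item.findtext("description") or "").strip()
        if BASE64_BLOB.match(body) or shannon_entropy(body) >= min_entropy:
            flagged.append(item.findtext("title"))
    return flagged


if __name__ == "__main__":
    print(find_feed_beacons(SAMPLE_LOG))
    print(suspicious_items(SAMPLE_FEED))
```

Run against the constructed data, `find_feed_beacons` reports only the host polling the aggregator feed every 300 seconds, and `suspicious_items` flags only the post whose body is a base64 blob. Both checks are deliberately destination-agnostic: blocking Google or Yahoo is not an option, so the periodicity of the fetches and the shape of the fetched content are what a proxy or feed-inspection layer can act on.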