Symantec Uncovers Trojan Scheme Using Facebook

Researchers at Symantec find a Trojan that uses Facebook to communicate with a command and control server.

Researchers at Symantec have uncovered a Trojan using Facebook as a coordinator for its command and control server.

The Trojan malware, known to Symantec as Whitewell, is being spread via e-mail through "documents (PDF, or MS Office formats) containing exploits for known vulnerabilities," Andrea Lelli, a security analyst with Symantec Security Response, wrote on a Symantec blog Oct. 31. The malware works by contacting the mobile version of Facebook and using its Notes section. By analyzing the Trojan's code, Lelli found that the Trojan will perform four different actions, depending on the notes' titles that are found.

If the title is Wells, the note will contain the timedate stamp for when a machine was infected. If it is WebServer, however, the note will contain a URL to be contacted from which the Trojan will receive commands, Lelli wrote.

Small botnets are causing big security problems for enterprises. Click here to read more.

"The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere," Lelli blogged. "However ... one could use a Facebook account as a C&C [command and control] server and this Trojan is able to successfully parse the Facebook html data, retrieve the wanted data from it, and also post new data to it (it may for example send stolen data to it in the form of a note in the same [way] as it sends a timedate stamp)."

To read about how Facebook password spam concealed a malware attack, click here.

If the note has the title 'White', it contains a URL that leads to an executable to be downloaded. If the title is anything else, the Trojan is programmed to wait, Lelli wrote.

This is not the first time social networks have been used to help control malware. In August, Arbor Networks researcher Jose Nazario uncovered a botnet using Twitter to communicate with its army of compromised machines.

According to Symantec, in this case, the documents containing the malware are made to look legitimate to conceal their intent, mimicking for example the names of well-known courier companies and utilizing popular headlines from the news media.

"Besides documents they can also spread the executables themselves, sending them with icons that resemble those that accompany legitimate documents, and with legit-looking file names such as 'Competitive assessment.pdf .exe,'" Lelli wrote.

"I want to stress the fact that the Trojan does not use exploits or flaws of any kind; it simply uses the standard Facebook functionalities, which in no way are malicious, dangerous or faulty," Lelli added. "This particular Trojan is quite limited and seems to be a targeted attack, but it can be considered a precursor of a botnet using a social network as a C&C server."

Gerry Egan, director of Symantec Security Response, said the company has not observed a significant number of infections and believes the Trojan to be part of a limited, targeted attack.

Editor's Note: This story was updated to add additional commentary from Symantec.