Trojans Get Agile with Web 2.0 Tricks

Malware that researchers have dubbed "Trojan 2.0" is using RSS feeds to communicate.

Security researchers have spotted Trojans that are using RSS feeds to communicate instead of their traditional method of "phoning home" to get marching orders from command-and-control centers that security researchers have learned to track down and blacklist.

Yuval Ben-Itzhak, chief technology officer for Finjan, told eWEEK that the security firm recently detected three separate Trojans using blogs of limited popularity to receive orders from botnet herders or to feed stolen information back to identity thieves.

The lure of using legitimate sites such as blogs or social networking sites is that attackers can hide behind the legitimacy of Web 2.0 brands such as Google or Yahoo, Ben-Itzhak said.

"[An attacker] can use legitimate sites, sites no one will block, as a shield, so no one will identify where his [command-and-control] servers are and where he's located, and [the attacker] can use [Web 2.0 sites] as an intermediator between Trojans and the IP address where he's collecting data," he said.

This new type of Trojan—Trojan 2.0, as Finjan is calling it—is in an embryonic stage now, as Finjan has only spotted it in use at blogs of limited visibility. (Ben-Itzhak declined to name the blogs where the new Trojans are operating, lest Finjan give the false impression that blogs or social networking sites are somehow to blame.)

But even though Trojan 2.0 is just beginning to sprout up, Finjan is predicting that it's poised to be the standard Trojan blueprint for 2008, given the scalability, redundancy and brand-name camouflage that free Web-based services provide.

Finjan describes the concept in its latest quarterly Web Security Trends Report—Q4 2007, released on Dec. 10.


This is how Finjan describes the workflow for Trojan 2.0:

1. The user's PC is infected with a Trojan 2.0 using known infection methods, such as iFrame or code obfuscation.

2. Attacker uses a private Command & Control server to relay commands to the Trojan-infected PCs. For instance, collect passwords from user PC, collect financial reports or track online banking activities.

3. Command and Control 2.0 formats the data for the Trojan-infected PCs into a legitimate post to a public blog server.

4. Independently, a Web-based RSS aggregator service (such as Google Mash-up editor or Yahoo Pipes) notices the new post on the blog it's supposed to monitor, and updates itself.

5. Trojan-infected PCs are configured to grab the headlines of the public RSS feed generated by the aggregator, as customized by the attacker. Once the Trojans "see" the new post through the RSS aggregator, they parse the data in it, and execute according to the commands originally sent by the attacker.

6. The collected data is then posted back on Web 2.0 sites (for example, a blog service, or Googlepages) as legitimate content. The Web 2.0 site is acting as temporary storage for the stolen user data until collected by the criminal and deleted.
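The defensive problem in step 5 is that the feed lives on a brand nobody blocks, so reputation-based blacklisting does not help; what does stand out is the rhythm of the fetches, since an infected PC polls its feed on a fixed timer while a person reading feeds does not. The following is an added example, not code from the article or from Finjan, of a beacon-style check run over constructed proxy log lines. The log format (epoch, client IP, method, URL, status), the `feeds.example.invalid` hostnames and the `FEED_MARKERS` heuristic are all assumptions made for the illustration.

```python
"""Flag clients that poll feed-style URLs on a near-fixed interval.

Added example for the Trojan 2.0 workflow described above; the proxy log
format and all hostnames are constructed, not taken from the article.
Assumed log format, one request per line:
    <epoch> <client_ip> <method> <url> <status>
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample log. 10.0.0.5 fetches the same aggregator feed every
# ~600 s with a few seconds of jitter (machine-like); 10.0.0.7 fetches the
# same feed at irregular, human-like intervals.
SAMPLE_LOG = """\
1197244800 10.0.0.5 GET http://feeds.example.invalid/pipe/abc123/rss 200
1197245400 10.0.0.5 GET http://feeds.example.invalid/pipe/abc123/rss 200
1197246001 10.0.0.5 GET http://feeds.example.invalid/pipe/abc123/rss 200
1197246599 10.0.0.5 GET http://feeds.example.invalid/pipe/abc123/rss 200
1197247200 10.0.0.5 GET http://feeds.example.invalid/pipe/abc123/rss 200
1197247801 10.0.0.5 GET http://feeds.example.invalid/pipe/abc123/rss 200
1197245000 10.0.0.5 GET http://www.example.invalid/index.html 200
1197244900 10.0.0.7 GET http://feeds.example.invalid/pipe/abc123/rss 200
1197251300 10.0.0.7 GET http://feeds.example.invalid/pipe/abc123/rss 200
1197252100 10.0.0.7 GET http://feeds.example.invalid/pipe/abc123/rss 200
1197263000 10.0.0.7 GET http://feeds.example.invalid/pipe/abc123/rss 200
1197270000 10.0.0.7 GET http://feeds.example.invalid/pipe/abc123/rss 200
"""

# Assumed heuristic for "this URL is a feed"; substring matching is crude
# (e.g. "atom" would match "anatomy") but is enough for a first triage pass.
FEED_MARKERS = ("rss", "atom", "feed", "pipe")


def parse_log(text):
    """Return (timestamp, client, method, url) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # a bad line should not abort the whole run
        ts, client, method, url, _status = parts
        records.append((int(ts), client, method, url))
    return records


def looks_like_feed(url):
    """True if the host or path carries a feed-style token."""
    parsed = urlparse(url)
    haystack = (parsed.netloc + parsed.path).lower()
    return any(marker in haystack for marker in FEED_MARKERS)


def find_periodic_feed_polls(records, min_fetches=5, max_cv=0.05):
    """Map (client, url) -> (mean_gap_seconds, cv) for feed URLs fetched on a
    near-fixed schedule. cv is stdev/mean of the gaps between consecutive
    fetches; timer-driven polling has a cv near zero, human reading does not.
    """
    fetches = defaultdict(list)
    for ts, client, method, url in records:
        if method == "GET" and looks_like_feed(url):
            fetches[(client, url)].append(ts)

    flagged = {}
    for key, times in fetches.items():
        if len(times) < min_fetches:
            continue  # too few samples to say anything about periodicity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; not a schedule
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[key] = (avg, cv)
    return flagged


if __name__ == "__main__":
    for (client, url), (avg, cv) in find_periodic_feed_polls(parse_log(SAMPLE_LOG)).items():
        print(f"{client} polls {url} every ~{avg:.0f}s (cv={cv:.3f})")
```

On the constructed log only 10.0.0.5 is flagged (about a 600-second cadence, cv well under 0.01); 10.0.0.7 has five fetches of the same feed but a coefficient of variation far above the threshold, so it is left alone. Tune `min_fetches` and `max_cv` against a baseline of your own users' feed readers before acting on hits, since many legitimate desktop aggregators also poll on a timer; the value of the check is in narrowing the list of hosts to look at, not in convicting them.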

If Finjan's predictions for the rise of Trojan 2.0 come true in coming months, the malware's evolution will parallel that of "badvertising"—i.e., malicious code served up by well-known advertising providers. Back in early 2007, when Finjan documented the early days of badvertising in its first quarter report, attackers were taking advantage of less well known ad providers.

By November, badvertising had gotten far more ambitious, as security researchers tracked malware that had found its way onto ads served by DoubleClick and which appeared on legitimate sites including CNN, The Economist, The Huffington Post and the official site of the Philadelphia Phillies.
