Security researchers have spotted Trojans that are using RSS feeds to communicate instead of their traditional method of “phoning home” to get marching orders from command-and-control centers that security researchers have learned to track down and blacklist.
Yuval Ben-Itzhak, chief technology officer for Finjan, told eWEEK that the security firm recently detected three separate Trojans using blogs of limited popularity to receive orders from botnet herders or to feed stolen information back to identity thieves.
The lure of using legitimate sites such as blogs or social networking sites is that attackers can hide behind the legitimacy of Web 2.0 brands such as Google or Yahoo, Ben-Itzhak said.
“[An attacker] can use legitimate sites, sites no one will block, as a shield, so no one will identify where his [command-and-control] servers are and where he’s located, and [the attacker] can use [Web 2.0 sites] as an intermediator between Trojans and the IP address where he’s collecting data,” he said.
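The pattern described above leaves a defender with little to block at the destination, since the blog or feed host is legitimate, but the Trojan still has to poll that feed on a schedule to pick up its orders. The following is an added example (not code from the article or from Finjan) that runs over a few constructed proxy log lines and flags client/feed-URL pairs fetched at machine-regular intervals. The log format, host names, IP addresses and thresholds are all assumptions for the sake of the example:

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not taken from the article):
# <ISO timestamp> <client IP> <method> <URL> <status>
SAMPLE_PROXY_LOG = """\
2007-12-10T09:00:02Z 10.0.0.7 GET http://blog.example-host.test/feed.rss 200
2007-12-10T09:01:14Z 10.0.0.9 GET http://news.example.test/index.html 200
2007-12-10T09:05:02Z 10.0.0.7 GET http://blog.example-host.test/feed.rss 200
2007-12-10T09:10:03Z 10.0.0.7 GET http://blog.example-host.test/feed.rss 200
2007-12-10T09:12:40Z 10.0.0.9 GET http://blog.example-host.test/feed.rss 200
2007-12-10T09:15:02Z 10.0.0.7 GET http://blog.example-host.test/feed.rss 200
2007-12-10T09:20:01Z 10.0.0.7 GET http://blog.example-host.test/feed.rss 200
2007-12-10T09:25:02Z 10.0.0.7 GET http://blog.example-host.test/feed.rss 200
2007-12-10T11:47:33Z 10.0.0.9 GET http://blog.example-host.test/feed.rss 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Rough heuristic for RSS/Atom feed URLs; tune to the feeds actually seen in your environment.
FEED_RE = re.compile(r"/(feed|rss|atom)(\.xml|\.rss)?(\?|$)|\.(rss|xml|atom)(\?|$)", re.I)


def parse_log(text):
    """Yield (timestamp, client, url) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(4)


def find_feed_beacons(text, min_fetches=5, max_cv=0.2):
    """Return {(client, url): mean_interval_seconds} for feed URLs a client polls
    at near-constant intervals.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive fetches of the same URL by the same client. A scheduled poller
    produces a cv close to 0; interactive browsing does not.
    """
    fetches = defaultdict(list)
    for ts, client, url in parse_log(text):
        if FEED_RE.search(url):
            fetches[(client, url)].append(ts)

    alerts = {}
    for key, times in fetches.items():
        if len(times) < min_fetches:
            continue  # too few samples to say anything about regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_cv:
            alerts[key] = mu
    return alerts


if __name__ == "__main__":
    for (client, url), interval in find_feed_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{client} polls {url} every ~{interval:.0f}s")
```

On the constructed log, 10.0.0.7 is reported (six fetches of the same feed roughly 300 seconds apart) while 10.0.0.9, which fetched the feed twice hours apart, is not. Legitimate feed readers also poll on fixed schedules, so in practice this signal is best combined with a baseline of which feeds and user agents are normal for the network rather than treated as a verdict on its own.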
This new type of Trojan—Trojan 2.0, as Finjan is calling it—is in an embryonic stage now, as Finjan has only spotted it in use at blogs of limited visibility. (Ben-Itzhak declined to name the blogs where the new Trojans are operating, lest Finjan give the false impression that blogs or social networking sites are somehow to blame.)
But even though Trojan 2.0 is just beginning to sprout up, Finjan is predicting that it’s poised to be the standard Trojan blueprint for 2008, given the scalability, redundancy and brand-name camouflage free Web-based services provide.
Finjan describes the concept in its latest quarterly Web Security Trends Report—Q4 2007 (available here), released on Dec. 10.
This is how Finjan describes the workflow for Trojan 2.0:
If Finjan’s predictions for the rise of Trojan 2.0 come true in coming months, the malware’s evolution will parallel that of “badvertising”—i.e., malicious code served up by well-known advertising providers. Back in early 2007, when Finjan documented the early days of badvertising in its first quarter report, attackers were taking advantage of less well known ad providers.
By November, badvertising had gotten far more ambitious, as security researchers tracked malware that had found its way onto ads served by DoubleClick and which appeared on legitimate sites including CNN, The Economist, The Huffington Post and the official site of the Philadelphia Phillies.