Trojan Lurking in Facebook

by Tim Sullivan on November 5, 2009

Security researchers recently found a Trojan that uses Facebook to communicate with its command and control server. The Trojan malware is being spread via e-mail through “documents (PDF, or MS Office formats) containing exploits for known vulnerabilities,” writes Andrea Lelli, a security analyst with Symantec Security Response. The malware works by contacting the mobile version of Facebook and using its Notes section.

Clues in the title
By analyzing the Trojan’s code, Lelli found that the Trojan will perform four different actions, depending on the titles of the notes it finds. If the title is Wells, the note contains the timedate stamp for when a machine was infected. If the title is WebServer, however, the note contains a URL that the Trojan contacts to receive commands, Lelli wrote.

“The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere,” Lelli blogged. “However … one could use a Facebook account as a C&C [command and control] server and this Trojan is able to successfully parse the Facebook html data, retrieve the wanted data from it, and also post new data to it (it may for example send stolen data to it in the form of a note in the same [way] as it sends a timedate stamp).”
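A defender-side heuristic for the behaviour described above, as an added example that is not from the original post or from Symantec's analysis: flag clients that repeatedly contact the same non-Facebook host shortly after fetching a notes page on mobile Facebook. The log format, the `notes` path marker, the 30-second window and all sample log lines are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed proxy log lines (not real traffic): "timestamp client host path"
SAMPLE_LOG = """\
2009-11-05T09:00:01 10.0.0.5 www.example.com /index.html
2009-11-05T09:00:10 10.0.0.7 m.facebook.com /notes.php
2009-11-05T09:00:14 10.0.0.7 cmd.example.net /gate
2009-11-05T09:01:00 10.0.0.5 m.facebook.com /home.php
2009-11-05T09:01:05 10.0.0.5 www.example.com /news
2009-11-05T09:30:10 10.0.0.7 m.facebook.com /notes.php
2009-11-05T09:30:13 10.0.0.7 cmd.example.net /gate
2009-11-05T10:00:00 10.0.0.9 m.facebook.com /notes.php
2009-11-05T10:05:00 10.0.0.9 other.example.org /
"""

MOBILE_HOST = "m.facebook.com"  # mobile Facebook hostname
NOTES_HINT = "notes"            # assumed path marker, adjust to your logs
WINDOW = timedelta(seconds=30)  # assumed follow-up window

def parse(log_text):
    """Yield (time, client, host, path), skipping lines without four fields."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, host, path = parts
            yield datetime.fromisoformat(ts), client, host.lower(), path

def find_notes_followups(log_text, window=WINDOW):
    """Count, per client, hosts contacted within `window` of a notes fetch."""
    last_notes, hits = {}, {}
    for ts, client, host, path in sorted(parse(log_text)):
        if host == MOBILE_HOST and NOTES_HINT in path.lower():
            last_notes[client] = ts  # remember the most recent notes fetch
        elif host != MOBILE_HOST and client in last_notes:
            if ts - last_notes[client] <= window:
                per_client = hits.setdefault(client, {})
                per_client[host] = per_client.get(host, 0) + 1
    return hits

def suspicious_clients(log_text, min_repeats=2):
    """Clients that hit the same host after notes fetches min_repeats+ times."""
    result = {}
    for client, hosts in find_notes_followups(log_text).items():
        repeated = sorted(h for h, n in hosts.items() if n >= min_repeats)
        if repeated:
            result[client] = repeated
    return result
```

A single follow-up request is common in normal browsing, so the repeat threshold is what separates the pattern from noise; results are leads for triage, not verdicts.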

The flipside
Social networks have been used to help control malware in the past. In August, Arbor Networks researcher Jose Nazario uncovered a botnet using Twitter to communicate with its army of compromised machines.

About Mailprotector
Mailprotector’s services prevent Trojans, viruses, spam, phishing attacks and other email-borne malware from getting to your inbox and spreading havoc throughout your email infrastructure.
