09 November 2009 | 8,029 views

Facebook Used By Whitewell Trojan To Communicate

Acunetix Web Application Security

Facebook has had it’s fair share of security woes and the latest is the discovery of a new Trojan that uses Facebook to communicate.

Interesting that it’s using the Facebook notes feature to communicate depending on title/subject of the note.

The actual malware itself is spread through doc/pdf exploits and not through any flaws in Facebook itself.

Researchers at Symantec find a Trojan that uses Facebook to communicate with a command and control server.

The Trojan malware, known to Symantec as Whitewell, is being spread via e-mail through “documents (PDF, or MS Office formats) containing exploits for known vulnerabilities,” Andrea Lelli, a security analyst with Symantec Security Response, wrote on a Symantec blog Oct. 31. The malware works by contacting the mobile version of Facebook and using its Notes section. By analyzing the Trojan’s code, Lelli found that the Trojan will perform four different actions, depending on the notes’ titles that are found.

If the title is Wells, the note will contain the timedate stamp for when a machine was infected. If it is WebServer, however, the note will contain a URL to be contacted from which the Trojan will receive commands, Lelli wrote.

The malware can actually parse the data in Facebook, and post new notes itself meaning it is self-propagating according to whatever logic is programmed inside.

The ability of the trojan to do anything damaging is somewhat limited but it does show what could be achieved by using a social networking site as a command and control channel.

I’d imagine this won’t be the last we see and this could evolve into something much nastier.

If the note has the title ‘White’, it contains a URL that leads to an executable to be downloaded. If the title is anything else, the Trojan is programmed to wait, Lelli wrote.

This is not the first time social networks have been used to help control malware. In August, Arbor Networks researcher Jose Nazario uncovered a botnet using Twitter to communicate with its army of compromised machines.

According to Symantec, in this case, the documents containing the malware are made to look legitimate to conceal their intent, mimicking for example the names of well-known courier companies and utilizing popular headlines from the news media.

“Besides documents they can also spread the executables themselves, sending them with icons that resemble those that accompany legitimate documents, and with legit-looking file names such as ‘Competitive assessment.pdf .exe,’” Lelli wrote.

As with most attacks of this kind, the actual infection comes from lack of user knowledge and social engineering (double file extensions) as Windows STILL insists on hiding known file extensions from the user.

People have been falling for the old double-extension forever, I don’t see why Windows can’t just show extensions by default – do they scare people that much they have to be hidden?

Source: eWeek





                

Recent in Malware:
- Target CIO Beth Jacob Resigns After Huge Breach
- Azazel – Userland Anti-debugging & Anti-detection Rootkit
- The Mask AKA Careto Espionage Malware

Related Posts:
- Yes – We Now Have A Facebook Page – So Please Like It!
- Multilingual Worm Spreads Over MSN Messenger
- FBController – The Ultimate Utility to Control Facebook Accounts

Most Read in Malware:
- Nasty Trojan Zeus Evades Antivirus Software - 77,268 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,402 views
- US considers banning DRM rootkits – Sony BMG - 44,914 views

Low-cost VPS Hosting

One Response to “Facebook Used By Whitewell Trojan To Communicate”

  1. Morgan Storey 9 November 2009 at 9:54 pm Permalink

    it is only a matter of time before they use even more subvert ways, steganography in a legitimate posted photo would be the ultimate.