Facebook Used By Whitewell Trojan To Communicate

The New Acunetix V12 Engine


Facebook has had it’s fair share of security woes and the latest is the discovery of a new Trojan that uses Facebook to communicate.

Interesting that it’s using the Facebook notes feature to communicate depending on title/subject of the note.

The actual malware itself is spread through doc/pdf exploits and not through any flaws in Facebook itself.

Researchers at Symantec find a Trojan that uses Facebook to communicate with a command and control server.

The Trojan malware, known to Symantec as Whitewell, is being spread via e-mail through “documents (PDF, or MS Office formats) containing exploits for known vulnerabilities,” Andrea Lelli, a security analyst with Symantec Security Response, wrote on a Symantec blog Oct. 31. The malware works by contacting the mobile version of Facebook and using its Notes section. By analyzing the Trojan’s code, Lelli found that the Trojan will perform four different actions, depending on the notes’ titles that are found.

If the title is Wells, the note will contain the timedate stamp for when a machine was infected. If it is WebServer, however, the note will contain a URL to be contacted from which the Trojan will receive commands, Lelli wrote.

The malware can actually parse the data in Facebook, and post new notes itself meaning it is self-propagating according to whatever logic is programmed inside.

The ability of the trojan to do anything damaging is somewhat limited but it does show what could be achieved by using a social networking site as a command and control channel.

I’d imagine this won’t be the last we see and this could evolve into something much nastier.

If the note has the title ‘White’, it contains a URL that leads to an executable to be downloaded. If the title is anything else, the Trojan is programmed to wait, Lelli wrote.

This is not the first time social networks have been used to help control malware. In August, Arbor Networks researcher Jose Nazario uncovered a botnet using Twitter to communicate with its army of compromised machines.

According to Symantec, in this case, the documents containing the malware are made to look legitimate to conceal their intent, mimicking for example the names of well-known courier companies and utilizing popular headlines from the news media.

“Besides documents they can also spread the executables themselves, sending them with icons that resemble those that accompany legitimate documents, and with legit-looking file names such as ‘Competitive assessment.pdf .exe,'” Lelli wrote.

As with most attacks of this kind, the actual infection comes from lack of user knowledge and social engineering (double file extensions) as Windows STILL insists on hiding known file extensions from the user.

People have been falling for the old double-extension forever, I don’t see why Windows can’t just show extensions by default – do they scare people that much they have to be hidden?

Source: eWeek

Posted in: Malware, Privacy

, , , , , , ,


Latest Posts:


testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.


One Response to Facebook Used By Whitewell Trojan To Communicate

  1. Morgan Storey November 9, 2009 at 9:54 pm #

    it is only a matter of time before they use even more subvert ways, steganography in a legitimate posted photo would be the ultimate.