Facebook Used By Whitewell Trojan To Communicate

Use Netsparker


Facebook has had it’s fair share of security woes and the latest is the discovery of a new Trojan that uses Facebook to communicate.

Interesting that it’s using the Facebook notes feature to communicate depending on title/subject of the note.

The actual malware itself is spread through doc/pdf exploits and not through any flaws in Facebook itself.

Researchers at Symantec find a Trojan that uses Facebook to communicate with a command and control server.

The Trojan malware, known to Symantec as Whitewell, is being spread via e-mail through “documents (PDF, or MS Office formats) containing exploits for known vulnerabilities,” Andrea Lelli, a security analyst with Symantec Security Response, wrote on a Symantec blog Oct. 31. The malware works by contacting the mobile version of Facebook and using its Notes section. By analyzing the Trojan’s code, Lelli found that the Trojan will perform four different actions, depending on the notes’ titles that are found.

If the title is Wells, the note will contain the timedate stamp for when a machine was infected. If it is WebServer, however, the note will contain a URL to be contacted from which the Trojan will receive commands, Lelli wrote.

The malware can actually parse the data in Facebook, and post new notes itself meaning it is self-propagating according to whatever logic is programmed inside.

The ability of the trojan to do anything damaging is somewhat limited but it does show what could be achieved by using a social networking site as a command and control channel.

I’d imagine this won’t be the last we see and this could evolve into something much nastier.

If the note has the title ‘White’, it contains a URL that leads to an executable to be downloaded. If the title is anything else, the Trojan is programmed to wait, Lelli wrote.

This is not the first time social networks have been used to help control malware. In August, Arbor Networks researcher Jose Nazario uncovered a botnet using Twitter to communicate with its army of compromised machines.

According to Symantec, in this case, the documents containing the malware are made to look legitimate to conceal their intent, mimicking for example the names of well-known courier companies and utilizing popular headlines from the news media.

“Besides documents they can also spread the executables themselves, sending them with icons that resemble those that accompany legitimate documents, and with legit-looking file names such as ‘Competitive assessment.pdf .exe,'” Lelli wrote.

As with most attacks of this kind, the actual infection comes from lack of user knowledge and social engineering (double file extensions) as Windows STILL insists on hiding known file extensions from the user.

People have been falling for the old double-extension forever, I don’t see why Windows can’t just show extensions by default – do they scare people that much they have to be hidden?

Source: eWeek

Posted in: Malware, Privacy

, , , , , , ,


Latest Posts:


BDFProxy - Patch Binaries via MITM - BackdoorFactory + mitmProxy BDFProxy – Patch Binaries via MiTM – BackdoorFactory + mitmproxy
BDFProxy allows you to patch binaries via MiTM with The Backdoor Factory combined with mitmproxy enabling on the fly patching of binary downloads
Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.


One Response to Facebook Used By Whitewell Trojan To Communicate

  1. Morgan Storey November 9, 2009 at 9:54 pm #

    it is only a matter of time before they use even more subvert ways, steganography in a legitimate posted photo would be the ultimate.