Symantec uncovers new type of Facebook trojan

03 November 2009

IT security vendor Symantec has uncovered a trojan that uses the Facebook social networking site to communicate with its command and control (C&C) infrastructure.

A command and control server is the machine an operator uses to steer a botnet, a cluster of malware-infected PCs that communicate across the internet. Traditionally, commands have been relayed between the infected PCs and the server over internet relay chat (IRC) channels, although HTTP-based channels that blend in with ordinary web traffic are also common.

The Facebook-enabled trojan is called Whitewell and is being spread via email in malicious documents (PDF or Microsoft Office format) that contain exploits for known, already-patched vulnerabilities.

According to Andrea Lelli, a security analyst with the Symantec Security Response operation, the trojan works by contacting the mobile version of Facebook and reading the Notes section of a particular account.

In his blog, Lelli said that, by analysing the trojan's code, Symantec's researchers concluded that the malware performs one of four different actions, depending on the titles of the notes it finds.


Infosecurity notes that, whilst this is not the first time a social networking site has been used to help control malware and a botnet - a Twitter-controlled botnet, for example, was spotted back in August - it is the first time a trojan has been structured so that Facebook itself forms part of the command and control channel.

According to Lelli's blog, the trojan is using a Facebook account to receive URLs to contact, "and it may post some timedate stamps back to the account, but nothing more than that".

"The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere.

"However, this sample shows that one could use a Facebook account as a C&C server and this trojan is able to successfully parse the Facebook HTML data, retrieve the wanted data from it, and also post new data to it (it may for example send stolen data to it in the form of a note in the same way as it sends a timedate stamp).

"I want to stress the fact that the trojan does not use exploits or flaws of any kind, it simply uses the standard Facebook functionalities, which in no way are malicious, dangerous, or faulty.

"This particular trojan is quite limited and seems to be a targeted attack, but it can be considered a precursor of a botnet using a social network as a C&C server."
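The mechanism Lelli describes is a "dead drop": the bot reads an ordinary web page, treats a few innocuous-looking entries as instructions, and pulls the address of the real C&C server out of them. The following is an added illustration written for this article, not Whitewell's code or Symantec's analysis. The HTML layout, the note titles (`cfg`, `rpt`, `chk`, `upd`) and the action names are assumptions; the page reports neither the real titles nor what the four actions do. Everything is embedded inline so it runs offline and never contacts Facebook.

```python
"""Dead-drop C&C resolver, illustrating the pattern described in the article.

Constructed example: the markup below is a stand-in for a mobile notes listing
(real Facebook markup differs), and the command titles are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page.  The first note is the account owner's genuine post;
# the other three are the operator's instructions hiding among them.
SAMPLE_NOTES_HTML = """
<html><body>
<div class="note"><h3>Holiday photos</h3><p>Had a great time in Rome!</p></div>
<div class="note"><h3>cfg</h3><p>http://203.0.113.10/stage2/cfg.bin</p></div>
<div class="note"><h3>chk</h3><p>20091103T101500Z</p></div>
<div class="note"><h3>rpt</h3><p>http://203.0.113.10/recv.php</p></div>
<div class="note"><h3>upd</h3><p>not a url at all</p></div>
</body></html>
"""


class NotesParser(HTMLParser):
    """Collect (title, body) pairs from the constructed layout above."""

    def __init__(self):
        super().__init__()
        self.notes = []
        self._in_title = self._in_body = False
        self._title = self._body = ""

    def handle_starttag(self, tag, attrs):
        if tag == "h3":
            self._in_title, self._title = True, ""
        elif tag == "p":
            self._in_body, self._body = True, ""

    def handle_data(self, data):
        if self._in_title:
            self._title += data
        elif self._in_body:
            self._body += data

    def handle_endtag(self, tag):
        if tag == "h3":
            self._in_title = False
        elif tag == "p":
            self._in_body = False
            self.notes.append((self._title.strip(), self._body.strip()))


def parse_notes(html):
    """Return every note on the page as a (title, body) tuple."""
    parser = NotesParser()
    parser.feed(html)
    parser.close()
    return parser.notes


# Hypothetical title -> action mapping (assumption; the article names neither).
COMMAND_TITLES = {
    "cfg": "fetch_config",  # body: URL of the real C&C endpoint
    "rpt": "report_to",     # body: URL to post stolen data or status to
    "chk": "checkin",       # body: operator's last timestamp
    "upd": "update",        # body: URL of a replacement binary
}
URL_ACTIONS = {"fetch_config", "report_to", "update"}


def resolve_commands(notes):
    """Map notes onto bot actions.

    Notes whose title is not a command keyword (the owner's real posts) are
    ignored, which is what lets the channel blend in.  Where the action expects
    a URL, the body must parse as http(s) with a host; anything else is dropped,
    so a tampered or garbled note cannot steer the bot to a bogus scheme.
    The accepted URL may point anywhere; the drop only hands out the address.
    """
    commands = []
    for title, body in notes:
        action = COMMAND_TITLES.get(title.lower())
        if action is None:
            continue
        if action in URL_ACTIONS:
            parts = urlparse(body)
            if parts.scheme not in ("http", "https") or not parts.netloc:
                continue
        commands.append((action, body))
    return commands


if __name__ == "__main__":
    for action, payload in resolve_commands(parse_notes(SAMPLE_NOTES_HTML)):
        print(f"{action:13s} <- {payload}")
```

Two points for defenders follow from the code rather than from any flaw in Facebook. First, as Lelli says, nothing in the channel is an exploit: the bot issues the same HTTP requests a phone's browser would, so the page content itself gives detection little to work on. Second, the drop is a pointer, not the C&C server; the URL it hands out can be rotated at will, so blocking the eventual endpoint without looking at which process on the host is fetching the social-network page only buys time.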
