Symantec uncovers new type of Facebook trojan

A command and control server is used by a botnet - a cluster of malware-infected PCs which communicate across the internet - as a means of controlling the botnet swarm. Communications are usually relayed between the infected PCs and the server through internet relay chat channels.

The Facebook-enabled trojan is called Whitewell and is being spread via email using infected documents (PDF or MS-Office format) that contain exploits for known vulnerabilities.

According to Andrea Lelli, a security analyst with the Symantec Security Response operation, the trojan works by contacting the mobile version of Facebook and using its Notes section.

In the analyst's blog, he said that, by analysing the trojan's code, Symantec's researchers have concluded that the malware appears to perform four different actions, depending on the titles of the notes it finds.

"The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere", said Lelli in his blog.

"However... one could (also) use a Facebook account as a C&C server and this trojan is able to successfully parse the Facebook HTML data, retrieve the wanted data from it, and also post new data to it."

Infosecurity notes that, whilst this is not the first time a social networking site has been used to assist in the control of malware and a botnet - a Twitter botnet, for example, was spotted back in August - it is the first time that a trojan infection has been structured to allow Facebook itself to act as a command and control server.

According to Lelli's blog, the trojan is using a Facebook account to receive URLs to contact, "and it may post some timedate stamps back to the account, but nothing more than that".

"The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere.

"However, this sample shows that one could use a Facebook account as a C&C server and this trojan is able to successfully parse the Facebook HTML data, retrieve the wanted data from it, and also post new data to it (it may for example send stolen data to it in the form of a note in the same way as it sends a timedate stamp).

"I want to stress the fact that the trojan does not use exploits or flaws of any kind, it simply uses the standard Facebook functionalities, which in no way are malicious, dangerous, or faulty.

"This particular trojan is quite limited and seems to be a targeted attack, but it can be considered a precursor of a botnet using a social network as a C&C server."
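From the detection side, one thing a defender can look for is the polling behaviour this article describes: a host repeatedly fetching a mobile-Facebook Notes page at near-constant intervals without a browser user agent. The Python check below is an added example, not code from the article or from Symantec; the proxy-log format, the Notes URL shape and the user-agent test are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed proxy-log format: <ISO timestamp> <client IP> <method> <URL> "<user agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# Assumed shape of a mobile-Facebook Notes URL; the article gives no real path.
NOTES_RE = re.compile(r'^https?://m\.facebook\.com/notes?\b', re.I)
BROWSER_UA = re.compile(r'Mozilla/', re.I)  # crude "looks like a browser" test

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2009-10-28T10:00:00 10.0.0.5 GET http://m.facebook.com/notes/c2-note-placeholder "-"',
    '2009-10-28T10:05:00 10.0.0.5 GET http://m.facebook.com/notes/c2-note-placeholder "-"',
    '2009-10-28T10:10:00 10.0.0.5 GET http://m.facebook.com/notes/c2-note-placeholder "-"',
    '2009-10-28T10:15:00 10.0.0.5 GET http://m.facebook.com/notes/c2-note-placeholder "-"',
    '2009-10-28T10:02:11 10.0.0.9 GET http://m.facebook.com/notes/friend-note "Mozilla/5.0"',
    '2009-10-28T10:31:47 10.0.0.9 GET http://m.facebook.com/notes/friend-note "Mozilla/5.0"',
    '2009-10-28T10:03:00 10.0.0.7 GET http://m.facebook.com/notes/other-note "-"',
    '2009-10-28T11:40:00 10.0.0.7 GET http://m.facebook.com/notes/other-note "-"',
]

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y-%m-%dT%H:%M:%S')
    return rec

def find_beacons(lines, min_hits=4, max_jitter=0.2):
    """Return {(client, method, url): mean interval in seconds} for non-browser
    clients that hit the same Notes URL at least min_hits times with gaps whose
    relative spread (stdev / mean) is at most max_jitter."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or not NOTES_RE.match(rec['url']) or BROWSER_UA.search(rec['ua']):
            continue  # unparseable, not a Notes page, or an ordinary browser visit
        hits[(rec['client'], rec['method'], rec['url'])].append(rec['ts'])
    suspects = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects[key] = avg
    return suspects
```

Thresholds like `min_hits` and `max_jitter` need tuning against a site's real baseline; the point is that a legitimate user reading notes in a browser does not produce evenly spaced, browserless fetches of one page.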
