Report: Malware Purveyors Using Social Nets For Command And Control
Banking Trojan is among the first to be controlled through public social network, RSA says
July 22, 2010
When malware distributors build a single point of control for delivering their payloads, they have traditionally located it on a rogue ISP or some other underground network. But according to researchers at RSA, there could now be a new location for command and control: social networks.
According to a blog posted earlier this week by the RSA FraudAction Research Lab, cybercriminals have recently been spotted distributing the "Brazilian Banker" Trojan using a method that stores the malware's encrypted configuration and commands in the text of a public user profile, such as those used on Facebook.
"[This] method allows the cybercriminal to issue encrypted commands without renting a dedicated, bulletproof server or registering a domain for the malware's communication points," the researchers say. The hosting method could be used on "almost any social networking or Web 2.0 platform that enables the almost unrestricted posting of comments, creation of public profiles, and the setup of newsgroups."
In the case of Brazilian Banker, the cybercriminals set up a bogus profile under the name of "Ana Maria" and entered the crimeware's encrypted configuration settings as text uploaded to the profile. After infecting a user's machine and installing itself on it, the malware searched the profile for a specific string of letters. The string signified the starting point of the malware's configuration instructions.
Once the string was recognized, all of the encrypted commands following the string were decrypted by the malware and executed on the infected computer, according to RSA.
In another case, a bot herder used Twitter's RSS feed option, the researchers say. "By logging into a designated email account, the Trojan periodically checks for new instructions specified in status updates sent via Twitter's RSS feed," the blog says. "Each new command appears as a status update, and contains new instructions for the Trojan to execute."
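The two retrieval mechanisms described above (the marker-delimited configuration posted in the "Ana Maria" profile, and the Twitter RSS feed polled for new status updates), written out as an added Python example; this is not RSA's code or the Trojan's. The marker string, the repeating-key XOR stand-in cipher and its key, the key=value configuration format, and the sample profile text and feed are all constructed assumptions, since the article does not disclose any of them.

```python
import base64
import re
import xml.etree.ElementTree as ET

# All values below are assumptions for the demonstration: the article names neither
# the marker string, the cipher, the key nor the configuration format.
MARKER = "#CFG-START#"          # hypothetical start-of-config marker the bot searches for
KEY = b"demo-shared-key"         # hypothetical key hard-coded in the bot
SAMPLE_CONFIG = "dropzone=http://example.invalid/drop\ntargets=bank1,bank2\nupdate=3600"


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, a stand-in for whatever cipher the real Trojan used."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_config(plaintext: str, key: bytes = KEY) -> str:
    """Operator side: encrypt the config and base64 it so it survives as profile text."""
    return base64.b64encode(xor_stream(plaintext.encode("utf-8"), key)).decode("ascii")


def parse_directives(text: str) -> dict:
    """Config body is 'key=value' lines (assumed format)."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def extract_config_from_profile(profile_text: str, marker: str = MARKER, key: bytes = KEY) -> dict:
    """Bot side, case 1: find the marker in the profile, decode and decrypt what follows it."""
    idx = profile_text.find(marker)
    if idx < 0:
        return {}                       # nothing posted yet, or the profile was taken down
    tail = profile_text[idx + len(marker):].lstrip()
    m = re.match(r"[A-Za-z0-9+/=]+", tail)   # the blob ends at the first non-base64 char
    if not m:
        return {}
    try:
        plain = xor_stream(base64.b64decode(m.group(0), validate=True), key).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return {}                       # garbage after the marker: ignore rather than execute
    return parse_directives(plain)


def commands_from_rss(rss_xml: str, seen_guids: set) -> list:
    """Bot side, case 2: every new status update in the feed is one command; seen_guids
    keeps state across polls so each instruction is returned only once."""
    root = ET.fromstring(rss_xml)
    cmds = []
    for item in root.iter("item"):
        guid = item.findtext("guid") or item.findtext("link") or ""
        if not guid or guid in seen_guids:
            continue
        seen_guids.add(guid)
        cmds.append((item.findtext("title") or "").strip())
    return cmds


# Constructed sample data standing in for the "Ana Maria" profile and a Twitter RSS feed.
PROFILE_TEXT = ("About me: I love beaches and music! "
                + MARKER + encode_config(SAMPLE_CONFIG)
                + " Thanks for visiting my page.")

SAMPLE_RSS = """<rss version="2.0"><channel><title>anamaria / Twitter</title>
<item><title>update http://example.invalid/new.bin</title><guid>1001</guid></item>
<item><title>sleep 3600</title><guid>1002</guid></item>
</channel></rss>"""


if __name__ == "__main__":
    print("profile config:", extract_config_from_profile(PROFILE_TEXT))
    seen = set()
    print("first poll:", commands_from_rss(SAMPLE_RSS, seen))
    print("second poll (nothing new):", commands_from_rss(SAMPLE_RSS, seen))
```

The point for defenders is that neither fetch looks like classic C2 traffic: both are plain HTTPS requests to a popular site that no egress policy will block. Detection has to rest on which process is making the request (a non-browser binary pulling a profile page or an RSS feed on a timer) and on the content itself, which is also what makes the takedown RSA describes quick once the profile or account is reported.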
There are several reasons why a cybercriminal might want to use a social network for command and control, according to RSA. First, it eliminates the need to buy and maintain a domain name for their command and control point. Second, it eliminates the need to pay for or maintain a dedicated, bulletproof server.
"As soon as one public profile or account is removed by these services, a new profile or account can be easily set up, free of charge," RSA observes.
"Despite these advantages, banking Trojan attacks that host communication resources on public resources are still quite rare, and currently remain the exception rather than the rule," the researchers say. "Generally, after a threat is detected, and the appropriate support team is informed, the removal of these command and control points is simple and quick."