Report: Malware Purveyors Using Social Nets For Command And Control

Banking Trojan is among the first to be controlled through public social network, RSA says

Dark Reading Staff, Dark Reading

July 22, 2010

2 Min Read

When malware distributors build a single point of control for delivering their payloads, they have traditionally located it on a rogue ISP or some other underground network. But according to researchers at RSA, there could now be a new location for command and control: social networks.

According to a blog posted earlier this week by the RSA FraudAction Research Lab, cybercriminals have recently been spotted distributing the "Brazilian Banker" Trojan using a method that stores encrypted malware in the text of a user profile, such as those used on Facebook.

"[This] method allows the cybercriminal to issue encrypted commands without renting a dedicated, bulletproof server or registering a domain for the malware's communication points," the researchers say. The hosting method could be used on "almost any social networking or Web 2.0 platform that enables the almost unrestricted posting of comments, creation of public profiles, and the setup of newsgroups."

In the case of Brazilian Banker, the cybercriminals set up a bogus profile under the name of "Ana Maria" and entered the crimeware's encrypted configuration settings as text uploaded to the profile. After infecting a user's machine and installing itself on it, the malware searched the profile for a specific string of letters. The string signified the starting point of the malware's configuration instructions.

Once the string was recognized, all of the encrypted commands following the string were decrypted by the malware and executed on the infected computer, according to RSA.

In another case, a bot herder used Twitter's RSS feed option, the researchers say. "By logging into a designated email account, the Trojan periodically checks for new instructions specified in status updates sent via Twitter's RSS feed," the blog says. "Each new command appears as a status update, and contains new instructions for the Trojan to execute."

There are several reasons why a cybercriminal might want to use a social network for command and control, according to RSA. First, it eliminates the need to buy and maintain a domain name for their command and control point. Second, it eliminates the need to pay for or maintain a dedicated, bulletproof server.

"As soon as one public profile or account is removed by these services, a new profile or account can be easily set up, free of charge," RSA observes.

"Despite these advantages, banking Trojan attacks that host communication resources on public resources are still quite rare, and currently remain the exception rather than the rule," the researchers say. "Generally, after a threat is detected, and the appropriate support team is informed, the removal of these command and control points is simple and quick."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights