RSA: Banking trojan uses social network as command and control server

Summary: RSA's FraudAction Research Lab is reporting that crimeware targeting Brazilian banks is using a popular social network as a command and control server. This isn't the first time that cybercriminals have experimented with managed cloud platforms or abused social networks for command and control purposes, and it definitely won't be the last.

RSA's FraudAction Research Lab is reporting that crimeware targeting Brazilian banks is using a popular social network as a command and control server.

According to the company, which acted promptly and took down the profile in question, cybercriminals continue to actively experiment with alternative C&C (command and control) channels built on legitimate infrastructure.

More details:

  • The cybercriminal behind the crimeware set up a bogus profile under the name of “Ana Maria”, and entered the crimeware’s encrypted configuration settings as text uploaded to the profile.
  • After infecting a user’s machine and installing itself on it, the malware searched the profile for the string EIOWJE (underlined in the above screenshot). The string signified the starting point of the malware’s configuration instructions.
  • All the encrypted commands following the EIOWJE string were decrypted by the malware and executed on the infected computer.
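The three steps above describe a classic "dead drop" pattern: the operator hides configuration in plain text on a legitimate site, and the malware locates it by a fixed marker. The same property that makes the marker useful to the malware makes it useful to a defender, since profile text or proxied web content can be scanned for it. The following is an added example, not code from RSA or from the article's author: it scans a handful of constructed sample posts (the Portuguese chatter and the hex blob are invented for this example, not the real trojan's configuration) for the EIOWJE marker reported on the page, and flags any marker followed by a long, high-entropy token, which is the shape an encrypted configuration takes when pasted into a text field. The length and entropy thresholds are assumptions chosen for illustration.

```python
import math
import re

# The marker RSA reported the malware searching for in the profile text.
MARKER = "EIOWJE"

# Constructed sample posts standing in for text scraped from a profile page.
# The blob after the marker is random-looking filler invented for this example.
SAMPLE_POSTS = [
    "Oi gente! Fim de semana na praia, quem vem?",
    "Receita de bolo de cenoura hoje a tarde :)",
    "EIOWJE 3f9a1c7e44b2d8e0a6f5c1b9e27d4a3c8b6f0e1d2a9c5b7e4f3a1d8c6b2e9f0a",
    "Bom dia, mais um dia de trabalho.",
]


def shannon_entropy(s):
    """Bits per character of s; values near the alphabet's maximum suggest
    encoded or encrypted data rather than natural language."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_dead_drop_candidates(posts, marker=MARKER, min_len=32, min_entropy=3.5):
    """Return (post_index, blob, entropy) for every post in which the marker is
    followed by a single long, high-entropy token.  Thresholds are assumptions:
    a short or low-entropy token after the marker is treated as a false positive
    (someone typing the marker word by accident)."""
    hits = []
    # Marker, optional whitespace, then the first run of non-space characters.
    pattern = re.compile(re.escape(marker) + r"\s*(\S+)")
    for i, post in enumerate(posts):
        m = pattern.search(post)
        if not m:
            continue
        blob = m.group(1)
        ent = shannon_entropy(blob)
        if len(blob) >= min_len and ent >= min_entropy:
            hits.append((i, blob, round(ent, 2)))
    return hits


if __name__ == "__main__":
    for idx, blob, ent in find_dead_drop_candidates(SAMPLE_POSTS):
        print(f"post {idx}: marker followed by {len(blob)}-char blob, entropy {ent} bits/char")
```

In a real deployment the same function would run over text pulled from a monitored profile, a web proxy's response bodies, or the social network's own abuse pipeline; the marker is a brittle indicator that the operator can change, so the entropy check is there to catch the next variant that keeps the pattern but swaps the string.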

This isn't the first time that cybercriminals have experimented with managed cloud platforms or abused social networks for command and control purposes, and it definitely won't be the last. Here are some examples of known cases where legitimate infrastructure and social networks were used as C&Cs:

The same mentality was also applied in the “Shadows in the Cloud” cyber espionage campaign, where the malicious attackers once again relied on legitimate infrastructure for command and control purposes:

The attackers also used Yahoo! Mail accounts as a command and control component in order to send new malicious binaries to compromised computers. In total, we found three Twitter accounts, five Yahoo! Mail accounts, twelve Google Groups, eight Blogspot blogs, nine Baidu blogs, one Google Sites and sixteen blogs on blog.com that were being used as part of the attacker’s infrastructure.

Are social networks a haven for cybercriminals and their botnets? Basically, they are. Social networks offer two of the most important things a cybercriminal is seeking: potential for scalability, where even the shortest time frame for a particular campaign would result in hundreds of thousands of clicks, and the trust factor established by social networks.

Cybercrime-friendly ISPs remain the dominant hosting solution for cybercriminals, but once detected they are fairly easy to blacklist, even though some will remain online. That blacklisting process is undermined by the use of trusted social networks, and the main problem is that cybercriminals are perfectly aware of this fact.

Over the last couple of years, they have started to realize that it's not just the clean network reputation that matters in a social networking environment, but the trusted reputation of the user at any particular social network. For instance, one of the most successful pieces of social networking malware, the Koobface botnet, which gets the majority of its traffic from Facebook, doesn't rely on bogus user accounts to propagate. Instead, it hijacks the trusted reputation of everyone's friends on a large scale.

RSA's assessment concludes that malware using social networks is currently "the exception rather than the rule". What do you think? Is this the case, or are cybercriminals thinking "the best is yet to come" in the long term? What if today's fake account of Ana Maria becomes tomorrow's legitimate account of Ana Maria, issuing commands to crimeware-infected hosts in text that looks perfectly innocent from a linguistic perspective?

Talkback.

Topics: Networking, Malware, Security, Servers, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

13 comments
  • After infecting a user's machine, and installing itself on it

    This is the standard of vague reporting we're getting used to around here.
    trm1945
  • RE: RSA: Banking trojan uses social network as command and control server

    Which "social network" has the ana maria account?
    atwood1
    • RE: RSA: Banking trojan uses social network as command and control server

      The source article says Twitter.
      Andylb
    • RE: RSA: Banking trojan uses social network as command and control server

      @atwood@... Social net used was 'Orkut' the Brazilian version of Facebook.
      pflynn4685
      • Not exactly

        @pflynn4685@... Orkut is not the Brazilian version of Facebook. It was an early Google experiment with social networks (actually, by an employee in his free time) that caught like fire in Brazil and a few other countries like India and (until banned and blocked) Iran, where it is far more popular than Facebook or any other social network. The overwhelming prevalence of messages in Portuguese (and also Hindi, Farsi etc.) scared away people from other countries and Brazilians are by far the largest user base, with over 20 million accounts. However, in principle Orkut remains an international network open to anyone and with its interface available in a lot of languages. There are similarities with Facebook, but also many differences - although there are groups, Orkut works much more on a person-to-person basis, as opposed to Facebook's more "broadcast" postings.
        goyta
  • Could be Orkut

    Orkut is owned by google and is used heavily in Brasil.
    bill9571
    • It is Orkut

      @bill957@... it *is* Orkut, no doubt. I am no longer there, but I recognize the interface. Besides, given Orkut's overwhelming popularity in Brazil over any other social network (over 10 times Facebook's Brazilian user base), if the Trojan targets Brazilian bank accounts, it would be stupid to use any other social network.
      goyta
  • Follow the LCD numbers

    "Are social networks a haven for cybercriminals and their botnets?"

    Where will you ever find a bigger collection of hapless dummies just begging to be pwnd? There's your answer.
    klumper
    • RE: RSA: Banking trojan uses social network as command and control server

      @klumper
      Hapless dummies have every right to use social and e-commerce networks, and of course they aren't begging to be defrauded; their naivety is no blame. The real responsibility is on those owners and operators of social networks to prevent malicious methods of attack, and when they find IT security vulnerabilities that have been exploited, they should prevent them from happening again. This case shows the importance of using a semantic-web lexicon to connect words in textarea objects of a public network to verify that they are not putting unintelligibles for injection. See RDF (Resource Description Framework) or some kind of middleware check on hexadecimals (that pass through htmlspecialchars) and/or the lack of whitespace. Fewer and fewer criminals will use social networks as long as the intelligence of their owners remains better than the criminals themselves. The best code wins, or will win eventually :)
      emmanuelusa
  • RE: RSA: Banking trojan uses social network as command and control server

    Several major banks use a rootkit to install their "security program" in users' systems. It is installed by several banks when they start online banking. There is no easy way to uninstall the software. When a technician uses Autoruns by Microsoft, it is readily apparent the client is using banking software. If you do want to uninstall the software, you will not get any help from the banking community and they will not even admit any knowledge of the software as it comes from a third party. Ask the client... Oh, you are NOT using this software? The client does not have a bank account at Caixa or Banco do Brasil, etc? You just discovered the trojan.
    howard.computerdoctor
  • RE: RSA: Banking trojan uses social network as command and control server

    There was also a great article in FINEXTRA recently about how a security services company, used social networks to penetrate a US bank ( http://www.finextra.com/news/fullstory.aspx?newsitemid=21342 ). However, inbound malware is what we've seen as the biggest risk in our fifth annual survey (high level results here: http://info.facetime.com/Survey10Request.html)
    scarter2
  • RE: RSA: Banking trojan uses social network as command and control server

    emmanuelusa - yes. I'm so tired of ppl blaming the victim when a computer gets infected. It's like blaming the victim woman after a rape. The gub'mnt needs to be more aggressive after these perpetrators. The Alureon virus is especially nasty.
    FeedScrn