Cybercriminals Now Using Public Social Networks to Give Command and Control Orders to Banking Trojans

While malware updating via public resources is nothing new in itself, the RSA FraudAction Research Lab recently witnessed this hosting method being used to operate a banking Trojan; specifically a variant of the “Brazilian Banker” family of Trojans. In effect, any website that lets users upload virtually any type of content, and then publishes it in sequential form—without line breaks such as those denoted by the HTML tag <br> for a single-line break—can be exploited to store Trojans’ encrypted configurations. This includes almost any social networking or Web 2.0 platform that enables the almost unrestricted posting of comments, creation of public profiles and the setup of newsgroups.

A Brazilian Banker gets Social
Brazilian Banker is a financial Trojan that targets consumers of Brazilian-based banks and other banks in Latin America. The Lab recently traced a social network profile that contained encrypted instructions for a variant of the Brazilian Banker Trojan (Figure 1). Shortly after our discovery of the Trojan’s configuration point, the offending content was handled and removed thanks to action taken by the social network’s support team. It is important to note that the social network was in no way at fault for being exploited in the manner described above. Any site that enables the posting of user-entered content is vulnerable to this type of exploitation, and is exploited precisely because of the freedom it affords its users.

Figure 1 : Social Profile serving Trojan’s Encrypted Configuration


This is how it worked:

  1. The cybercriminal behind the crimeware set up a bogus profile under the name of “Ana Maria”, and entered the crimeware’s encrypted configuration settings as text uploaded to the profile.
  2. After infecting a user’s machine, and installing itself on it, the malware searched the profile for the string EIOWJE (underlined in the above screenshot). The string signified the starting point of the malware’s configuration instructions.
  3. All the encrypted commands following the EIOWJE string were decrypted by the malware and executed on the infected computer.
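An analyst-side helper for the marker lookup described in the steps above, added here as an example (it is not RSA’s code, nor the Trojan’s): it flattens a captured profile page to text the way the malware would see it, finds the EIOWJE marker from the write-up, and pulls out the contiguous blob that follows so it can be handed to a decryption or takedown workflow. The profile HTML and the base64-shaped payload are constructed, and the assumption that the configuration is one unbroken run of printable text is ours.

```python
"""Pull a marker-delimited configuration blob out of a captured profile page.

Added example, not RSA FraudAction code. The marker EIOWJE is the one named in
the write-up; the page below and its payload are constructed for this demo.
"""
import re
from html import unescape

MARKER = "EIOWJE"  # start-of-configuration marker (from the write-up)

# Constructed stand-in for the "encrypted configuration" (no real meaning).
SAMPLE_CONFIG = "ZXhhbXBsZS1jb25maWctcGxhY2Vob2xkZXI="

# Constructed profile page: marker and blob published back-to-back, no <br>.
SAMPLE_PAGE = (
    "<html><body><div class='bio'>Ana Maria - oi! " + MARKER + SAMPLE_CONFIG
    + "</div><div class='footer'>&copy; 2009</div></body></html>"
)

# Heuristic shape of the blob: base64 alphabet, optional padding, not a short word.
_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_MIN_LEN = 16


def strip_tags(html):
    """Replace markup with spaces and decode entities, so tags cannot hide the
    marker and so a closing tag terminates the blob like a line break would."""
    return unescape(re.sub(r"<[^>]+>", " ", html))


def extract_config(html, marker=MARKER):
    """Return every blob that directly follows the marker in the page text.
    Hits that do not look like an encoded configuration are dropped."""
    text = strip_tags(html)
    hits = re.findall(re.escape(marker) + r"(\S+)", text)
    return [h for h in hits if len(h) >= _MIN_LEN and _BLOB_RE.match(h)]


def scan_pages(pages, marker=MARKER):
    """Triage a {source: page_body} mapping (e.g. proxy captures) and report
    only the sources that carry a marker-delimited blob."""
    found = {}
    for source, body in pages.items():
        blobs = extract_config(body, marker)
        if blobs:
            found[source] = blobs
    return found


if __name__ == "__main__":
    for src, blobs in scan_pages({"profile.html": SAMPLE_PAGE}).items():
        print(src, "->", blobs)
```

Running the block against a real capture means swapping SAMPLE_PAGE for the fetched body; the marker and the blob heuristic are the only two parameters to adjust for a different variant.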

The above method allows the cybercriminal to issue encrypted commands without renting a dedicated, bulletproof server or registering a domain for the malware’s communication points. Another example of a public resource being exploited as a command and control point belonging to a Trojan’s operation reportedly involves Twitter’s RSS feed option. The bot herder’s method of operation in this case is as follows:

  1. A bogus Twitter account is set up by the cybercriminal.
  2. By logging into a designated email account, the Trojan periodically checks for new instructions specified in status updates sent via Twitter’s RSS feed. Each new command appears as a status update, and contains new instructions for the Trojan to execute.

One cybercriminal even took this a step further, and created a Twitter-based botnet builder. Another case in point involves the exploitation of Google Groups: After installing itself on a victim’s computer, the Trojan logs into a Google Gmail account and requests a page from a specific, bogus newsgroup set up in advance by the cybercriminal for her Trojan operations. The Trojan executes the commands specified in the newsgroup’s latest page, and uploads its replies as posts to the same newsgroup.

Why ‘Go Public’?
Internet security companies have previously reported high profile Web 2.0 platforms, such as social networking sites and webmail providers, being exploited by Trojan operators to store their malware’s configuration file. Some advantages that can make this storage technique attractive are:

  • Cybercriminals need not buy and maintain a domain name for their command & control point (aka update point).
  • Cybercriminals need not pay for or maintain a dedicated, bulletproof server for their criminal activity.
  • As soon as one public profile or account is removed by these services, a new profile or account can be easily set up, free of charge.
  • From the cybercriminal’s point of view, the exploitation of a public resource may seem more difficult to detect. Detecting Trojan-related communication resources hosted on public websites becomes virtually impossible by scanning suspicious URLs alone. These kinds of resources require other detection methods to be deployed by security companies.

It is worth noting that despite these advantages, banking Trojan attacks that host communication resources on public resources are still quite rare, and currently remain the exception rather than the rule. Generally, after a threat is detected, and the appropriate support team is informed, the removal of these command and control points is simple and quick.
