Whitewell Exploits Facebook to Contact C&C Server
IT security firm Symantec has detected a Trojan that uses social networking site Facebook for communicating with a command and control (C&C) server.
The Trojan, called Whitewell, is spreading via e-mails carrying infected documents (MS-Office format or PDF) that contain exploits for known vulnerabilities. These e-mails purport to come from courier companies or other similar firms.
It is noteworthy that Whitewell works by contacting Facebook's mobile version and using its Notes section.
In the analyst blog, Andrea Lelli, Security Analyst at Symantec Security Response Operation, stated that the recently spotted Trojan is using a Facebook account to receive URLs to communicate with and may post some time/date stamps back to the account, reported Info Security on November 3, 2009. The actual command and data processing is done via a remote URL that was received from the notes, and that URL may point to any site, added the analyst.
Apart from this, researchers at Symantec have found that the Trojan seems to perform four different activities, based on the titles of the notes discovered.
This has evolved into a prevalent strategy for targeted attacks, which have replaced mass-mailing worms as the major malware threat to businesses worldwide. The unique attribute of Whitewell is its trial use of Facebook to receive instructions instead of conventional botnet control channels, like Internet Relay Chat (IRC). However, the bulk of its core functions, such as uploading stolen information, is still conducted by means of a Web server, noted Symantec.
As such, there are no vulnerabilities or exploits of any sort in Facebook, experts said. In fact, this Trojan just logs on to a Facebook account so as to use it as a central node for receiving further commands.
Nevertheless, with security experts quick to detect and shut down such malicious activities, malware authors are always seeking innovative ways to control their networks of infected PCs.
» SPAMfighter News - 17-11-2009