While analyzing a sample of W32.Graybirdrecently, I noticed a request for a picture from a well-known photohosting site. The picture was of a cute fluffy bird (not gray, though);-) holding a bunch of roses (see below). The request seemed unusualand caught my attention.
Why was a back door connecting to a photo hosting site andrequesting a picture like this? We often see threats connecting out forwhat appears to be a picture, but what is downloaded is actually anexecutable. In this case, it really was a picture that was downloaded.In other cases, the downloaded picture may contain executable codehidden within it, but here there was no executable code found insideeither.
Upon closer inspection, a URL was found appended to the end of theimage. The Graybird sample was downloading the image and parsing it tofind this URL, then the sample was reconnecting to that new URL –essentially using the picture as a redirect service. Not so cute afterall. This allows the creators of Graybird to post innocent lookingimages on any image hosting site, enabling Graybird to be redirected tothe correct control server. After further analysis, it was seen thatalmost every sample we received points to a different image / page.However, many different images redirect to the same control server.This allows every sample to be both unique and to connect to apreviously unkown URL. (Therefore, blocking by URL or getting thepicture taken down is futile.)
This is not a new idea, but I have not seen it used in this contextbefore. For example, there is a popular proxy service that stores URLsin a similar fashion. It hosts pages that list URLs to proxy servers.These pages also contain specific keywords, which when searched for inyour favourite search engine, will return pages containing the proxyURLs. The authors of Graybird seem to be using a similar approach forstoring the URLs of their control servers.