While analyzing a sample of W32.Graybird recently, I noticed a request for a picture from a well-known photo hosting site. The picture was of a cute fluffy bird (not gray, though) ;-) holding a bunch of roses (see below). The request seemed unusual and caught my attention.
Why was a back door connecting to a photo hosting site and requesting a picture like this? We often see threats connecting out for what appears to be a picture, but what is downloaded is actually an executable. In this case, it really was a picture that was downloaded. In other cases, the downloaded picture may contain executable code hidden within it, but here there was no executable code found inside either.
Upon closer inspection, a URL was found appended to the end of the image. The Graybird sample was downloading the image, parsing it to find this URL, and then reconnecting to that new URL, essentially using the picture as a redirect service. Not so cute after all. This allows the creators of Graybird to post innocent-looking images on any image hosting site, enabling Graybird to be redirected to the correct control server. After further analysis, it was seen that almost every sample we received points to a different image / page. However, many different images redirect to the same control server. This allows every sample both to be unique and to connect to a previously unknown URL. (Therefore, blocking by URL or getting the picture taken down is futile.)
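A defender-side check for the technique described above, as an added example that is not from the original post: it walks a PNG or JPEG to its end-of-image marker and reports any bytes, and any plaintext URLs, that follow it. The image formats, the assumption that the URL is stored as plaintext, and all names and sample bytes here are assumptions; the post does not state them.

```python
import re
import struct
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end(data):
    """Offset just past the IEND chunk, or None if the chunk list is broken."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length            # length + type + payload + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def jpeg_end(data):
    """Offset just past EOI, walking segments instead of searching for FFD9."""
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:         # entropy-coded scan data
            pos += 1
            continue
        marker = data[pos + 1]
        if marker == 0xD9:            # EOI: the picture ends here
            return pos + 2
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
        elif marker in (0x00, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                  # stuffed byte or marker without a length
        else:                         # segment with a 2-byte length field
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
    return None

def trailing_urls(data):
    """Return (trailer_length, [plaintext urls]) for bytes after the end marker."""
    end = None
    if data.startswith(PNG_SIG):
        end = png_end(data)
    elif data.startswith(b"\xff\xd8"):
        end = jpeg_end(data)
    if end is None:
        return 0, []
    trailer = data[end:]
    return len(trailer), [u.decode("ascii") for u in URL_RE.findall(trailer)]

# Constructed samples: structurally minimal files, not decodable pictures.
PNG_SAMPLE = PNG_SIG + struct.pack(">I4s", 0, b"IEND") + b"\xaeB`\x82"
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x04AB\xff\xda\x00\x02\x12\xff\x00\x34\xff\xd9"
SAMPLE_URL = b"http://control.example.invalid/gate"  # constructed placeholder
```

A non-zero trailer length on an image fetched by an unknown process is worth triage on its own, since some tools also append benign metadata after the end marker and an appended URL need not be stored in plaintext.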
This is not a new idea, but I have not seen it used in this context before. For example, there is a popular proxy service that stores URLs in a similar fashion. It hosts pages that list URLs to proxy servers. These pages also contain specific keywords, which when searched for in your favourite search engine, will return pages containing the proxy URLs. The authors of Graybird seem to be using a similar approach for storing the URLs of their control servers.