Trojan.Whitewell: What’s your (bot) Facebook Status Today?
Sure we have heard a lot about bots and botnets. One key component of a botnet is the command-and-control (C&C) server, which as we know can come in several flavours (IRC, Web pages, newsgroups, custom servers, etc.). Yet, here comes Trojan.Whitewell, which, being tired of old C&C channels, decides to pick up Facebook as a coordinator for the C&C server. I use the word “coordinator” because the Trojan only receives some configuration data from its Facebook account—the actual command execution and data reporting is done through a third party Web server.
The Trojan was sent through a popular malware distribution channel that is also related to other prevalent threats such as Trojan.Bredolab. The distribution technique is pretty simple: they send documents (PDF, or MS Office formats) containing exploits for known vulnerabilities. These documents usually mimic legitimate names, such as well known courier companies; or they plagiarize topics regarding the latest news; or sometimes the documents simply resemble some business or corporate title such as “business assessment,” etc. Besides documents they can also spread the executables themselves, sending them with icons that resemble those that accompany legitimate documents, and with legit-looking filenames such as “Competitive assessment.pdf .exe”.
The Trojan will contact the mobile version of Facebook (m.facebook.com), probably because it is a more lightweight version of the website and therefore easier to parse the HTML content. First, the Trojan tries to determine whether or not a connection is present, and then proceeds to log in to the main Facebook login page. I logged in to the Facebook account used by the Trojan, but there was not much to see. Only one note was present:
Image 1: This is the only note present in the Facebook account contacted by the Trojan
I also logged into the email account associated with the Facebook account; again, there wasn’t much there:
Image 2: The email account used to create the Facebook account
We can see that both the email and the Facebook account were created on the 16th of October. The first note, with the “Wells” title, was also added on the 16th. After this I went back to analyze the Trojan’s code to see what it does with the data found on the notes page. The Trojan will actually perform four different actions, depending on the notes’ titles that are found:
Note Title Action
Wells Send a timedate tag to the Notes and wait
WebServer Note contains a URL to be contacted and from which the Trojan must receive commands
White Note contains a URL which is an executable to be downloaded and executed
(Any other) Wait
At the time of writing, the account only contains the “Wells” note, so I was expecting to find timedate tags sent after the infection of any PC, but instead there were none. This may mean that either none were infected, or perhaps all of the data might have already been removed.
Continuing on, however, the “WebServer” mode is interesting. It requires a Base64-encoded string to be present in the note body, and when this string it decoded it resolves to a URL that is contacted by the malware. This URL routes to a simple Web page that that may contain an html comment tag indicating a command to be executed by the Trojan. For the sake of testing I wrote myself a “WebServer” note with an encoded url already contained in the Trojan data. When run, the Trojan contacted this page as predicted, and got the following data:
Image 3: The Web page data read by the Trojan
The first tag is a comment tag (begins with “!--”), and actually says “NO”. Earlier it contained instead the following string:
<!-- 68656C6C6F --> <HTML> …
This is the hexadecimal representation of the string “hello”. This string is one of the strings that the Trojan expects to find in a comment like this. The other strings are:
Pslist (retrieves the list of running processes)
Pskill (kills a process)
Localpath (retrieves the path from which the threat is running)
http:// (downloads and a file)
exit (causes the Trojan to quit)
They look a lot like typical bot commands, don’t they? And, in fact, each one of these commands causes the Trojan to execute a proper action and report back to the contacted URL. In particular I tested the “pslist” command: the Trojan lists all the processes on the machine:
Image 4: The Trojan is listing running processes in the machine
After that, the command is successful and the Trojan will encode the data in Base64 and send it to the contacted URL:
Image 5: The encoded process list is being sent to the remote server
So, the Trojan is using a Facebook account to receive URLs to contact, and it may post some timedate stamps back to the account, but nothing more than that. The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere. However, this sample shows that one could use a Facebook account as a C&C server and this Trojan is able to successfully parse the Facebook html data, retrieve the wanted data from it, and also post new data to it (it may for example send stolen data to it in the form of a note in the same was as it sends a timedate stamp).
I want to stress the fact that the Trojan does not use exploits or flaws of any kind, it simply uses the standard Facebook functionalities, which in no way are malicious, dangerous, or faulty. This particular Trojan is quite limited and seems to be a targeted attack, but it can be considered a precursor of a botnet using a social network as a C&C server.