A few days ago we wrote about how Downloader.Sninfs is using Twitter as part of its command and control infrastructure. How the threat uses this is quite interesting. Here’s an example of a Twitter account used by this threat:
This is a pretty standard Twitter page, but the message is unusual. It turns out that this message is a base64-encoded string that contains two URLs. These URLs are:
These URLs are using the bit.ly URL-shortening service. These URLs redirect to:
Debian.net and Rifers.org are both legitimate sites and it was a little surprising to see them both in this context. A closer look shows that both of these URLs seem to be using the pastebin feature of the Debian and Rifers sites. Pastebins give Web users the ability to upload arbitrary text in order to share information. Pastebins exist on many sites across the Internet and any one of these sites could have been selected by the attackers in order to host their malicious payloads. It’s likely the Debian and Rifers sites were selected because of the trust associated with their brand. There is little these sites can do to mitigate this type of misuse of a legitimate service provided by their sites.
Pastebin items are typically short-lived and deleted automatically after a period of time. The data at both of these URLs seems to have expired and is not available at the above URLs; however, one of the pages was still accessible in Google’s cache:
This pastebin item contained a large base64-encoded string. Decoded, it turns out to be a zip archive containing two files: gbpm.dll and gbpm.exe. Both files are detected as Downloader.Sninfs. This attack highlights the fact that, in the wrong hands, any useful technology can be put to malicious purposes. In this case micro-blogging and pastebin services have been used by attackers to host their malware.
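The chain described above (a base64 message on a micro-blogging account that decodes to URLs, which lead to a pastebin item whose base64 body decodes to a zip archive) can be checked for without ever executing anything. The following is an added example written for this post, not code from the original article or from Symantec: it decodes a message with lenient base64 handling, extracts any URLs it contains, and inspects a paste body to see whether it is a base64-encoded zip archive, listing member names and sizes without extracting them. The tweet text, the `example.invalid` URLs and the zip contents are all constructed sample data; only the file names gbpm.dll and gbpm.exe come from the post.

```python
import base64
import binascii
import io
import re
import zipfile

# Constructed sample "tweet": base64 of two placeholder URLs (not the real ones from the post).
SAMPLE_TWEET = base64.b64encode(
    b"http://example.invalid/paste/1\nhttp://example.invalid/paste/2"
).decode()

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a zip archive


def decode_base64_loose(text):
    """Base64-decode `text`, ignoring whitespace and missing padding.

    Returns the decoded bytes, or None if the text is not base64 at all
    (ordinary prose with punctuation fails the alphabet check and is skipped).
    """
    stripped = re.sub(r"\s+", "", text)
    if not stripped or not re.fullmatch(r"[A-Za-z0-9+/=]+", stripped):
        return None
    stripped += "=" * (-len(stripped) % 4)  # restore padding the poster may have dropped
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_urls_from_message(message):
    """Return the URLs hidden in a base64-encoded message, or [] if there are none."""
    decoded = decode_base64_loose(message)
    if decoded is None:
        return []
    return URL_RE.findall(decoded.decode("utf-8", errors="replace"))


def classify_paste(paste_text):
    """Describe a paste body: is it base64, does it decode to a zip, what does the zip hold?

    Members are only listed from the central directory; nothing is extracted,
    so a hostile archive is never written to disk.
    """
    payload = decode_base64_loose(paste_text)
    if payload is None:
        return {"base64": False, "zip": False, "members": []}
    if not payload.startswith(ZIP_MAGIC):
        return {"base64": True, "zip": False, "members": []}
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        members = [(info.filename, info.file_size) for info in zf.infolist()]
    return {"base64": True, "zip": True, "members": members}


def build_sample_paste():
    """Constructed paste body: a base64 zip with two dummy files named as in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("gbpm.dll", b"\x00" * 64)  # dummy content, not the real file
        zf.writestr("gbpm.exe", b"\x00" * 64)  # dummy content, not the real file
    return base64.b64encode(buf.getvalue()).decode()


if __name__ == "__main__":
    print("URLs in message:", extract_urls_from_message(SAMPLE_TWEET))
    print("Paste verdict:", classify_paste(build_sample_paste()))
```

In practice the URL step would also need to follow the bit.ly redirect (for example with an HTTP HEAD request) before fetching the paste; that is left out here so the example runs offline. The zip check relies on the `PK\x03\x04` signature, so a payload wrapped in another container or split across several pastes would need additional handling.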
Symantec customers can ensure that they are fully protected by keeping their product definitions up to date.