Facebook Trojans are now at a dangerous age

3. November 2009 14:52

Our colleagues over at Symantec have uncovered an interesting - and potentially devastating - new Trojan that uses Facebook to communicate with a command and control (C&C) server.

C&C servers are servers run by attackers that allow a botnet's originator (the herder) to control the group of infected machines remotely.

This is usually carried out over Internet Relay Chat (IRC) channels that link the infected PCs to the C&C server.

The Trojan malware - which is being called Whitewell - is slightly unusual in that it is propagated as a document, either an Adobe PDF or an MS Office file.

Whilst hackers have hidden malware infections in these types of files for some time, this is the first time that this infection vehicle has been used to infect Facebook users.

The malware works by contacting the mobile version of Facebook and reading its Notes section, then performing one of four distinct tasks depending on the titles of the notes it finds.

If the title is Wells, for example, the note contains the time/date stamp of when a machine was infected. If it is WebServer, the note contains a URL that the Trojan contacts to receive commands.

What is really interesting about the Trojan is that it has been structured to use a Facebook account as a C&C server: it parses the HTML returned by Facebook and acts on what it finds there.
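As an added illustration of how a defender might spot the behaviour described above (example code, not Finjan's or Symantec's), the following Python flags hosts whose fetches of the mobile Facebook Notes section arrive on a timer with no Referer, which is how a scripted C&C client rather than a person browsing would behave. The proxy log format, the m.facebook.com host and /notes path, and the thresholds are assumptions, and the log lines are constructed.

```python
# Added example (not Finjan's or Symantec's code): flag hosts that poll the
# mobile Facebook Notes section on a timer, as a C&C client would.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log: "<timestamp> <client> <method> <url> <referer>".
# Host m.facebook.com and the /notes path are assumptions about the channel.
SAMPLE_LOG = """\
2009-11-03T09:00:00 10.0.0.5 GET http://m.facebook.com/notes.php?id=PLACEHOLDER -
2009-11-03T09:05:01 10.0.0.5 GET http://m.facebook.com/notes.php?id=PLACEHOLDER -
2009-11-03T09:10:00 10.0.0.5 GET http://m.facebook.com/notes.php?id=PLACEHOLDER -
2009-11-03T09:15:02 10.0.0.5 GET http://m.facebook.com/notes.php?id=PLACEHOLDER -
2009-11-03T09:20:00 10.0.0.5 GET http://m.facebook.com/notes.php?id=PLACEHOLDER -
2009-11-03T09:01:40 10.0.0.9 GET http://m.facebook.com/notes.php?id=PLACEHOLDER http://m.facebook.com/home.php
2009-11-03T09:47:05 10.0.0.9 GET http://m.facebook.com/notes.php?id=PLACEHOLDER http://m.facebook.com/home.php
2009-11-03T11:12:33 10.0.0.9 GET http://m.facebook.com/notes.php?id=PLACEHOLDER http://m.facebook.com/home.php
"""

def parse_log(text):
    """Yield (timestamp, client, url, referer) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[3], parts[4]

def is_notes_request(url):
    """Does this request hit the Notes section of the mobile site?"""
    u = urlparse(url)
    return u.netloc == "m.facebook.com" and u.path.startswith("/notes")

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return {client: mean_gap_seconds} for clients whose Notes fetches carry no
    Referer (nothing was clicked to reach them) and recur at near-constant intervals."""
    hits = defaultdict(list)
    for ts, client, url, referer in parse_log(text):
        if is_notes_request(url) and referer == "-":
            hits[client].append(ts)
    flagged = {}
    for client, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # coefficient of variation
            flagged[client] = avg
    return flagged
```

Running `find_beacons(SAMPLE_LOG)` flags only 10.0.0.5, which fetches the Notes page roughly every five minutes with no Referer; 10.0.0.9 reaches the same page by clicking from its home page at irregular times and is ignored.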

Our research team here at Finjan has been monitoring Facebook applications for some time and concluded a while ago that, because of the innate flexibility of Facebook's apps - which allow extensible code to run on the Facebook server and extend all the way to the user's Web browser - almost any hacking exploit is possible.

The important thing to realise here is that the Whitewell Trojan does not exploit any security weaknesses in Facebook and merely uses standard app coding facilities.

Whilst the good news is that our colleagues at Symantec have concluded that the Whitewell Trojan is part of a limited and highly targeted attack, Finjan believes that the methodology could be used for nefarious purposes if adapted by third-party hackers.

We said back in our Q3 2007 Web Security Trends Report that the widgets and gadgets - which is what Facebook's apps really are - pose a serious threat to users' system integrity.

The big question, of course, is what companies can do to mitigate the modus operandi displayed by the Whitewell Trojan, and the answer seems to be to erect a series of IT security defences around those computers that are used for Facebook access.

It may even be appropriate to isolate those PCs in a business that are used for Facebook access - or even to use remote access applications such as GoToMyPC or LogMeIn to 'gateway' through to a secured PC environment from users' desktops.

One thing is for sure: Facebook apps now pose a clear and present danger to the security of any Windows PC used to access the social networking portal.
