In the last year or so, we have witnessed many botnet command and control centers being taken down in organized actions instigated or aided by companies such as Microsoft, Panda Security and organizations such as the FTC. “Bulletproof” hosting has proved not to be that reliable, so botnet herders decided to set up their C&C centers on social networks.
Twitter accounts have been used as such for a while now, but RSA researchers recently spotted another social network (they are not saying which) being used for the same purpose.
According to ThreatPost, the bot herder sets up fake profiles, then posts encrypted commands on them:
Every time a new computer gets infected with the banker Trojan in question, the malware is programmed to visit the profile and get new commands. The text contains authentication code so that the Trojan can be sure it’s in the right place, and hard-coded instructions telling it what to do next.
According to Uri Rivner, Head of New Technologies, Consumer Identity Protection, at RSA, this instance is part of a growing trend and a direct consequence of the recent takedowns of “bulletproof” ISPs.
“These groups have had four main options for hosting if they want to put it in a resilient infrastructure,” he says. “You can build your own, and there are some that are very sophisticated with great disaster recovery, but that’s expensive. You can go with bulletproof hosting, but that’s getting harder. You can use cloud services, which we’ve seen some of lately. Or you can now use social networks. That’s getting more popular because resilience is the key for some of these Trojans that can run for months or years. It’s so important to them to find a good hosting environment.”
What really makes the use of social networks to host these centers handy is the fact that profiles can be easily made and disposed of as soon as they are flagged and blocked by the networks. Hundreds of profiles can be coded into a Trojan, and as one profile is removed, the Trojan simply visits the next one on the list and gets its commands there.
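From the defender's side, the failover behaviour just described leaves a recognisable trace in web-proxy logs: one client is refused on several profiles of the same social network in quick succession and then succeeds on the next one. The following Python check over constructed log lines is an added illustration, not code from the article or from RSA; the log format, the host name social.example and the /profile/ URL shape are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (assumed format: timestamp client url status).
# "social.example" stands in for the unnamed social network in the article.
SAMPLE_LOG = """\
2010-08-17T10:00:01 10.1.1.5 http://social.example/profile/acct0017 404
2010-08-17T10:00:02 10.1.1.5 http://social.example/profile/acct0018 404
2010-08-17T10:00:03 10.1.1.5 http://social.example/profile/acct0019 200
2010-08-17T10:00:05 10.1.1.9 http://social.example/profile/alice 200
2010-08-17T10:00:40 10.1.1.9 http://social.example/profile/bob 404
2010-08-17T11:00:01 10.1.1.5 http://social.example/profile/acct0019 200
"""

PROFILE_RE = re.compile(r"https?://([^/]+)/profile/([^/?#]+)")
GONE = {"403", "404", "410"}  # statuses a removed or blocked profile would return


def parse(log_text):
    """Yield (time, client, host, profile, status) for profile fetches only."""
    for line in log_text.splitlines():
        ts, client, url, status = line.split()
        m = PROFILE_RE.match(url)
        if m:
            yield datetime.fromisoformat(ts), client, m.group(1), m.group(2), status


def find_failover_walks(log_text, min_failures=2, window_s=60):
    """Flag clients that, within window_s seconds, are refused on at least
    min_failures distinct profiles of one host and then succeed on another:
    the 'move on to the next profile on the list' pattern from the article."""
    hits = []
    runs = defaultdict(list)  # (client, host) -> recent failed profile fetches
    for ts, client, host, profile, status in parse(log_text):
        key = (client, host)
        # keep only failures that are still inside the time window
        run = [(t, p) for t, p in runs[key] if (ts - t).total_seconds() <= window_s]
        if status in GONE:
            if profile not in [p for _, p in run]:
                run.append((ts, profile))
            runs[key] = run
        else:
            if len(run) >= min_failures:
                hits.append((client, host, [p for _, p in run] + [profile]))
            runs[key] = []  # a successful fetch ends the walk
    return hits
```

A single refused profile is ordinary user behaviour; the signal is the walk through several refused profiles ending in a success, which can then be joined with the client's later periodic re-polling of the same profile.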
Luckily for the criminals, social network operators still can’t manage to identify these profiles quickly enough to make a dent in the botnet activity, but these sites will soon be under pressure from the community and governments to come up with a solution to this problem, and botnet herders will have to find yet another way to keep themselves in business.