Crimeware distributors have begun using Facebook as a command and control channel for a Trojan that turns compromised Windows PCs into zombie drones.
Zombie clients poll the Notes section of the mobile version of Facebook for instructions. Compromised clients might be instructed to download further code from a specified web site or told to wait for commands, for example.
The Trojan spreads via booby-trapped email attachments that take advantage of well-known PDF or Office flaws to infect unpatched systems. These messages pose as email from courier firms and the like.
This has become a very common strategy for targeted attacks, which have replaced mass mailing worms as the main malware danger to business. What distinguishes this Trojan from run of the mill malware is its (experimental) use of Facebook to receive commands instead of traditional botnet control channels such as Internet Relay Chat (IRC). Most of the heavy lifting - such as uploading stolen data - is still done through a web server, however, Symantec researcher Andrea Lelli explains.
"The Trojan is using a Facebook account to receive URLs to contact, and it may post some timedate stamps back to the account, but nothing more than that," Lelli writes. "The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere."
"It [the Trojan] simply uses the standard Facebook functionalities, which in no way are malicious, dangerous or faulty. This particular Trojan is quite limited and seems to be a targeted attack, but it can be considered a precursor of a botnet using a social network as a C&C [command and control] server."
Symantec found the mobile Facebook account associated with the Trojan, established 16 October, showed very little signs of activity. Either hackers have deleted handshakes from compromised boxes that ought to have been exchanged or else the malware is yet to infect anything.
Virus writers have begun experimenting with varied means of controlling botnet clients over recent months. In August, for example, security researchers at Arbor Networks discovered a botnet that used Twitter to relay commands to compromised hosts. ®