Over the past few years we’ve seen “smart malware” develop as technology improves. While basic malware can only perform the same monotonous tasks over and over, more advanced malware has a means to “phone home” for further commands to change its behaviour. Usually this is done by establishing a connection to a private server which gives these commands out. One recent strain of malware, however, used a strange base of operations for its commands — Twitter!
The Command-Hiding Memes
This was the case of a recent Trojan that used a unique way to get instructions from its creator. When it was time to receive commands, it would look at the Twitter account called “bomber,” which was owned by the malware developer. The developer would then tweet out the next command for their malware. In order to hide their tracks, the developer used a means not yet seen for sending out malware commands: internet memes.
What looked like an innocent meme on its face held commands to a Trojan malware on the inside. This was done using a technique called “steganography,” where one piece of media (a picture) can hide another piece of media within it (the message). While everyone else would simply see a meme and move on, the malware would download the image file, open it up, and extract the message hidden within.
What the Commands Did
The memes that were posted on the feed contained the message “/print.” When the malware would read this command, it would take a screenshot of the victim’s screen and send it to the developer. It’s not a particularly complicated or well-orchestrated attack, but if the developer manages to snag a shot just as someone is handling sensitive information, it could result in huge ramifications!
Other commands that the malware could perform include “/clip” to steal whatever is on the user’s clipboard, “/docs” to check the filenames on the user’s computer, and “/processos” to take a peek at the running processes on the victim’s PC. Each of these was fed to the malware via the meme-sharing method above, so while Twitter users were getting a steady stream of image macros, the malware was getting commands from home.
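As an added illustration (not code from the article or from the Trend Micro analysis), the Python below shows the kind of extraction a Trojan like the one described above would need to perform, together with a defender-side check that scans an image for hidden command tokens. It assumes the hidden text sits in the least-significant bit of each 8-bit pixel sample (a textbook steganography scheme; the article does not state which scheme the real malware used), and the cover image and command list are constructed here.

```python
from typing import List

# Command tokens the article says the Trojan understood (detection list built here).
KNOWN_COMMANDS = ("/print", "/clip", "/docs", "/processos")


def embed_lsb(pixels: List[int], message: str) -> List[int]:
    """Hide `message` in the least-significant bit of each 8-bit sample.
    Used only to build a test image; a NUL byte terminates the message."""
    data = message.encode("ascii") + b"\x00"
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for message")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # overwrite only the lowest bit
    return out


def extract_lsb(pixels: List[int], max_bytes: int = 256) -> bytes:
    """Reassemble the LSB plane into bytes, stopping at a NUL or max_bytes."""
    result = bytearray()
    for start in range(0, min(len(pixels), max_bytes * 8), 8):
        chunk = pixels[start:start + 8]
        if len(chunk) < 8:
            break
        byte = 0
        for sample in chunk:
            byte = (byte << 1) | (sample & 1)
        if byte == 0:
            break
        result.append(byte)
    return bytes(result)


def find_hidden_commands(pixels: List[int]) -> List[str]:
    """Defender-side check: does the LSB plane decode to printable ASCII
    containing one of the known command tokens? Returns matches found."""
    payload = extract_lsb(pixels)
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return []
    if not text.isprintable():
        return []
    return [cmd for cmd in KNOWN_COMMANDS if cmd in text]


# Constructed 8-bit grayscale "meme": a 16x16 gradient standing in for a real image.
COVER = [(x * 16 + y) % 256 for x in range(16) for y in range(16)]
```

On the clean gradient the LSB plane decodes to a harmless run of printable bytes and no command is flagged; once “/print” is embedded, `find_hidden_commands` reports it.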
Fortunately, this little trick was discovered after “bomber” had only tweeted out two memes. Twitter was informed of the account, which was promptly shut down. It does, however, show how ingenious hackers have become in order to hide their messages. While only two tweets have gone out, researchers estimate the malware first hit the scene two months ago. It’s still unknown how people got infected with the Trojan in the first place.
What this Means
What we’re seeing here is the result of malware developers covering their tracks as much as possible. Keeping malware hush-hush is the best way to ensure it both travels far and gleans as much valuable information as possible. Nobody would suspect a meme image on Twitter of carrying malicious commands, and that makes it the perfect vehicle for malware developers to control their software in the wild.
Fortunately, the method for preventing an infection in the first place hasn’t changed. By keeping a reputable antivirus updated, not clicking on suspicious files and downloads, and keeping your wits about you, you don’t even need to worry about memes commanding Trojans on Twitter.
With viruses becoming big business, it’s vital for their developers to hide their tracks. This new method of using Twitter as a command base is a novel example of this, with messages being hidden in plain sight!
Image Credit: Trend Micro