Security researchers have spotted Trojans that use RSS feeds to communicate instead of the traditional method of "phoning home" to dedicated command-and-control servers, whose domains and IP addresses defenders have learned to track down and blocklist.
Yuval Ben-Itzhak, chief technology officer for Finjan, told eWEEK that the security firm recently detected three separate Trojans using blogs of limited popularity to receive orders from botnet herders or to feed stolen information back to identity thieves.
The lure of using legitimate sites such as blogs or social networking sites is that attackers can hide behind the legitimacy of Web 2.0 brands such as Google or Yahoo, Ben-Itzhak said.
“[An attacker] can use legitimate sites, sites no one will block, as a shield, so no one will identify where his [command-and-control] servers are and where he’s located, and [the attacker] can use [Web 2.0 sites] as an intermediator between Trojans and the IP address where he’s collecting data,” he said.
This new type of Trojan—Trojan 2.0, as Finjan is calling it—is in an embryonic stage now, as Finjan has only spotted it in use at blogs of limited visibility. (Ben-Itzhak declined to name the blogs where the new Trojans are operating, lest Finjan give the false impression that blogs or social networking sites are somehow to blame.)
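The channel Finjan describes is a Trojan that polls an ordinary feed and treats one of the posts as tasking. The following is an added illustration, not Finjan's code or a sample from the Trojans in the article: it parses a constructed RSS 2.0 feed in which one entry carries a base64-encoded operator instruction among benign posts, and shows the kind of content check a proxy or feed-inspection job could run to surface such entries. The feed text, the `example.test` URL and the command vocabulary are all hypothetical.

```python
import base64
import binascii
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real blog). The middle item hides a
# base64 blob that decodes to an operator instruction; the others are noise.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
<channel>
<title>Example blog</title>
<item><title>Weekend hike</title><description>Great views from the ridge, photos soon.</description></item>
<item><title>Status</title><description>ZG93bmxvYWQgaHR0cDovL2V4YW1wbGUudGVzdC91cGRhdGUuYmluOyBydW4=</description></item>
<item><title>Recipe</title><description>Two eggs, one cup of flour, a pinch of salt.</description></item>
</channel>
</rss>"""

# Runs of 24+ base64 alphabet characters with optional padding. Ordinary
# prose almost never produces such a run, so it is a cheap first filter.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Hypothetical tasking verbs a feed-borne bot might accept; tune to taste.
TASKING_VERBS = ("download", "run", "upload", "sleep", "update")


def shannon_entropy(text: str) -> float:
    """Bits per character; base64 blobs sit well above English prose."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_candidate(token: str):
    """Return the decoded text if the token is valid base64 of printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def suspicious_entries(feed_xml: str) -> list:
    """Flag feed items whose description decodes to a plausible command."""
    root = ET.fromstring(feed_xml)
    findings = []
    for item in root.iter("item"):
        title = item.findtext("title", "")
        body = item.findtext("description", "")
        for token in B64_TOKEN.findall(body):
            decoded = decode_candidate(token)
            if decoded is None:
                continue
            has_verb = any(w in decoded.lower() for w in TASKING_VERBS)
            findings.append({
                "title": title,
                "entropy": round(shannon_entropy(token), 2),
                "decoded": decoded,
                "looks_like_tasking": has_verb,
            })
    return findings


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_FEED):
        print(hit)
```

A real deployment would pair this with the signal the article implies is hard to get from the network alone: which process fetched the feed and how regularly. A browser reading a blog is unremarkable; an unsigned binary polling the same feed every few minutes from a server that has no business reading blogs is the behaviour worth alerting on, whatever the feed contains.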