
CERT-In Advisory CIAD-2008-28
Trojan 2.0 Crimeware Threats exploiting Web 2.0 Technologies

Original issue date: June 11, 2008


Description

It has been observed that a new breed of Trojans, called Trojan 2.0, is propagating using Web 2.0 technologies. These Trojans use social engineering to trick users of social networking sites into opening malicious messages and downloading malware to their systems.

The social engineering techniques used by the attackers often succeed because users are more likely to allow ActiveX controls or JavaScript from a site they visit frequently or one with a well-known brand name, and to accept invitations or interaction from known users on Web 2.0 sites.

Reports from security agencies indicate a growing trend of malware propagation through postings to social networking sites and blogs. It has also been reported that Web 2.0 sites provide an easily accessible place for crimeware Trojans to store stolen data until it can be collected and deleted.

Trojan 2.0 exploits features of Web 2.0 technologies such as widgets, gadgets, modules and capsules, which are code snippets that run inside HTML without additional compilation. The mobile code used for these widgets (ActiveX, JavaScript, DHTML, Flash, etc.) is allowed by the users to run on the client systems.

These new generation Trojans also attack user accounts and use the compromised profiles to host malicious content such as key loggers. The malware then spreads by sending messages to other users in the network of the infected user's account. The profiles of the users are also being used to launch phishing attacks.

CERT-In has issued virus alerts on Trojans such as the Bancorkut and Scrapkut Orkut worms, which are examples of Trojan 2.0.

It has also been reported that botnets constituted by these Trojans may use Web 2.0 sites and RSS feeds to operate Command & Control (C&C) channels. Because the C&C traffic blends in with ordinary requests to popular sites, the botnet traffic appears legitimate and evades detection by security solutions.

Countermeasures

Administrative and social controls are more effective against the threats posed by Trojan 2.0 than technical controls alone.

Users are advised to implement the following countermeasures:

  • Exercise caution while visiting Social Networking sites.
  • Keep up-to-date patches and fixes on the Operating System and Application Software.
  • Keep up-to-date Antivirus and Antispyware signatures.
  • Do not visit untrusted websites.
  • Enterprises may deploy technical solutions with Real-Time Content Inspection and Deep Packet Inspection features to examine both inbound and outbound network traffic for malicious activity.
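The following Python script is an added example, not part of the CERT-In advisory. It illustrates the outbound-traffic inspection described in the last countermeasure: it scans proxy log lines for a client fetching the same feed or profile URL at a near-constant interval, which is the footprint an RSS- or Web 2.0-based C&C channel of the kind described above would leave. The log format, the addresses and the URLs are all constructed for the example; legitimate feed readers also poll on a timer, so a hit is a lead for an analyst, not a verdict.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic): epoch time, client IP, URL.
SAMPLE_LOG = """\
1213180800 10.0.0.5 http://blog.example.net/feed.rss
1213180802 10.0.0.7 http://social.example.com/profile/alice
1213181100 10.0.0.5 http://blog.example.net/feed.rss
1213181400 10.0.0.5 http://blog.example.net/feed.rss
1213181700 10.0.0.5 http://blog.example.net/feed.rss
1213182000 10.0.0.5 http://blog.example.net/feed.rss
1213181000 10.0.0.7 http://social.example.com/profile/bob
1213184500 10.0.0.7 http://blog.example.net/feed.rss
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, url) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(client, url): mean_interval_seconds} for client/URL pairs
    requested at least min_hits times with near-constant spacing.
    Jitter is the coefficient of variation of the gaps between requests;
    a fixed-interval poll of one URL is the beaconing pattern to triage."""
    hits = defaultdict(list)
    for ts, client, url in parse_log(text):
        hits[(client, url)].append(ts)
    beacons = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, url), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {url} every ~{interval:.0f}s")
```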

References

http://www.fortiguardcenter.com/advisory/FGA-2007-16.html
http://www.avertlabs.com/research/blog/index.php/2008/01/page/2/
http://www.avertlabs.com/research/blog/index.php/2008/01/07/zango-has-a-secret-crush-on-you/
http://www.spamfighter.com/News-9650-Hackers-Phish-on-Facebook-Profiles.htm
http://www.finjan.com/Pressrelease.aspx?id=1792&PressLan=1230&lan=3
https://forums.symantec.com/syment/blog/article?message.uid=305263
http://www.computerweekly.com/Articles/2007/12/11/228559/web-2.0-creates-trojan-2.0-threat.htm
http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=178157&d=1025&h=1073&f=1026&dateformat=%25o%20%25B%20%25Y
http://goliath.ecnext.com/coms2/gi_0198-449198/Trojan-2-0-Crafted-Using.html
http://www.cert-in.org.in/virus/Bancorkut_Worm.htm
http://www.cert-in.org.in/virus/ScrapkutOrkut_worm.htm
http://www.cert-in.org.in/virus/Trojan_Mespam.htm

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information
Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003