Adobe Malware Visits Craigslist

Tuesday, August 27, 2013 @ 06:08 PM gHale

Malware running on compromised machines is posting poorly worded Craigslist ads for an Android application marketed to parents as a way to monitor their teens' activities, researchers said.

The app is pitched as able to track the device's location as well as its SMS and call logs.


So far three command and control servers tie into the attack. Two use private registration; the third is registered to a U.S.-based individual with the same name, city and state as the person listed on the manifest for the StealthNanny app in question, said Andrew Brandt, director of threat research at Solera Networks.

While the attack isn't especially malicious and is likely to end up flagged as a potentially unwanted application by most antivirus products, it goes to great lengths to bypass Craigslist's spam prevention mechanisms. Before an ad goes live on Craigslist, the submitter must click a link in a separate validation email sent by Craigslist. The bot retrieves that email from myemail3[.]info, the domain that hosts the three C&C servers; Brandt said the full text of the message is delivered to the bot, headers included.

“The bot goes through the log, parses out the validation links from Craigslist and clicks them,” Brandt said. “That makes it live and bypasses their spam filtering.”
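The step Brandt describes, parsing the validation link out of the relayed Craigslist email, is easy to reproduce, and doing so shows what a defender should look for: a host that fetches a copy of a Craigslist confirmation message from a third-party domain and then requests the link inside it. The following is an added example, not code from the article or from the malware; the sample message, the sender address and the link format are constructed for illustration (the real confirmation URL layout is not given in the article). The parser accepts only hosts under craigslist.org, so a lookalike such as craigslist.org.example.net is rejected.

```python
import re
from email import message_from_string
from email.message import EmailMessage, Message
from urllib.parse import urlparse

# Crude URL matcher; stops at whitespace and HTML delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed link; the real Craigslist confirmation URL format is not given in the article.
SAMPLE_LINK = "https://post.craigslist.org/u/abc123/confirm"


def _text_parts(msg: Message):
    """Yield the decoded text of every text/plain and text/html part."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)  # undoes quoted-printable / base64
            if payload:
                yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def _host_allowed(host: str, suffix: str) -> bool:
    """Exact-domain or subdomain match only, so 'craigslist.org.example.net' fails."""
    host = host.lower()
    return host == suffix or host.endswith("." + suffix)


def extract_validation_links(raw_email: str, allowed_suffix: str = "craigslist.org") -> list:
    """Return unique links in the message whose host is under allowed_suffix.

    This mirrors the bot's parsing step: it only cares about links that point
    back at Craigslist, because those are the ones that activate the ad.
    """
    msg = message_from_string(raw_email)
    links = []
    for text in _text_parts(msg):
        for url in URL_RE.findall(text):
            url = url.rstrip(".,);")  # trailing punctuation from prose
            host = urlparse(url).hostname or ""
            if _host_allowed(host, allowed_suffix) and url not in links:
                links.append(url)
    return links


def build_sample_email() -> str:
    """Constructed multipart message standing in for the relayed validation email."""
    msg = EmailMessage()
    msg["From"] = "robot@craigslist.org"   # constructed
    msg["To"] = "victim@example.com"       # constructed
    msg["Subject"] = "Please confirm your posting"
    msg.set_content(
        "Thanks for posting. Confirm your ad by clicking: " + SAMPLE_LINK + "\n"
        "Questions? See http://www.example.com/help\n"
    )
    msg.add_alternative(
        "<html><body><p>Confirm your ad: <a href=\"" + SAMPLE_LINK + "\">here</a></p>"
        "<p>Lookalike that must be ignored: "
        "<a href=\"https://craigslist.org.example.net/u/abc123/confirm\">x</a></p>"
        "</body></html>",
        subtype="html",
    )
    return msg.as_string()


if __name__ == "__main__":
    for link in extract_validation_links(build_sample_email()):
        print(link)
```

Run stand-alone, the script prints the single Craigslist link; the plain-text and HTML copies are deduplicated, the help link and the lookalike host are dropped. For a defender the useful signal is not the parsing but the sequence: an HTTP fetch of this message body from a domain that is not Craigslist, followed shortly by the infected host requesting the extracted link.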

Compromised machines, meanwhile, make only one post per day, or in some cases only one post per infected machine. Brandt said the attacks have been going on for a few weeks and the posts end up flagged as spam fairly quickly. Posts go out to random categories on Craigslist, some that make sense and others that don't.

Brandt said he does not know how the initial infection happens; he first saw the attack on the Emerging Threats list, where researchers shared a Snort signature for it and a link to download the malware. Brandt ran the sample on a number of virtual machines, and each time it connected to a command and control server, which returned data including an email address and password and the body of the Craigslist post. The malware also opens an SSL connection to Craigslist and uses the site's own systems to pick the most appropriate local Craigslist on which to post, Brandt said.

Although the initial infection vector remains unknown, Brandt said, one lure has been seen: a promoted link encouraging the victim to visit a site to look at images. The images on the attack site are broken, and the user sees a pop-up about a missing plug-in called Adobe Photo Loader, which does not exist. When the user clicks the installation link, the malicious executable is pushed to their machine.
