In association with heise online

22 January 2013, 11:59

Trojans conceal themselves using instant messaging protocols


Trend Micro has discovered new trojans which camouflage their communication by imitating common instant messaging protocols such as Windows Live Messenger or Yahoo Messenger. The security company has dubbed the trojans "Fakem RATs" (a RAT being a remote access trojan). They allow attackers to remotely sort through folders on a victim's computer, take screenshots, control webcams and microphones and access data.

The company has reported that, since 2009, some malware has been concealing its data traffic by mimicking known instant messaging protocols or, to avoid detection, trying to camouflage its data traffic as HTTP or HTTPS. To achieve this, these trojans copy at least the header of the instant messaging protocol, leaving the remainder of the packets to carry the trojan's encrypted communications.

Traffic analysis of a trojan trying to camouflage its communications as Windows Live Messenger traffic
Source: Trend Micro
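
An added example, not from the article or from Trend Micro: a defender-side check for the camouflage described above, where a payload opens with a valid-looking instant messaging header but the remainder does not follow that protocol's framing. The MSNP and YMSG layouts, the text-ratio threshold and all sample bytes are assumptions constructed for illustration.

```python
import re
import struct

# Assumptions (not from the article): MSNP is CRLF-delimited ASCII whose lines begin
# with a three-letter command; YMSG has a 20-byte header (magic, version, vendor,
# body length, service, status, session id) and a body of key/value fields that
# are each terminated by the bytes 0xC0 0x80.
MSNP_FIRST_LINE = re.compile(rb"(?:VER|CVR|USR|XFR|MSG|PNG|QNG|CHL|QRY|OUT)(?: [\x20-\x7e]*)?\r\n")
YMSG_HEADER = struct.Struct(">4sHHHHII")
YMSG_SEP = b"\xc0\x80"

def msnp_body_ok(body: bytes, min_text_ratio: float = 0.9) -> bool:
    """MSNP traffic stays overwhelmingly textual after the first command line."""
    texty = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    return texty >= min_text_ratio * len(body)

def ymsg_body_ok(declared_len: int, body: bytes) -> bool:
    """Length field must match and the body must split into numeric-key pairs."""
    if not body:
        return declared_len == 0
    if declared_len != len(body) or not body.endswith(YMSG_SEP):
        return False
    fields = body[:-len(YMSG_SEP)].split(YMSG_SEP)
    return len(fields) % 2 == 0 and all(k.isdigit() for k in fields[0::2])

def classify(payload: bytes) -> str:
    """Return 'not-im', 'plausible-im' or 'header-only-mimic' for one reassembled message."""
    m = MSNP_FIRST_LINE.match(payload)
    if m:
        return "plausible-im" if msnp_body_ok(payload[m.end():]) else "header-only-mimic"
    if payload[:4] == b"YMSG" and len(payload) >= YMSG_HEADER.size:
        length = YMSG_HEADER.unpack_from(payload)[3]
        body = payload[YMSG_HEADER.size:]
        return "plausible-im" if ymsg_body_ok(length, body) else "header-only-mimic"
    return "not-im"

# Constructed samples; the 64 high bytes stand in for encrypted trojan traffic.
OPAQUE = bytes(range(128, 192))
YMSG_BODY = b"1" + YMSG_SEP + b"alice" + YMSG_SEP
SAMPLES = {
    "msnp_text": b"VER 1 MSNP15 CVR0\r\nUSR 2 SSO I alice@example.com\r\n",
    "msnp_mimic": b"VER 1 MSNP15 CVR0\r\n" + OPAQUE,
    "ymsg_text": YMSG_HEADER.pack(b"YMSG", 16, 0, len(YMSG_BODY), 1, 0, 0) + YMSG_BODY,
    "ymsg_mimic": YMSG_HEADER.pack(b"YMSG", 16, 0, len(OPAQUE), 1, 0, 0) + OPAQUE,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:11s} {classify(data)}")
```

The check expects one reassembled message per call; a sensor would apply it to flows already labelled as instant messaging and treat a "header-only-mimic" result as a lead for further inspection.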

The trojans are not spread over the chat systems; instead, they are distributed by email using typical social engineering techniques. The malware infects systems using specially crafted Word and Excel files which exploit vulnerabilities in Microsoft Office (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158). The vulnerabilities in question have since been patched. The company discovered the malware's capabilities by allowing attackers to use it to infect a honeypot system and examining the results.

