Thursday, March 28, 2013

Malware Uses Evernote as Command & Control Server

Evernote TrojanTrendMicro researchers have recently stumbled upon a piece of malware that uses the popular note-taking service, Evernote as its command and control server.

The malware, which TrendMicro detects as BKDR_VERNOT.A is classified as a backdoor, and grants an attacker remote access to an infected system to do as they please.

“The sample we gathered consists of an executable file, which drops a .DLL file and injects it into a legitimate process,” Threat Response Engineer, Nikko Tamana  explained on the TrendMicro blog, “The said .DLL file performs the actual backdoor routines.”

Aside from downloading and executing additional files, those backdoor routines include collecting information about the infected system, such as the OS, timezone, user name, computer name, registered owner and organization.

TrendMicro researchers found that commands were retrieved from the notes saved in an Evernote account, which is also suspected to be the location where the stolen data is unloaded.

This is not the first time that malware authors have abused a legitimate service to relay information and evade detection. Twitter and Google Docs are two other services that have been used by malware in the past.

Keeping Your System Safe

BKDR_VERNOT.A is spread via drive-by-download and other malware, so users can minimize their chances of infection by:

  • Keeping their operating system and installed third-party software fully patched and up-to-date.

  • Running antivirus software with the latest virus definitions.

  • Exercising caution when following suspicious hyperlinks (even if they appear to be harmless image links).

  • Scanning email file attachments before downloading and/or opening them.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

No comments:

Post a Comment