Craigslist has made some strides over the years in protecting its users from Internet predators, but for some hackers those strides are just another challenge to be surmounted.
That's the case with a Trojan aimed at the online classified advertising service and revealed Monday by Solera, a Blue Coat company.
The malware is ending up on the computers of unsuspecting users who click an infected link they encounter on the Internet, expecting to receive an update to a fictitious program called Adobe Photo Loader.
After infecting a machine, the malware transforms the computer into a zombie for a botnet making spam postings to Craigslist for a program called Stealth Nanny. The Android app is designed to be planted on a person's phone so all their activity on the handset can be monitored by a snooper.
"We don't see a lot of spam on the service, but when we do, it's interesting because it's stuff that has figured out a way to get around these roadblocks set up by the guys running the site," Solera's Director of Threat Research, Andrew Brandt, said in an interview.
When this Trojan contacts Craigslist, it's armed with information sent to it by the command and control (C&C) server running the botnet that enables it to set up an account on the service and post the advertising copy for Stealth Nanny.
Before a listing can go live on Craigslist, its sponsor must verify it by email. The email confirmations for the ads posted by the Trojan are forwarded to it by its C&C server. "The bot then parses the Craigslist activation links, return them as a click through a browser without the browser user's knowledge and make the post go live," Brandt explained.
"It's a complicated mechanism that they've rigged up," he said. "It's amazing that it works, but it is quite functional."
The master of the zombie network has taken measures to keep the scheme off the radar of Craigslist spam fighters, Brandt added. "He'll do one post a day per infected machine."
The limited nature of the malware is also probably keeping its profile low. "It's a very bespoke malware for this specific purpose of just posting to Craigslist," Brandt observed.
"And the only thing we've seen it posting to Craigslist," he continued, "is this advertisement for this software that monitors cell phones."
Brandt added that he suspects that the maker of the software is also connected to the malware. All but one domain connected to the scheme was "private," he said. That one identifiable domain, however, contained a name, city and state that matched the same information in Stealth Nanny.
"It's clear to me that they're connected and entirely possible that the same person is responsible for Stealth Nanny and the malware," Brandt said.
Although the malware has a highly specific purpose now, once a machine is infected, the bad app could be repurposed for greater malignancy in the future. "Anytime a computer is infected with malware, the box is owned by someone else and they can use it to do all kinds of different things," Brandt said.
Mike Gross, director of professional services and risk management at 41st Parameter, said that credential theft is always a possibility with this kind of malware. "The biggest risk is always key loggers that essentially give the attackers access to any account where the legitimate user enters a username-password combination online," he told CSOonline.
In addition, since the botnet is controlled elsewhere on the Web, it likely has an auto-update function for downloading and modifying what's on an infected machine. "An auto-update feature would make the possibilities of danger endless for the infected device," said Tommy Chin, a technical support engineer with Core Security.
Craigslist did not respond to a request for comment for this story.
"Craigslist is a relatively open environment, with no strong validation of posts," Gross said. "It relies on users to post legitimate classifieds. Its primary form of policing spam is by user feedback, which is very reactive."
The online classifieds service is also largely free, which may also be contributing to its being a target of Internet lowlifes. "It's much easier to target a free service than it is a paid service," Chin said. "Free services require much less verification on the user's part."
"The site is also still in its infancy in regards to anti-spam and security practices," he said.