Craigslist has made some strides over the years in protecting its users from Internet predators, but for some hackers those strides are just another challenge to be surmounted.
That's the case with a Trojan aimed at the online classified advertising service and revealed Monday by Solera, a Blue Coat company.
The malware is ending up on the computers of unsuspecting users who click an infected link they encounter on the Internet, expecting to receive an update to a fictitious program called Adobe Photo Loader.
After infecting a machine, the malware transforms the computer into a zombie for a botnet making spam postings to Craigslist for a program called Stealth Nanny. The Android app is designed to be planted on a person's phone so all their activity on the handset can be monitored by a snooper.
"We don't see a lot of spam on the service, but when we do, it's interesting because it's stuff that has figured out a way to get around these roadblocks set up by the guys running the site," Solera's Director of Threat Research, Andrew Brandt, said in an interview.
When this Trojan contacts Craigslist, it's armed with information sent to it by the command and control (C&C) server running the botnet that enables it to set up an account on the service and post the advertising copy for Stealth Nanny.
Before a listing can go live on Craigslist, its sponsor must verify it by email. The email confirmations for the ads posted by the Trojan are forwarded to it by its C&C server. "The bot then parses the Craigslist activation links, return them as a click through a browser without the browser user's knowledge and make the post go live," Brandt explained.
"It's a complicated mechanism that they've rigged up," he said. "It's amazing that it works, but it is quite functional."
The master of the zombie network has taken measures to keep the scheme off the radar of Craigslist spamÃ'Â fighters, Brandt added. "He'll do one post a day per infected machine."
The limited nature of the malware is also probably keeping its profile low. "It's a very bespoke malware for this specific purpose of just posting to Craigslist," Brandt observed.
"And the only thing we've seen it posting to Craigslist," he continued, "is this advertisement for this software that monitors cell phones."
Brandt added that he suspects that the maker of the software is also connected to the malware. All but one domain connected to the scheme was "private," he said. That one identifiable domain, however, contained a name, city and state that matched the same information in Stealth Nanny.
"It's clear to me that they're connected and entirely possible that the same person is responsible for Stealth Nanny and the malware," Brandt said.
Sign up for Computerworld eNewsletters.