What struck analysts as odd is the way SocketPlayer communicates with its command-and-control (C&C) server. Most banking trojans, backdoors and keyloggers use what is effectively a one-way scheme: the infected machine has to contact the server first and ask whether there are any orders, and only then can the handler send a command (e.g. "take a screenshot"). SocketPlayer instead uses a program library called "socket.io". This library was designed for web applications that need real-time, bi-directional communication between two parties. As a result, whoever controls the malware can interact with an infected PC directly and contact it at any time, without waiting for the PC to take the first step.
This has an undeniable advantage for the attacker: the malware handler does not have to wait for an infected machine to check in. Nevertheless, the socket.io library has seen very little use in malicious applications, so spotting it in active malware is highly uncommon.
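To make the difference visible on the wire, here is an added example (written for this post; it is not code from SocketPlayer, from the socket.io project, or from the original analysis). It decodes the text frames a Socket.IO connection carries, labels a server-to-client EVENT as a pushed command, and picks the Engine.IO handshake requests out of a proxy log. The frames, log lines, host names and session ids are all constructed for the example. One caveat worth keeping in mind: the bot still opens the outbound TCP/WebSocket connection itself; what socket.io adds is that, once that channel is up, the operator can push an event down it at any moment instead of waiting for the next poll.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Engine.IO packet types: the first character of every text frame on a
# Socket.IO connection (same for the HTTP long-polling and WebSocket transports).
ENGINEIO_TYPES = {"0": "open", "1": "close", "2": "ping", "3": "pong",
                  "4": "message", "5": "upgrade", "6": "noop"}
# Socket.IO packet types: the second character, present only inside an
# Engine.IO "message" frame.
SOCKETIO_TYPES = {"0": "CONNECT", "1": "DISCONNECT", "2": "EVENT", "3": "ACK",
                  "4": "ERROR", "5": "BINARY_EVENT", "6": "BINARY_ACK"}


def decode_frame(frame):
    """Decode one Socket.IO text frame: <eio>[<sio>[<n>-][/namespace,][ack id][json]].

    Binary attachments (types 5 and 6) are recognised but their payload is not reassembled.
    """
    if not frame:
        raise ValueError("empty frame")
    out = {"eio": ENGINEIO_TYPES.get(frame[0], "unknown"), "sio": None,
           "namespace": "/", "ack_id": None, "event": None, "args": None, "data": None}
    body = frame[1:]
    if out["eio"] == "open":
        # The OPEN packet carries the session id and transport parameters as JSON.
        out["data"] = json.loads(body) if body else None
        return out
    if out["eio"] != "message" or not body:
        out["data"] = body or None
        return out
    out["sio"] = SOCKETIO_TYPES.get(body[0], "unknown")
    rest = body[1:]
    # Binary packets carry an attachment count before a '-' separator.
    if out["sio"] in ("BINARY_EVENT", "BINARY_ACK") and "-" in rest:
        rest = rest.split("-", 1)[1]
    if rest.startswith("/"):
        out["namespace"], _, rest = rest.partition(",")
    m = re.match(r"\d+", rest)
    if m:
        out["ack_id"] = int(m.group())
        rest = rest[m.end():]
    if rest:
        out["data"] = json.loads(rest)
    if out["sio"] in ("EVENT", "BINARY_EVENT") and isinstance(out["data"], list) and out["data"]:
        out["event"] = out["data"][0]
        out["args"] = out["data"][1:]
    return out


def describe(direction, frame):
    """Label a frame from the analyst's point of view; direction comes from the capture."""
    p = decode_frame(frame)
    if p["sio"] == "EVENT" and direction == "server->client":
        return "pushed command: %s %s" % (p["event"], json.dumps(p["args"]))
    if p["sio"] == "EVENT":
        return "bot result: %s %s" % (p["event"], json.dumps(p["args"]))
    return "%s/%s" % (p["eio"], p["sio"] or "-")


def socketio_handshake(url):
    """Return (transport, sid) for an Engine.IO transport request, else None.

    Assumes the library's default path '/socket.io/'; an operator can rename it,
    so the EIO query parameter is the more robust indicator of the two.
    """
    u = urlparse(url)
    if not u.path.rstrip("/").endswith("/socket.io"):
        return None
    q = parse_qs(u.query)
    if "EIO" not in q:
        return None
    return (q.get("transport", ["?"])[0], q.get("sid", [None])[0])


# Constructed proxy log lines (timestamp, client, method, url, status); not real traffic.
SAMPLE_LOG = """\
2018-03-02T10:01:02Z 10.0.0.5 GET http://c2.example.invalid/socket.io/?EIO=3&transport=polling&t=M7ZqA 200
2018-03-02T10:01:03Z 10.0.0.5 GET http://c2.example.invalid/socket.io/?EIO=3&transport=websocket&sid=d3f1 101
2018-03-02T10:01:04Z 10.0.0.7 GET http://www.example.invalid/index.html 200
2018-03-02T10:01:05Z 10.0.0.7 GET http://www.example.invalid/socket.io/socket.io.js 200
"""


def find_socketio_sessions(log_text):
    """Map client IP -> set of (host, transport) for every Socket.IO handshake in the log."""
    found = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        hit = socketio_handshake(fields[3])
        if hit:
            found.setdefault(fields[1], set()).add((urlparse(fields[3]).hostname, hit[0]))
    return found


if __name__ == "__main__":
    # A constructed exchange: after the session is open, the server pushes first.
    exchange = [
        ("server->client", '0{"sid":"d3f1","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000}'),
        ("client->server", "40"),
        ("server->client", '42["screenshot",{"quality":80}]'),
        ("client->server", '42["screenshot_done",{"bytes":48213}]'),
        ("server->client", "2"),
        ("client->server", "3"),
    ]
    for direction, frame in exchange:
        print("%-14s %s" % (direction, describe(direction, frame)))
    print(find_socketio_sessions(SAMPLE_LOG))
```

The decoder takes one frame at a time, which is what the WebSocket transport delivers; on the long-polling transport several frames are concatenated in one HTTP body with a length prefix per frame, so split those first. The event names used here ("screenshot", "screenshot_done") are invented for the illustration and are not SocketPlayer's command names.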
There are two variants of SocketPlayer known to be in circulation at present. One of them is just a downloader that can fetch and execute arbitrary code from a website. The other, more complex variant also contains mechanisms designed to evade detection when run in a sandbox: if the malware finds out that it is running in a sandbox, it terminates itself without taking further action. This technique is commonly used by malware authors to delay detection and subsequent analysis.
Once installed, SocketPlayer waits for commands. Its capabilities are varied, ranging from searching through drives to recording screenshots and downloading and executing code. Other functions can be selected, but apparently have not yet been implemented in the malware.
The sample we examined was, at the time, distributed via an Indian website. How the malware was spread is unclear. It is possible that victims picked up the backdoor by visiting the compromised site, but it is equally possible that the web server only served as a download mirror linked to from elsewhere. What is clear, though, is that the malicious file went unnoticed by the website operators for a period of time. At the time of this writing, the website has been cleaned and the offending files removed.
If you would like to learn more about the details of this malware, you can read the entire in-depth analysis by clicking the preview below (will open in a new window).