The Register® — Biting the hand that feeds IT

Feeds

Trojan taps Google Groups as command network

alt.news.botnet.control

By John Leyden, 14th September 2009
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Hackers have programmed a Trojan that uses Google Groups newsgroups to distribute commands.

Trojan distribution via newsgroups has existed for more than a decade, but using newsgroups as a command and control channel is a new innovation.

The Grups Trojan itself is quite simple and is only noteworthy for the command and control structure it deploys. The malware is programmed to log into a Chinese language newsgroup to receive commands, Symantec security researcher Gavin O'Gorman writes.

When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out.

The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject.

The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.

Miscreants need to maintain communications with backdoor Trojans to order them to distribute spam, launch denial of service attacks or upload compromised data, for example. Traditionally IRC channels have been used to carry out this function. More recently black hats have experimented with different control channels such as Google Groups, as in the latest incident, and a few weeks ago, Twitter.

Using Google Groups has advantages in anonymity but leaves a record of Trojan activity for security researchers to analyse. For example, the growth of the Trojan can be tracked by the volume of posts. The information targeted can also be discerned.

Examining the Trojan itself provides more clues. Several debug strings in the Trojan code provide evidence that the malware may be a prototype, testing the use of newsgroups for botnet/Trojan command and control. Commands issued though the newsgroup refer to actions involving actions involving .tw (Taiwanese) domains. This, along with the simplified Chinese language of the newsgroup in question, provide evidence that the malware was cooked up in either Taiwan or mainland China.

Only a small number of samples of Grups Trojan have appeared in the wild, leading to Symanec's classification of the malware as a low risk threat. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (4)
Latest Comments
Rasczak

Google Groups Newsgroups ?

Shirley you mean Usenet newsgroups. Google Groups is just a web page that allows spammi^C^C posting to Usenet through a web page. From what I can see, they just took over the old Deja News archive and added a few things. From reading the write up it looks like this uses Google Groups as it allows you to create your own, effectively internal, groups, just as easy to do by running your own NNTP server, just means they are offsetting the load. Easier to wipe the evidence if running your own server though.

0
0
Anonymous Coward
Anonymous Coward

A low risk threat for who?

I guess the risk increases greatly depending on whether you're Taiwanese and what China's plans are.

Now that America has practically neutered itself with the cost of two wars (profits mostly into Republican pockets, as far as I can tell) who will protect pacific rim from hostile takeover?

I guess that depends on whether you consider American style protection better than Chinese.

There, that should piss off both the Chinese and the Americans.

0
0
amanfromMars 1

Nothing is Ever how it seems .....but more usually just as you are led to believe.

"This, along with the simplified Chinese language of the newsgroup in question, provide evidence that the malware was cooked up in either Taiwan or mainland China." .... Or is being betatested for Eastern use?

Hell, if I have something hot to sell in Command and Control, where better to sell it and create a fortune than in the Emerging Vibrant East.

0
0

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13
breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
39
Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats
19