The Register® — Biting the hand that feeds IT

Feeds

Trojan taps Google Groups as command network

alt.news.botnet.control

By John Leyden, 14th September 2009
  • print
  • alert

Agentless Backup is Not a Myth

Hackers have programmed a Trojan that uses Google Groups newsgroups to distribute commands.

Trojan distribution via newsgroups has existed for more than a decade, but using newsgroups as a command and control channel is a new innovation.

The Grups Trojan itself is quite simple and is only noteworthy for the command and control structure it deploys. The malware is programmed to log into a Chinese language newsgroup to receive commands, Symantec security researcher Gavin O'Gorman writes.

When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out.

The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject.

The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.

Miscreants need to maintain communications with backdoor Trojans to order them to distribute spam, launch denial of service attacks or upload compromised data, for example. Traditionally IRC channels have been used to carry out this function. More recently black hats have experimented with different control channels such as Google Groups, as in the latest incident, and a few weeks ago, Twitter.

Using Google Groups has advantages in anonymity but leaves a record of Trojan activity for security researchers to analyse. For example, the growth of the Trojan can be tracked by the volume of posts. The information targeted can also be discerned.

Examining the Trojan itself provides more clues. Several debug strings in the Trojan code provide evidence that the malware may be a prototype, testing the use of newsgroups for botnet/Trojan command and control. Commands issued though the newsgroup refer to actions involving actions involving .tw (Taiwanese) domains. This, along with the simplified Chinese language of the newsgroup in question, provide evidence that the malware was cooked up in either Taiwan or mainland China.

Only a small number of samples of Grups Trojan have appeared in the wild, leading to Symanec's classification of the malware as a low risk threat. ®

Steps to Take Before Choosing a Business Continuity Partner

COMMENTS

House Rules Send Corrections
All Reader Comments (4)
Latest Comments
Rasczak

Google Groups Newsgroups ?

Shirley you mean Usenet newsgroups. Google Groups is just a web page that allows spammi^C^C posting to Usenet through a web page. From what I can see, they just took over the old Deja News archive and added a few things. From reading the write up it looks like this uses Google Groups as it allows you to create your own, effectively internal, groups, just as easy to do by running your own NNTP server, just means they are offsetting the load. Easier to wipe the evidence if running your own server though.

0
0
Anonymous Coward
Anonymous Coward

A low risk threat for who?

I guess the risk increases greatly depending on whether you're Taiwanese and what China's plans are.

Now that America has practically neutered itself with the cost of two wars (profits mostly into Republican pockets, as far as I can tell) who will protect pacific rim from hostile takeover?

I guess that depends on whether you consider American style protection better than Chinese.

There, that should piss off both the Chinese and the Americans.

0
0
amanfromMars 1

Nothing is Ever how it seems .....but more usually just as you are led to believe.

"This, along with the simplified Chinese language of the newsgroup in question, provide evidence that the malware was cooked up in either Taiwan or mainland China." .... Or is being betatested for Eastern use?

Hell, if I have something hot to sell in Command and Control, where better to sell it and create a fortune than in the Emerging Vibrant East.

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
136
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
61
Internet fraud still stings suckers
Australians twice as gullible as Americans
36
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17