Trojan taps Google Groups as command network
Hackers have programmed a Trojan that uses Google Groups newsgroups to distribute commands.
Trojan distribution via newsgroups has existed for more than a decade, but using newsgroups as a command and control channel is a new innovation.
The Grups Trojan itself is quite simple and is only noteworthy for the command and control structure it deploys. The malware is programmed to log into a Chinese language newsgroup to receive commands, Symantec security researcher Gavin O'Gorman writes.
When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out.
The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject.
The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.
Miscreants need to maintain communications with backdoor Trojans to order them to distribute spam, launch denial of service attacks or upload compromised data, for example. Traditionally IRC channels have been used to carry out this function. More recently black hats have experimented with different control channels such as Google Groups, as in the latest incident, and a few weeks ago, Twitter.
Using Google Groups has advantages in anonymity but leaves a record of Trojan activity for security researchers to analyse. For example, the growth of the Trojan can be tracked by the volume of posts. The information targeted can also be discerned.
Examining the Trojan itself provides more clues. Several debug strings in the Trojan code provide evidence that the malware may be a prototype, testing the use of newsgroups for botnet/Trojan command and control. Commands issued though the newsgroup refer to actions involving actions involving .tw (Taiwanese) domains. This, along with the simplified Chinese language of the newsgroup in question, provide evidence that the malware was cooked up in either Taiwan or mainland China.
Only a small number of samples of Grups Trojan have appeared in the wild, leading to Symanec's classification of the malware as a low risk threat. ®
Google Groups Newsgroups ?
Shirley you mean Usenet newsgroups. Google Groups is just a web page that allows spammi^C^C posting to Usenet through a web page. From what I can see, they just took over the old Deja News archive and added a few things. From reading the write up it looks like this uses Google Groups as it allows you to create your own, effectively internal, groups, just as easy to do by running your own NNTP server, just means they are offsetting the load. Easier to wipe the evidence if running your own server though.
A low risk threat for who?
I guess the risk increases greatly depending on whether you're Taiwanese and what China's plans are.
Now that America has practically neutered itself with the cost of two wars (profits mostly into Republican pockets, as far as I can tell) who will protect pacific rim from hostile takeover?
I guess that depends on whether you consider American style protection better than Chinese.
There, that should piss off both the Chinese and the Americans.
Nothing is Ever how it seems .....but more usually just as you are led to believe.
"This, along with the simplified Chinese language of the newsgroup in question, provide evidence that the malware was cooked up in either Taiwan or mainland China." .... Or is being betatested for Eastern use?
Hell, if I have something hot to sell in Command and Control, where better to sell it and create a fortune than in the Emerging Vibrant East.