Feeds

Trojan taps Google Groups as command network

alt.news.botnet.control

5 things you didn’t know about cloud backup

Hackers have programmed a Trojan that uses Google Groups newsgroups to distribute commands.

Trojan distribution via newsgroups has existed for more than a decade, but using newsgroups as a command and control channel is a new innovation.

The Grups Trojan itself is quite simple and is only noteworthy for the command and control structure it deploys. The malware is programmed to log into a Chinese language newsgroup to receive commands, Symantec security researcher Gavin O'Gorman writes.

When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out.

The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject.

The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.

Miscreants need to maintain communications with backdoor Trojans to order them to distribute spam, launch denial of service attacks or upload compromised data, for example. Traditionally IRC channels have been used to carry out this function. More recently black hats have experimented with different control channels such as Google Groups, as in the latest incident, and a few weeks ago, Twitter.

Using Google Groups has advantages in anonymity but leaves a record of Trojan activity for security researchers to analyse. For example, the growth of the Trojan can be tracked by the volume of posts. The information targeted can also be discerned.

Examining the Trojan itself provides more clues. Several debug strings in the Trojan code provide evidence that the malware may be a prototype, testing the use of newsgroups for botnet/Trojan command and control. Commands issued though the newsgroup refer to actions involving actions involving .tw (Taiwanese) domains. This, along with the simplified Chinese language of the newsgroup in question, provide evidence that the malware was cooked up in either Taiwan or mainland China.

Only a small number of samples of Grups Trojan have appeared in the wild, leading to Symanec's classification of the malware as a low risk threat. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.