Botnet C&C Server Hosted on Google Groups

Malware researchers have discovered a computer trojan which uses a private Google Groups newsgroup to receive updates and instructions from its authors. This threat suggests that cybercrooks are considering legitimate Web 2.0 services as command-and-control (C&C) infrastructure.

Last month, security researchers from Arbor Networks announced the discovery of a Brazilian banking trojan, which was receiving commands via a Twitter account and various pastebin services. Inspired by this finding, Vaclav Vincalek, president of Pacific Coast Information Systems, theorized that in the future, Google's own search engine could be abused in a similar fashion.

Mr. Vincalek's scenario may still be purely theoretical, but using other Google services for this purpose is not, as malware analysts from Symantec have just discovered. "A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands," they announce.

The trojan seems to be of Taiwanese origin and was released in November 2008. However, despite being active for ten months, the malware doesn't seem to have infected a large number of computers. This suggests that the trojan is either a prototype for testing whether Google Groups is a viable C&C solution, or that it was designed for a very specific purpose or target. The trojan consists of a DLL file, which contains instructions to log into a Google account and access a private newsgroup called "escape2sun."

The newsgroup posts have unique identifiers and contain encrypted commands and/or files to download. After executing these commands, the clients reply by posting a response with the identifier as the subject. "There is no attempt within the DLL to maintain persistence on the attacked computer, further evidence of a Trojan attempting to remain undiscovered.

Such a Trojan could potentially have been developed for targeted corporate espionage where anonymity and discretion are priorities," Gavin O'Gorman, a security researcher at Symantec, concludes. Security researchers fear that, because of their reliability, versatility and flexibility, legitimate Web 2.0 services could soon become a widespread means of controlling botnets.

Additionally, from a network administrator's perspective, the traffic generated by such a threat is much harder to detect, filter or block than that of regular botnets, because it blends in with ordinary HTTPS traffic to a trusted service.

Read the original article at Softpedia at http://news.softpedia.com/news/Botnet-C-C-Server-Hosted-on-Google-Groups-121576.shtml

PCIS is a Vancouver-based company which provides strategic consulting, application development, technology solutions and managed services to companies and government organizations throughout North America.

Boonbox is a division of Pacific Coast Information Systems Ltd., specializing in products for web security, network security, password management and data backup.

Media Contact
Jonathon Narvey
Communications
Phone: +1 (604) 844-7558
jonathonnarvey@pcis.com
Pacific Coast Information Systems / Boonbox
700-1112 Pender Street West
Vancouver, BC
V6E 2S1 Canada