In order to thwart traffic filtering mechanisms

Sep 14, 2009 10:30 GMT  ·  By

Malware researchers have discovered a computer trojan that uses a private Google Groups newsgroup to receive updates and instructions from its authors. The threat suggests that cybercrooks are now looking at legitimate Web 2.0 services as command-and-control (C&C) channels.

Last month, security researchers from Arbor Networks announced the discovery of a Brazilian banking trojan that received commands via a Twitter account and various pastebin services. Inspired by this finding, Vaclav Vincalek, president of Pacific Coast Information Systems, theorized that in the future, Google's own search engine could be abused in a similar fashion.

Mr. Vincalek's scenario may still be purely theoretical, but using other Google services for this purpose is not, as malware analysts from Symantec have just discovered. "A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands," they announce.

The trojan seems to be of Taiwanese origin and was released in November 2008. However, despite being active for ten months, the malware does not seem to have infected a large number of computers. This suggests that the trojan is either a prototype for testing whether Google Groups is a viable C&C solution, or that it was designed for a very specific purpose or target.

The trojan consists of a DLL file, which contains instructions to log into a Google account and access a private newsgroup called "escape2sun." The newsgroup posts have unique identifiers and contain encrypted commands and/or files to download. After executing these commands, the clients reply by posting a response with the identifier as the subject.

"There is no attempt within the DLL to maintain persistence on the attacked computer, further evidence of a Trojan attempting to remain undiscovered. Such a Trojan could potentially have been developed for targeted corporate espionage where anonymity and discretion are priorities," concludes Gavin O. Gorman, security researcher at Symantec.

Security researchers fear that, because of their reliability, versatility and flexibility, legitimate Web 2.0 services could soon become a widespread means of controlling botnets. Additionally, from a network administrator's perspective, the traffic generated by such a threat is much harder to detect, filter or block than that of regular botnets, because it blends in with ordinary use of a trusted service.
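The poll-and-reply pattern described above (clients repeatedly fetch a private group, then post a response) is what a defender can look for when blocking groups.google.com outright is not an option. The script below is an added example, not code from the article or from Symantec: it runs a beaconing heuristic over a constructed web-proxy log excerpt and flags hosts that poll a Google Group at near-constant intervals and also post to it. The log format (`<epoch> <client_ip> <method> <url>`), the `/group/<name>/` URL layout, the thresholds (`min_polls`, `max_cv`) and the host addresses are all assumptions made for the example; the group name "escape2sun" is the one named in the article.

```python
import re
import statistics
from collections import defaultdict

# Constructed proxy log excerpt (not real data). Format: "<epoch> <client_ip> <method> <url>".
# 10.0.0.5 polls the private group roughly every 300 s and posts replies; 10.0.0.7 and
# 10.0.0.9 show ordinary, irregular use of public groups.
SAMPLE_LOG = """\
1252918800 10.0.0.5 GET http://groups.google.com/group/escape2sun/topics
1252918805 10.0.0.5 POST http://groups.google.com/group/escape2sun/post
1252918900 10.0.0.9 GET http://groups.google.com/group/comp.lang.c/topics
1252919100 10.0.0.5 GET http://groups.google.com/group/escape2sun/topics
1252919100 10.0.0.9 GET http://groups.google.com/group/comp.lang.c/browse_thread/thread/1
1252919398 10.0.0.5 GET http://groups.google.com/group/escape2sun/topics
1252919403 10.0.0.5 POST http://groups.google.com/group/escape2sun/post
1252919701 10.0.0.5 GET http://groups.google.com/group/escape2sun/topics
1252920001 10.0.0.5 GET http://groups.google.com/group/escape2sun/topics
1252920300 10.0.0.5 GET http://groups.google.com/group/escape2sun/topics
1252921000 10.0.0.9 GET http://groups.google.com/group/comp.lang.c/topics
1252921150 10.0.0.9 POST http://groups.google.com/group/comp.lang.c/post
1252921190 10.0.0.9 GET http://groups.google.com/group/comp.lang.c/topics
1252921200 10.0.0.7 GET http://groups.google.com/group/comp.lang.c/topics
1252921260 10.0.0.7 GET http://mail.google.com/mail/
1252930000 10.0.0.9 GET http://groups.google.com/group/comp.lang.c/topics
1252930900 10.0.0.9 GET http://groups.google.com/group/comp.lang.c/topics
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+)$")
# Assumed URL layout: the group name follows "/group/" in the path.
GROUP_RE = re.compile(r"groups\.google\.com/group/([^/?\s]+)")


def parse_group_requests(log_text):
    """Yield (epoch, client, method, group) for each request that touches a Google Group."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        epoch, client, method, url = m.groups()
        g = GROUP_RE.search(url)
        if g:
            yield int(epoch), client, method, g.group(1)


def find_group_beacons(log_text, min_polls=6, max_cv=0.1):
    """Return {client: details} for hosts whose GET polls of a Google Group are
    nearly periodic (coefficient of variation of inter-poll gaps <= max_cv)
    and that have also POSTed to a group, i.e. the poll-then-reply pattern."""
    polls = defaultdict(list)     # client -> epoch of each GET
    groups = defaultdict(set)     # client -> group names touched
    posted = defaultdict(bool)    # client -> has posted at least once

    for epoch, client, method, group in parse_group_requests(log_text):
        groups[client].add(group)
        if method == "GET":
            polls[client].append(epoch)
        else:
            posted[client] = True

    flagged = {}
    for client, times in polls.items():
        # Too few polls to judge periodicity, or never replied: not the pattern we want.
        if len(times) < min_polls or not posted[client]:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        cv = statistics.pstdev(intervals) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged[client] = {
                "polls": len(times),
                "mean_interval_s": round(mean, 1),
                "interval_cv": round(cv, 4),
                "groups": sorted(groups[client]),
            }
    return flagged


if __name__ == "__main__":
    for client, info in find_group_beacons(SAMPLE_LOG).items():
        print(f"{client}: {info}")
```

Here the heuristic keys on the rhythm of the polling rather than on the destination, so a single human visit to a group, or even heavy but irregular browsing, is not flagged; tune `min_polls` and `max_cv` to the proxy's actual traffic, and treat a hit as a lead for host triage (for instance, which process owns the connections), not as proof of infection.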