Slashdot Mirror


Google Groups Used To Control Botnets

oDDmON oUT writes "'Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. ... Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands,' writes Symantec employee Gavin O Gorman. He goes on to state that 'the Trojan itself is quite simple. It is distributed as a DLL,' and while the decrypted commands indicate it is used 'for reconnaissance and targeted attacks,' he does go on record as saying, 'It's worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.'"

63 comments

  1. Google Groups is just a way to Usenet by hey · · Score: 1, Insightful

    Google Groups is just a way to Usenet

    1. Re:Google Groups is just a way to Usenet by athakur999 · · Score: 5, Informative

      It's true Google Groups can be used to view Usenet groups, but you can also create groups that are completely independent of Usenet with it. That seems to be the case here.

      --
      "People that quote themselves in their signatures bother me" - athakur999
    2. Re:Google Groups is just a way to Usenet by Anonymous Coward · · Score: 0

      No it isn't. You can create new groups and private groups that have nothing to do with Usenet.

    3. Re:Google Groups is just a way to Usenet by drinkypoo · · Score: 1

      local groups have always been available to usenet sites. this is just a web interface to groups on google's servers.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Google Groups is just a way to Usenet by wiredlogic · · Score: 1

      The Google specific groups have features that they don't provide for the Usenet feeds (member profiles, file sharing, etc.) It isn't the same as just local newsgroups.

      --
      I am becoming gerund, destroyer of verbs.
    5. Re:Google Groups is just a way to Usenet by drinkypoo · · Score: 1

      I'm betting those are all built on top of whatever google uses for a news spool. Member profiles are part of the google login. File sharing is part of USENET, all they'd have to do is put a special signature in the file and store a base64 or similar attachment like everyone has been doing on USENET since whenever.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Google Groups is just a way to Usenet by davidphogan74 · · Score: 1

      That makes sense, I also was confused about why they'd say Google Groups instead of Usenet at first. I forgot that Google allows creation of your own groups until I signed in to try figuring out how this could work.

  2. This just in! by Anonymous Coward · · Score: 5, Funny

    Breaking news today:

    Free Web Service Abused, Professionals Shocked

    News at 11.

    1. Re:This just in! by Anonymous Coward · · Score: 0

      Breaking News

      Today Free Web Service

      Abused Professionals

      Shocked News at 11.

      And somehow still makes sense..

    2. Re:This just in! by Anonymous Coward · · Score: 0

      You do understand that the actual malware is being distributed as a DLL; nothing is being infected "via DLLs".

    3. Re:This just in! by Anonymous Coward · · Score: 0

      Win 7 too blue screens... professionals shocked..

    4. Re:This just in! by uninformedLuddite · · Score: 1

      except of course the computer

      --
      The new right fascists are bilingual. They speak English and Bullshit.
    5. Re:This just in! by tlhIngan · · Score: 1

      Free Web Service Abused, Professionals Shocked

      Except, there are two issues...

      1) A third party can shut you down. This happens quite often with the IRC-based botnets - the admins simply /akill anyone attempting to join the channel, or someone else can take over the botnet. Ditto Google - they can disable the group, or have it return NOP commands or someone else can post a command to self-destruct the botnet. That's why people tend to use P2P for botnets.

      2) A paper trail is left. Who was attacked and when, the commands issued, etc., are all logged and kept by the third party. Even using a proxy, it seems like a really bad idea when someone is logging everything. Heck, imagine what Google could do with logs of people who accessed that newsgroup.

  3. This just in! by Anonymous Coward · · Score: 2, Funny

    Breaking news today:

    Windows computers still being infected via DLLs, professionals shocked.

    News at 11:05.

  4. "oops, by martas · · Score: 3, Funny

    it seems we just did some pretty serious evil..."

  5. So? by timeOday · · Score: 2, Insightful

    Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?

    1. Re:So? by houstonbofh · · Score: 2, Insightful

      Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?

      That instead of being controlled by a traceable PC owned by the hacker, or an infected PC that may be blocked, cleaned, removed, or traced, it is on a widely respected and not usually blocked third party service.

      It is similar to the improperly named "Linux Botnet" of actual, production websites yesterday. But where yesterday Linux haters were laughing, today it will be Google haters.

    2. Re:So? by sakdoctor · · Score: 5, Funny

      -----BEGIN BOTNET COMMAND OVER /.-----
      Version: v1.0.0

      TEx2OTNZRm9 mb1l4Q1B5N25P b3dxSjRCMkhSS WhzdDFBbV Ezd2lGSWtY R1pEMWJ qUHdtcG9z cktLNHd5 cDBZeg==

      -----END BOTNET COMMAND OVER /.-----

    3. Re:So? by slacker22 · · Score: 1

      We can destroy a botnet by shutting down google.

    4. Re:So? by timeOday · · Score: 1

      That's not new. Check out "The Rallying Problem" section from this 4-year old presentation.

    5. Re:So? by Anonymous Coward · · Score: 4, Interesting

      On a more serious note, this demonstrates how easy it is to use any service for a botnet.
      As long as a service allows persistent user data, Slashdot, Google Customized Search, Photobucket, whatever, can all be used.
      Hell, the data doesn't even need to be persistent, ideally around a days age at the most, this allows each time region to access the site at different times so that it won't overload it or arouse suspicions by those sneaky little ninja sysadmins.

      Think about all those free websites out there, millions of them, and you can bet a good chunk of those are for botnets.

      Or how about MSN?
      Contacts of contacts of contacts, it can go millions of contacts deep, or a few hundred accounts used around the same geographical location at different times in the day.

      Of course, e-mail is still the best.
      Gmail is probably the best for this at the moment because of how much information that can be stored on a page at first glance. (which is why Gmail Drive is so nice)

    6. Re:So? by selven · · Score: 0, Redundant

      What's it supposed to do, turn my computer into stooooooooooooooooooooooooooo[NO CARRIER]

    7. Re:So? by 1u3hr · · Score: 1
      It is on a widely respected and not usually blocked third party service.

      No one who is a "serious" user of Usenet respects Google Groups' interface.

      They at least provide a useful search function, but even that has been rather fucked up for several months. But they are justly maligned for allowing spammers to use them to spam millions of messages into just about every newsgroup. They do nothing to screen their messages. They certainly have excellent spam detection in GMail, so dark conspiracy theories abound of how Google is swamping Usenet with spam to make their own groups a "safe haven". But I think it's just they can't monetise it so they don't give a fuck either way. Meanwhile many users do killfile messages sent from Google Groups, and some news hosts do as well at a server level.

    8. Re:So? by Beardo+the+Bearded · · Score: 1

      Pfft. A weird hex command can't...

      uh...

      bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel

      --
      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    9. Re:So? by X0563511 · · Score: 1

      Exactly. When my client allows, I don't even SEE messages from someone using Google Groups.

      I know it's a bit harsh to just block a provider yet... but a majority of the retarded shoe-spammers and such, all seem to come through Google Groups.

      That said, if GG wasn't the low-hanging-fruit, I'm sure some other provider would be victimized by the spammers.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    10. Re:So? by X0563511 · · Score: 1

      Hell, one could even use a legitimate Flickr photostream or whatever they are called, hiding encrypted commands within images. This could be done in nearly any kind of file, really. Have fun detecting this, especially if the 'cover' is suitably advanced.

      (example, using a real social networking system legitimately, as well as for command/control. Or using an accomplice's account)

      All it takes is the magical combination of imagination and technical skill, as well as the desire to do something like run such a network.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    11. Re:So? by 1u3hr · · Score: 1
      That said, if GG wasn't the low-hanging-fruit, I'm sure some other provider would be victimized by the spammers.

      Anyone can set up a news server, but if they spew spam, they are quickly blacklisted by other providers, so their posts are dropped and the damage is limited. Sadly few have the guts to block Google.

  6. 5...4...3...2...1... by Anonymous Coward · · Score: 0

    And now they WON'T use google groups.

    Time to use something else unnoticed.

  7. Another sign Linux just isn't ready for prime time by HangingChad · · Score: 4, Funny

    It is distributed as a DLL...

    Until Linux can run botnet dll's and find a place among p0wn3d hacker machines, it's going to remain a hobbyist toy. It's so wasteful and inefficient to hack computers one at a time.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  8. C2, not C&C by Anonymous Coward · · Score: 0

    The common abbreviation is C2, not C&C. C&C in this community stands for Command & Conquer :).

    1. Re:C2, not C&C by Yvan256 · · Score: 3, Insightful

      And C2 can refer to a truckload of things, so that doesn't really help.

    2. Re:C2, not C&C by Wuhao · · Score: 1

      And C2 can refer to a truckload of things, so that doesn't really help.

      For simplicity, let's just abbreviate it as CLOWN and watch the novices try to puzzle it out.

  9. Why not P2P? by Jared555 · · Score: 2, Insightful

    What would be so hard for botnet owners to make a peer to peer botnet rather than using servers? When a new machine is infected just send it a small list of hosts. Once connected distribute the full list of hosts. Most home networks do not secure upnp so inbound connections are not an issue.

    For networks that do not allow firewall reconfiguration.... Infect via removable media or email and then distribute the commands internally through the network until more machines can make direct outbound connections.

    Use random ports and encryption to make it harder to track and then use private/public keys so someone can't just send a shutdown command out over the network.

    1. Re:Why not P2P? by dazjorz · · Score: 1

      Thank you, sir, for destroying what was left of the Internets.

    2. Re:Why not P2P? by gmuslera · · Score: 1

      Random ports and encryption are what usually gets blocked most easily at your network perimeter. But it is not so easy to block google on port 80, even with clear text content; probably someone in your internal network would want to use it for legitimate reasons.

      Would not be so surprised if RSS feeds or the pages themselves from blogger (or other massive blog hosting sites) could be used for this, or ad hoc mailing lists. In fact, anything that could be put on the internet by someone potentially anonymous and accessed automatically by thousands/millions of hosts without raising normal alarms, and better if it is not limited to one easily blocked ip address,

    3. Re:Why not P2P? by sakdoctor · · Score: 3, Insightful

      Storm and many others used P2P.
      Using a distributed hash table, each node wouldn't need a FULL list of nodes; often just O(log(n)) nodes.

      They have used encrypted+signed commands since forever, port knocking, basically everything in the field has been incorporated into making a better, more robust bot.

    4. Re:Why not P2P? by Yvan256 · · Score: 1

      Indeed. I'm moving to the intarweb right now.

    5. Re:Why not P2P? by similar_name · · Score: 4, Funny

      What would be so hard for botnet owners to make a peer to peer botnet rather than using servers?

      That would attract the wrath of the RIAA.

  10. Re:Another sign Linux just isn't ready for prime t by Jared555 · · Score: 1

    People could make automated attacks against linux servers (there are probably some already) that detect if a site is running certain vulnerable scripts and run from there. Some issues could be solved easily by detecting paths on the web server, differences in distributions can be covered by trying the top 3-5 most popular paths (or more intelligent checks), etc.

    One nice thing about running php as the user that owns the site is it makes it more difficult for someone to take out every site on a server.

  11. Google's evil and this proves it!!11!1! by Anonymous Coward · · Score: 0

    'It's worth noting that Google Groups is not at fault here; rather, it is a neutral party. [...]'

    Nope, sorry, it's already ingrained into my head. I blindly hate Google, so here's another reason for me to think they're evil. I literally feed off of irony, especially the "Google is teh eval!11!!", thus I desperately search it out in any way, shape, or form, even if it's from badly-thought out arguments and conclusions.

    Google is evil because they make and control botnets! IRC isn't evil, though, because that's just an innocent neutral communication method that evil people (liek Google) have co-opted into a botnet control mechanism.

  12. Just Google it by Mathinker · · Score: 3, Informative

    We used to say "Engage brain before opening mouth" but nowadays the equivalent is "Check Google (or equivalent) before posting". P2P botnets have been around for a long time, and the recent Conficker worm uses P2P technology in quite an advanced way.

  13. Those IRC dwelling 14 year olds... by petrus4 · · Score: 1, Insightful

    I've already drawn a portrait of them here.

    They never cease to amaze me, however; they are tireless in their attempts to bring new, innovative, and endlessly wonderful varieties of malware to the computer using public.

    I know eventually a true, almost impossible to counter exploit will be found by them, for Linux. They will probably employ it more for the purposes of proving that Linux is not immune to their wrath, than anything else.

    When the first Linux malware exploiting that flaw is written by them, I fully expect that the first sign of infection will be a Linux user hearing a wav file of Carrie Ann Moss being played on their machine.

    "Dodge this."

    1. Re:Those IRC dwelling 14 year olds... by Yvan256 · · Score: 0, Troll

      Good thing that wav is a Microsoft file format and hence cannot be played under Linux. /sarcasm

    2. Re:Those IRC dwelling 14 year olds... by flydpnkrtn · · Score: 3, Insightful

      I know eventually a true, almost impossible to counter exploit will be found by them, for Linux.

      I think you lay the melodrama on a bit too thick... there's not really such a thing as an "impossible to counter" exploit...

    3. Re:Those IRC dwelling 14 year olds... by Anonymous Coward · · Score: 0

      When the first Linux malware exploiting that flaw is written by them, I fully expect that the first sign of infection will be a Linux user hearing a wav file of Carrie Ann Moss being played on their machine.

      Good news! Your sound system works under Linux!

      Now if we could convince them to infect the wireless networking!

    4. Re:Those IRC dwelling 14 year olds... by Anonymous Coward · · Score: 0

      Yes, it exists. It's called "user".

  14. This just in, too! by tenco · · Score: 1

    Breaking news: Software uses plain text messages as means of communication. News at 11.11

    1. Re:This just in, too! by Yvan256 · · Score: 1

      Breaking news: botnets use plain text messages and waste bytes and bytes of bandwidth instead of using binary to communicate between themselves. News at 9:00.

  15. Next up: Botnets surfing the google wave by ghmh · · Score: 5, Funny

    Who needs IRC or usenet or google groups when you can surf the google wave?

    Wonder whether this will get you access?

    Google Wave Sandbox Developer Signup

    Name: xxxx
    ....
    What do you intend to build?
    Botnet

  16. New solution by shentino · · Score: 1

    Pass good samaratin laws that allow researchers to nuke botnets. Or heck, let the FBI or NSA take care of that.

    I think that would be even more awesome than when Goonswarm took over BoB.

    1. Re:New solution by Thuktun · · Score: 1

      Pass good samaratin [sic] laws that allow researchers to nuke botnets.

      Oh yeah, that will end well.

  17. Re:Another sign Linux just isn't ready for prime t by Anonymous Coward · · Score: 0

    Yes, but this won't bring about the year of linux on the DESKTOP.

    Or are you suggesting all home users in need of this feature run a web server? Next thing you'll tell me they need to recompile the kernel to get a rootkit working.

  18. That explains it! by GameboyRMH · · Score: 2

    Slashdot copypasta troll posts are actually botnet commands! It just blends in with the original trolls so that nobody expects a thing!

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:That explains it! by djdavetrouble · · Score: 1

      My god, the pieces of the puzzle are finally beginning to come together.

      every time mr goatse appears, a botnet stands at attention. then, tubgirl releases the attack on the target.
      there has never been a more simple, disgusting, genius idea.

      --
      music lover since 1969
  19. Trivial solution by 4D6963 · · Score: 1

    Wouldn't it be trivial for Google to kill it? Think about it, recently created groups devoid of any true conversational activity, being accessed by thousands of computers on a regular basis, probably all of them identifying themselves in a similar way (i.e. all giving the same user agent or no user agent, no referral, etc.). That would be fairly trivial for Google to identify the patterns and shut down the botnet groups. Might orphan quite a few botnets, and definitely hunt the botnets out of Google Groups.

    --
    You just got troll'd!
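    As an added example (not code from the thread or from Symantec), here is the kind of heuristic a service operator could run over its own access logs to find the pattern the comment above describes: a young, silent group fetched by many distinct clients that all send the same or no User-Agent and no Referer. The log format, the group metadata and the thresholds are constructed assumptions.

```python
"""Heuristic check for the access pattern in the comment above: a freshly
created group with almost no posts, fetched by many distinct clients that
all present the same (or no) User-Agent and no Referer.
Added example; log format, group metadata and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample access log; fields separated by '|':
# timestamp | client ip | group | user agent | referer ('-' = none)
SAMPLE_LOG = """\
2009-09-13T10:00:01|203.0.113.5|rec.gardening|Mozilla/5.0 (Firefox)|https://groups.example/
2009-09-13T10:00:04|203.0.113.9|rec.gardening|Mozilla/5.0 (Safari)|https://groups.example/rec.gardening
2009-09-13T10:00:09|203.0.113.5|new-hobby-club|Mozilla/5.0 (Firefox)|https://groups.example/
2009-09-13T10:00:12|203.0.113.7|new-hobby-club|Mozilla/5.0 (Chrome)|https://groups.example/
2009-09-13T10:01:00|198.51.100.10|xyz-updates-2009|-|-
2009-09-13T10:01:02|198.51.100.11|xyz-updates-2009|-|-
2009-09-13T10:01:05|198.51.100.12|xyz-updates-2009|-|-
2009-09-13T10:01:07|192.0.2.30|xyz-updates-2009|-|-
"""

# Constructed group metadata: group -> (age in days, number of posts)
GROUP_META = {
    "rec.gardening": (3000, 48210),
    "new-hobby-club": (5, 1),       # new and quiet, but browsed by real users
    "xyz-updates-2009": (3, 1),     # new, one post, machine-like readers
}

@dataclass
class GroupStats:
    requests: int = 0
    no_referer: int = 0
    clients: set = field(default_factory=set)
    agents: set = field(default_factory=set)

def parse_log(text):
    """Aggregate per-group request statistics from the '|'-separated log."""
    stats = defaultdict(GroupStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, group, agent, referer = (f.strip() for f in line.split("|"))
        s = stats[group]
        s.requests += 1
        s.clients.add(ip)
        s.agents.add(agent)
        if referer == "-":
            s.no_referer += 1
    return stats

def suspicious_groups(stats, meta, min_clients=4, max_posts=2, max_age_days=30):
    """Return groups matching all signals: young, silent, many clients,
    a single User-Agent string (possibly empty), and almost no referers."""
    flagged = []
    for group, s in stats.items():
        if group not in meta:
            continue
        age_days, posts = meta[group]
        if (age_days <= max_age_days and posts <= max_posts
                and len(s.clients) >= min_clients
                and len(s.agents) == 1
                and s.no_referer / s.requests >= 0.9):
            flagged.append(group)
    return sorted(flagged)
```

    Only `xyz-updates-2009` trips every signal on the sample; the equally new `new-hobby-club` is left alone because its readers look like browsers arriving from the site itself.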
  20. DLL's by Gruff1002 · · Score: 1

    Never ever let any exe near your operating system if it has dll's that "need" to be installed. Windoze is not exactly idiot proof.

  21. OH GOD by kothmac · · Score: 1

    I KNEW IT! Google has become Skynet! Quick, someone knock up Mrs. Conner!

  22. Ultrasurf and GIFC did the same thing by Anonymous Coward · · Score: 0

    According to researchers at this year's BlackHat in Las Vegas, the GIFC has released malware (pretending to be good software) that gets its "updates" through Google Groups and Reader. This is not shocking that spyware/malware/viruses/etc get updates from a major provider such as Google. Google can handle the traffic, and is mirrored all over the world, making it the perfect candidate for this type of abuse.

  23. Finally a use for twitter by uninformedLuddite · · Score: 1

    hooray

    --
    The new right fascists are bilingual. They speak English and Bullshit.
  24. Rest Easy Everyone by Anonymous Coward · · Score: 0

    'It's worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.'"

    Google Groups is declared NOT EVIL!

  25. Non news here...move along by hesaigo999ca · · Score: 1

    Whether it's google news groups, or the ebay website or even facebook, you can use any tool, and any website that offers postings or forums or even blogs, to upload commands to your botnet, if the parser included in the botnet knows how to read it.
    The fact that they are trying to put google's good name on the line for this, as if it was google's fault, shows how little they really know about these botnets, and this technology.

  26. First botnet of Linux Web Servers discovered by Anonymous Coward · · Score: 0

    "Until Linux can run botnet dll's and find a place among p0wn3d hacker machines, it's going to remain a hobbyist toy. It's so wasteful and inefficient to hack computers one at a time." - by HangingChad (677530) on Sunday September 13, @11:26AM (#29405229) Homepage

    It's already happened, per my subject-line above, & this article from this very website (only a few days back, no less):

    ----

    First Botnet of Linux Web Servers Discovered:

    http://linux.slashdot.org/article.pl?sid=09/09/12/1413246

    ----

    So much for that!

    APK