Slashdot Mirror


Google Groups Used To Control Botnets

oDDmON oUT writes "'Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. ... Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands,' writes Symantec employee Gavin O'Gorman. He goes on to state that 'the Trojan itself is quite simple. It is distributed as a DLL,' and while the decrypted commands indicate it is used 'for reconnaissance and targeted attacks,' he does go on record as saying, 'It's worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.'"

8 of 63 comments

  1. Google Groups is just a way to Usenet by hey · · Score: 1, Insightful

    Google Groups is just a way to Usenet

  2. So? by timeOday · · Score: 2, Insightful

    Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?

    1. Re:So? by houstonbofh · · Score: 2, Insightful

      Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?

      That instead of being controlled by a traceable PC owned by the hacker, or an infected PC that may be blocked, cleaned, removed, or traced, it is on a widely respected and not usually blocked third-party service.

      It is similar to the improperly named "Linux Botnet" of actual, production websites yesterday. But where yesterday Linux haters were laughing, today it will be Google haters.

  3. Why not P2P? by Jared555 · · Score: 2, Insightful

    What would be so hard for botnet owners to make a peer-to-peer botnet rather than using servers? When a new machine is infected just send it a small list of hosts. Once connected distribute the full list of hosts. Most home networks do not secure UPnP so inbound connections are not an issue.

    For networks that do not allow firewall reconfiguration.... Infect via removable media or email and then distribute the commands internally through the network until more machines can make direct outbound connections.

    Use random ports and encryption to make it harder to track and then use private/public keys so someone can't just send a shutdown command out over the network.

    1. Re:Why not P2P? by sakdoctor · · Score: 3, Insightful

      Storm and many others used P2P.
      Using a distributed hash table, each node wouldn't need a FULL list of nodes; often just O(log(n)) nodes.

      They have used encrypted+signed commands since forever, port knocking, basically everything in the field has been incorporated into making a better, more robust bot.
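The two comments above make a design point worth seeing in code: if the bot carries only the operator's public key and checks a signature on every command, then neither a defender who has reverse-engineered the bot nor a rival operator can inject a "shutdown" message, and a sequence number stops an old, genuinely signed command from being re-posted. The Go below is an added illustration written for this page, not code from Trojan.Grups, Storm, or the Symantec write-up; the page says nothing about how those families actually sign or encrypt, so Ed25519, the seq||body signing layout, the `Command` struct and the sleep/shutdown strings are all assumptions chosen for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is the bot-side view of one operator message: a strictly
// increasing sequence number (replay protection), an opaque body, and an
// Ed25519 signature over seq||body. Layout is an assumption for this demo.
type Command struct {
	Seq  uint64
	Body []byte
	Sig  []byte
}

// signedBytes is the exact byte string that gets signed and verified:
// 8-byte big-endian sequence number followed by the body.
func signedBytes(seq uint64, body []byte) []byte {
	buf := make([]byte, 8+len(body))
	binary.BigEndian.PutUint64(buf, seq)
	copy(buf[8:], body)
	return buf
}

// Sign is the operator side; the private key never leaves the operator.
func Sign(priv ed25519.PrivateKey, seq uint64, body []byte) Command {
	return Command{Seq: seq, Body: body, Sig: ed25519.Sign(priv, signedBytes(seq, body))}
}

// Verifier is the bot side: it embeds only the public key and remembers the
// highest sequence number it has accepted.
type Verifier struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}

var (
	ErrBadSig = errors.New("signature does not verify under operator key")
	ErrReplay = errors.New("sequence number not newer than last accepted")
)

// Accept returns nil only for a command signed by the operator key whose
// sequence number is newer than anything seen before.
func (v *Verifier) Accept(c Command) error {
	if !ed25519.Verify(v.pub, signedBytes(c.Seq, c.Body), c.Sig) {
		return ErrBadSig
	}
	if c.Seq <= v.lastSeq {
		return ErrReplay
	}
	v.lastSeq = c.Seq
	return nil
}

// Demo walks the three cases the thread raises: a genuine command, a
// "shutdown" forged with someone else's key, and a replay of the genuine one.
// Keys are generated fresh each run; the command strings are constructed.
func Demo() (genuine, forged, replayed error) {
	opPub, opPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, outsiderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bot := &Verifier{pub: opPub}

	genuine = bot.Accept(Sign(opPriv, 1, []byte("sleep 3600")))       // accepted
	forged = bot.Accept(Sign(outsiderPriv, 2, []byte("shutdown")))    // ErrBadSig
	replayed = bot.Accept(Sign(opPriv, 1, []byte("sleep 3600")))      // ErrReplay
	return genuine, forged, replayed
}

func main() {
	g, f, r := Demo()
	fmt.Println("genuine:", g)
	fmt.Println("forged: ", f)
	fmt.Println("replayed:", r)
}
```

Two things follow for a defender. First, the verification key is the only key recoverable from a sample, so takedown has to go after the distribution channel (here, the newsgroup) rather than the command format; Google Groups is replaceable, but the operator's private key is not. Second, that embedded public key is itself a stable fingerprint for a family, since rotating it means reinfecting every bot.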

  4. Those IRC dwelling 14 year olds... by petrus4 · · Score: 1, Insightful

    I've already drawn a portrait of them here.

    They never cease to amaze me, however; they are tireless in their attempts to bring new, innovative, and endlessly wonderful varieties of malware to the computer using public.

    I know eventually a true, almost impossible to counter exploit will be found by them, for Linux. They will probably employ it more for the purposes of proving that Linux is not immune to their wrath, than anything else.

    When the first Linux malware exploiting that flaw is written by them, I fully expect that the first sign of infection will be a Linux user hearing a wav file of Carrie Ann Moss being played on their machine.

    "Dodge this."

    1. Re:Those IRC dwelling 14 year olds... by flydpnkrtn · · Score: 3, Insightful

      I know eventually a true, almost impossible to counter exploit will be found by them, for Linux.

      I think you lay the melodrama on a bit too thick... there's not really such a thing as an "impossible to counter" exploit...

  5. Re:C2, not C&C by Yvan256 · · Score: 3, Insightful

    And C2 can refer to a truckload of things, so that doesn't really help.