Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Groups Used To Control Botnets

Posted by Soulskill on from the easier-than-by-carrier-pigeon-in-most-cases dept.

oDDmON oUT writes "'Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. ... Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands,' writes Symantec employee Gavin O Gorman. He goes on to state that 'the Trojan itself is quite simple. It is distributed as a DLL,' and while the decrypted commands indicate it is used 'for reconnaissance and targeted attacks,' he does go on record as saying, 'It's worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.'"

6 of 63 comments (clear)

  1. So? by timeOday · · Score: 2, Insightful

    Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?

    1. Re:So? by houstonbofh · · Score: 2, Insightful

      Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?

      That instead of being controlled by a traceable PC owned by the hacker, or an infected PC that may be blocked, cleaned, removed, or traced, It is on a widely respected and not usually blocked third party service.

      It is similar to the improperly named "Linux Botnet" of actual, production websites yesterday. But where yesterday Linux haters were laughing, today it will be Google haters.

  2. Why not P2P? by Jared555 · · Score: 2, Insightful

    What would be so hard for botnet owners to make a peer to peer botnet rather than using servers? When a new machine is infected just send it a small list of hosts. Once connected distribute the full list of hosts. Most home networks do not secure upnp so inbound connections are not an issue.

    For networks that do not allow firewall reconfiguration.... Infect via removable media or email and then distribute the commands internally through the network until more machines can make direct outbound connections.

    Use random ports and encryption to make it harder to track and then use private/public keys so someone can't just send a shutdown command out over the network.

    1. Re:Why not P2P? by sakdoctor · · Score: 3, Insightful

      Storm and many others used P2P.
      Using a distributed hash table, each node wouldn't need a FULL list of nodes; often just O(log(n)) nodes.

      They have used encrypted+signed commands since forever, port knocking, basically everything in the field has been incorporated into making a better, more robust bot.

  3. Re:C2, not C&C by Yvan256 · · Score: 3, Insightful

    And C2 can refer to a truckload of things, so that doesn't really help.

  4. Re:Those IRC dwelling 14 year olds... by flydpnkrtn · · Score: 3, Insightful

    I know eventually a true, almost impossible to counter exploit will be found by them, for Linux.

    I think you lay the melodrama on a bit too thick... there's not really such a thing as an "impossible to counter" exploit...

    --
    Here's to the crazy ones