Google Groups Used To Control Botnets

oDDmON oUT writes "'Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. ... Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands,' writes Symantec employee Gavin O Gorman. He goes on to state that 'the Trojan itself is quite simple. It is distributed as a DLL,' and while the decrypted commands indicate it is used 'for reconnaissance and targeted attacks,' he does go on record as saying, 'It's worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.'"

Re:Google Groups is just a way to Usenet

[athakur999]

It's true Google Groups can be used to view Usenet groups, but you can also create groups that are completely independent of Usenet with it. That seems to be the case here.

This just in!

Breaking news today:

Free Web Service Abused, Professionals Shocked

News at 11.

This just in!

Breaking news today:

Windows computers still being infected via DLLs, professionals shocked.

News at 11:05.

"oops,

[martas]

it seems we just did some pretty serious evil..."

So?

[timeOday]

Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?

Re:So?

[houstonbofh]

Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?

That instead of being controlled by a traceable PC owned by the hacker, or an infected PC that may be blocked, cleaned, removed, or traced, It is on a widely respected and not usually blocked third party service.

It is similar to the improperly named "Linux Botnet" of actual, production websites yesterday. But where yesterday Linux haters were laughing, today it will be Google haters.

Re:So?

[sakdoctor]

-----BEGIN BOTNET COMMAND OVER /.-----
Version: v1.0.0

TEx2OTNZRm9 mb1l4Q1B5N25P b3dxSjRCMkhSS WhzdDFBbV Ezd2lGSWtY R1pEMWJ qUHdtcG9z cktLNHd5 cDBZeg==

-----END BOTNET COMMAND OVER /.-----

Re:So?

On a more serious note, this demonstrates how easy it is to use any service for a botnet.
As long as a service allows persistent user data, Slashdot, Google Customized Search, Photobucket, whatever, can all be used.
Hell, the data doesn't even need to be persistent, ideally around a days age at the most, this allows each time region to access the site at different times so that it won't overload it or arouse suspicions by those sneaky little ninja sysadmins.

Think about all those free websites out there, millions of them, and you can bet a good chunk of those are for botnets.

Or how about MSN?
Contacts of contacts of contacts, it can go millions of contacts deep, or a few hundred accounts used around the same geographical location at different times in the day.

Of course, e-mail is still the best.
Gmail is probably the best for this at the moment because of how much information that can be stored on a page at first glance. (which is why Gmail Drive is so nice)

Another sign Linux just isn't ready for prime time

[HangingChad]

It is distributed as a DLL...

Until Linux can run botnet dll's and find a place among p0wn3d hacker machines, it's going to remain a hobbyist toy. It's so wasteful and inefficient to hack computers one at a time.

Why not P2P?

[Jared555]

What would be so hard for botnet owners to make a peer to peer botnet rather than using servers? When a new machine is infected just send it a small list of hosts. Once connected distribute the full list of hosts. Most home networks do not secure upnp so inbound connections are not an issue.

For networks that do not allow firewall reconfiguration.... Infect via removable media or email and then distribute the commands internally through the network until more machines can make direct outbound connections.

Use random ports and encryption to make it harder to track and then use private/public keys so someone can't just send a shutdown command out over the network.

Re:Why not P2P?

[sakdoctor]

Storm and many others used P2P.
Using a distributed hash table, each node wouldn't need a FULL list of nodes; often just O(log(n)) nodes.

They have used encrypted+signed commands since forever, port knocking, basically everything in the field has been incorporated into making a better, more robust bot.

Re:Why not P2P?

[similar_name]

What would be so hard for botnet owners to make a peer to peer botnet rather than using servers?

That would attract the wrath of the RIAA.

Just Google it

[Mathinker]

We used to say "Engage brain before opening mouth" but nowadays the equivalent is "Check Google (or equivalent) before posting". P2P botnets have been around for a long time, and the recent Conficker worm uses P2P technology in quite an advanced way.

Next up: Botnets surfing the google wave

[ghmh]

Who needs IRC or usenet or google groups when you can surf the google wave?

Wonder whether this will get you access?

Google Wave Sandbox Developer Signup

Name: xxxx
....
What do you intend to build?
Botnet

Re:C2, not C&C

[Yvan256]

And C2 can refer to a truckload of things, so that doesn't really help.

Re:Those IRC dwelling 14 year olds...

[flydpnkrtn]

I know eventually a true, almost impossible to counter exploit will be found by them, for Linux.

I think you lay the melodrama on a bit too thick... there's not really such a thing as an "impossible to counter" exploit...

That explains it!

[GameboyRMH]

Slashdot copypasta troll posts are actually botnet commands! It just blends in with the original trolls so that nobody expects a thing!