September 14, 2009, 7:42 AM — We’ve seen this happen with Twitter, now it appears that botnet writers are using Google Groups newsgroups as a base for controlling infected PCs.
Hackers need to be able to quickly and easily spread commands to their botnets, or networks of compromised PCs that they can gain control over to spread spam and malware, and have recently turned to social networking sites such as Twitter to distribute their instructions.
Recent efforts to hide botnet command and control communications in mainstream places have a new back-door Trojan called Trojan Grups (sic) using Google Groups to command and control botnets, according to a post (http://www.symantec.com/connect/blogs/google-groups-trojan) on Symantec’s security blog. Symantec notes that distributing the malware that infects PCs and turns them into bots through news groups – so that visitors to those groups become infected -- is common, but this is the first instance the security company knows of where hackers are spreading their commands through a news group.
This Trojan is distributed as a DLL and logs onto a specific Google Groups account. Once logged on, it requests a page from a private newsgroup that contains commands for the compromised PC to carry out, and can also post responses. All communication is encrypted.
As savvy as this form of command and control may seem, there are some downsides -- because the commands to botnets are stored as postings to the newsgroup, researchers can read them and decipher what type of action the controller is telling the bots to take. With Trojan Grups, it appears the botnet is used for reconnaissance and targeted attacks.
Also because Google Groups includes version controlling, communication and the growth of the botnet over time can also be tracked. This Trojan was released in November of 2008, says Symantec, and peaked in activity during February.
Do you tweet? Follow me on Twitter here.
