
Google Groups Newsgroup Exploited to Send Botnet Commands

Symantec has identified a Trojan that abuses Google Groups by turning one of its newsgroups into a command-and-control (C&C) channel for bot-infected networks.

In a blog post, Symantec security researcher Gavin Gorman wrote that the Trojan used for this task, named Trojan.Grups, is fairly simple. Once executed, it tries to log in to a particular Google account and requests a page from a private newsgroup containing encrypted instructions, which the Trojan then executes, as the researcher stated and SCMagazine published on September 14, 2009.

The attack notably uses the RC4 stream cipher to encrypt the messages that are sent and received, according to the security specialists at Symantec. They also say that while encrypting the communication is conceptually simple, it suggests the attackers are taking additional measures to escape detection and to prevent another rogue party from taking over their botnet.

However, the technique has certain disadvantages for the attacker. For instance, every response is saved as a posting within the newsgroup, and this arrangement makes it easy to trace the Trojan's activity backwards. Gorman speculated, considering the Trojan's comparatively low activity (only 3,000 newsgroup posts have been reported from November 2008 to date) and a scrutiny of its script, that the technique might be a prototype implementation for testing newsgroups as command-and-control channels, as reported by eWeek on September 11, 2009.
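The two points above, RC4-encrypted postings and a newsgroup archive that records every exchange, are what an analyst works with when reconstructing such a channel. The following is an added example, not code from the page or from Symantec: it implements RC4 as a plain stream cipher, decrypts a set of constructed sample postings with an assumed key (the real Trojan.Grups key is not given on the page), and orders them into an activity timeline. The post layout, the base64 transport encoding and the command strings are all constructed for the example.

```python
import base64
from datetime import datetime

# Assumed key for this example only; the page does not give Trojan.Grups' actual key.
ASSUMED_KEY = b"example-key-not-from-the-page"


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key-scheduling (KSA) first, then the PRGA loop."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; RC4 is symmetric, so one call both encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decode_post(key: bytes, body_b64: str) -> str:
    """Recover the plaintext of one archived posting (base64 transport encoding is assumed)."""
    return rc4(key, base64.b64decode(body_b64)).decode("utf-8", errors="replace")


def build_timeline(key: bytes, posts):
    """Decrypt every archived posting and return (timestamp, author, plaintext) in time order."""
    rows = []
    for post in posts:
        stamp = datetime.strptime(post["date"], "%Y-%m-%d %H:%M")
        rows.append((stamp, post["author"], decode_post(key, post["body"])))
    rows.sort(key=lambda r: r[0])
    return rows


def _constructed_post(date: str, author: str, plaintext: str) -> dict:
    """Build a constructed sample posting for the example; this is not captured data."""
    body = base64.b64encode(rc4(ASSUMED_KEY, plaintext.encode())).decode("ascii")
    return {"date": date, "author": author, "body": body}


# Constructed sample thread, deliberately out of order, standing in for an archived newsgroup.
SAMPLE_POSTS = [
    _constructed_post("2009-09-02 11:05", "bot-7f3a", "RESP version=1.0 os=lab-vm"),
    _constructed_post("2009-09-02 11:00", "operator", "CMD report-version"),
    _constructed_post("2009-09-02 11:30", "operator", "CMD sleep 3600"),
]


if __name__ == "__main__":
    for stamp, author, text in build_timeline(ASSUMED_KEY, SAMPLE_POSTS):
        print(f"{stamp:%Y-%m-%d %H:%M}  {author:<9}  {text}")
```

Two properties matter for the analysis. RC4 gives confidentiality only: it has no integrity check, so a decryption with the wrong key or a corrupted posting produces garbage rather than an error, and the `errors="replace"` decoding above is there so the timeline still shows such entries. And because Google Groups stores each posting, the archive itself is the durable record the article describes: once the key is recovered from a sample, the whole history of commands and responses can be read back in order.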

Additionally, the security specialists think the attack originates from Taiwan, as the language used in the newsgroup is Chinese and the commands contain many references to .tw domains.

Earlier, Twitter was used to deliver commands in a similar fashion: one of its accounts had been turned into a C&C center that sent instructions to infected PCs. Although the tweets from the compromised account looked like random strings of numbers and letters, they were in fact encrypted instructions for bot-infected computers.

Gerry Egan, Director of Symantec Security Response, said that the use of a newsgroup as a C&C medium was unprecedented. He added that it allows two-way interaction over legitimate infrastructure, as reported by SCMagazine on September 14, 2009.


» SPAMfighter News - 10/2/2009
