Botnet commands spread by Google Groups

A trojan targeting Google Groups turns newsgroups into a means for distributing command-and-control information for botnets.

“The trojan [dubbed Trojan.Grups] in this case is fairly simple,” wrote Gavin Gorman, security researcher for Symantec, in a post Friday on a Symantec blog. “But when executed, it logs onto a specific Google account and requests a page from a private newsgroup, which contains encrypted commands for the malware to carry out.”

In the past, Twitter has been used to deliver commands, by which an account was being used as a command-and-control hub to issue instructions to infected computers. Tweets coming from the malicious accounts were encoded and looked like a random combination of letters and numbers. But the tweets were actually being used to issue new instructions to bots.

“This is the first time a newsgroup being used as a command-and-control conduit,” Gerry Egan, director of Symantec Security Response, told SCMagazineUS.com Friday. “It establishes a two-way communications pipe, using a legitimate infrastructure.”

Experts believe this is just a test -- research-and-development for malware writers to see if the idea is feasible.

“Based on analysis of the source code, Symantec believes this may be a prototype implementation, testing the feasibility of web-based newsgroups as command-and-control structures,” Gorman wrote. “Analysis also indicates that this trojan is seeking to remain discreet and undetected, being used to subtly gather information and potentially determine future attack targets.”

The reason that this sort of attack is attractive to cybercriminals could be the difficultly in identifying and shutting down such sources, Egan said.

“In a sense, it makes it harder to detect,” he said.

A Google spokesperson could not immediately be reached for comment.