Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security Google The Internet

Google Groups Used To Control Botnets 63

oDDmON oUT writes "'Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. ... Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands,' writes Symantec employee Gavin O Gorman. He goes on to state that 'the Trojan itself is quite simple. It is distributed as a DLL,' and while the decrypted commands indicate it is used 'for reconnaissance and targeted attacks,' he does go on record as saying, 'It's worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.'"
This discussion has been archived. No new comments can be posted.

Google Groups Used To Control Botnets

Comments Filter:
  • Google Groups is just a way to Usenet

    • by athakur999 ( 44340 ) on Sunday September 13, 2009 @10:50AM (#29405047) Journal

      It's true Google Groups can be used to view Usenet groups, but you can also create groups that are completely independent of Usenet with it. That seems to be the case here.

      • local groups have always been available to usenet sites. this is just a web interface to groups on google's servers.

        • The Google specific groups have features that they don't provide for the Usenet feeds (member profiles, file sharing, etc.) It isn't the same as just local newsgroups.

          • I'm betting those are all built on top of whatever google uses for a news spool. Member profiles are part of the google login. File sharing is part of USENET, all they'd have to do is put a special signature in the file and store a base64 or similar attachment like everyone has been doing on USENET since whenever.

      • That makes sense, I also was confused about why they'd say Google Groups instead of Usenet at first. I forgot that Google allows creation of your own groups until I signed in to try figuring out how this could work.

  • by Anonymous Coward on Sunday September 13, 2009 @10:59AM (#29405093)

    Breaking news today:

    Free Web Service Abused, Professionals Shocked

    News at 11.

    • by tlhIngan ( 30335 )

      Free Web Service Abused, Professionals Shocked

      Except, there are two issues...

      1) A third party can shut you down. This happens quite often with the IRC-based botnets - the admins simply /akill anyone attempting to join the channel, or someone else can take over the botnet. Ditto Google - they can disable the group, or have it return NOP commands or someone else can post a command to self-destruct the botnet. That's why people tend to use P2P for botnets.

      2) A paper trail is left. Who was attacked and when, th

  • by Anonymous Coward

    Breaking news today:

    Windows computers still being infected via DLLs, professionals shocked.

    News at 11:05.

  • "oops, (Score:4, Funny)

    by martas ( 1439879 ) on Sunday September 13, 2009 @11:10AM (#29405147)
    it seems we just did some pretty serious evil..."
  • So? (Score:3, Insightful)

    by timeOday ( 582209 ) on Sunday September 13, 2009 @11:16AM (#29405173)
    Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?
    • Re: (Score:3, Insightful)

      by houstonbofh ( 602064 )

      Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?

      That instead of being controlled by a traceable PC owned by the hacker, or an infected PC that may be blocked, cleaned, removed, or traced, It is on a widely respected and not usually blocked third party service.

      It is similar to the improperly named "Linux Botnet" of actual, production websites yesterday. But where yesterday Linux haters were laughing, today it will be Google haters.

      • That's not new. Check out "The Rallying Problem" section from this 4-year old presentation [caida.org].
      • by 1u3hr ( 530656 )
        It is on a widely respected and not usually blocked third party service.

        No one who is s "serious" user of Usenet respects Google Groups' interface.

        They at least provide a useful search function, but even that has been rather fucked up for several months. But they are justly maligned for allowing spammers to use them to spam millions of messages into just about every newsgroup. They do nothing to screen their messages. They certainly have excellent spam detection in GMail, so dark conspiracy theories abo

        • Exactly. When my client allows, I don't even SEE messages from someone using Google Groups.

          I know it's a bit harsh to just block a provider yet... but a majority of the retarded shoe-spammers and such, all seem to come through Google Groups.

          That said, if GG wasn't the low-hanging-fruit, I'm sure some other provider would be victimized by the spammers.

          • by 1u3hr ( 530656 )
            That said, if GG wasn't the low-hanging-fruit, I'm sure some other provider would be victimized by the spammers.

            Anyone can set up a news server, but if they spew spam, they are quickly blacklisted by other providers, so their posts are dropped and the damage is limited. Sadly few have the guts to block Google.

    • Re:So? (Score:5, Funny)

      by sakdoctor ( 1087155 ) on Sunday September 13, 2009 @11:23AM (#29405207) Homepage

      -----BEGIN BOTNET COMMAND OVER /.-----
      Version: v1.0.0

      TEx2OTNZRm9 mb1l4Q1B5N25P b3dxSjRCMkhSS WhzdDFBbV Ezd2lGSWtY R1pEMWJ qUHdtcG9z cktLNHd5 cDBZeg==

      -----END BOTNET COMMAND OVER /.-----

      • Re:So? (Score:4, Interesting)

        by Anonymous Coward on Sunday September 13, 2009 @12:20PM (#29405535)

        On a more serious note, this demonstrates how easy it is to use any service for a botnet.
        As long as a service allows persistent user data, Slashdot, Google Customized Search, Photobucket, whatever, can all be used.
        Hell, the data doesn't even need to be persistent, ideally around a days age at the most, this allows each time region to access the site at different times so that it won't overload it or arouse suspicions by those sneaky little ninja sysadmins.

        Think about all those free websites out there, millions of them, and you can bet a good chunk of those are for botnets.

        Or how about MSN?
        Contacts of contacts of contacts, it can go millions of contacts deep, or a few hundred accounts used around the same geographical location at different times in the day.

        Of course, e-mail is still the best.
        Gmail is probably the best for this at the moment because of how much information that can be stored on a page at first glance. (which is why Gmail Drive is so nice)

        • Slashdot copypasta troll posts are actually botnet commands! It just blends in with the original trolls so that nobody expects a thing!
          • My god, the pieces of the puzzle are finally beginning to come together.

            everytime mr goatse appears, a botnet stands at attention. then, tubgirl releases the attack on the target.
            there has never been a more simple, disgusting, genius idea.

        • Hell, one could even use a legitimate Flickr photostream or whatever they are called, hiding encrypted commands within images [wikipedia.org]. This could be done in nearly any kind of file, really. Have fun detecting this, especially if the 'cover' is suitably advanced.

          (example, using a real social networking system legitimately, as well as for command/control. Or using an accomplice's account)

          All it takes is the magical combination of imagination and technical skill, as well as the desire to do something like run such a n

      • Re: (Score:1, Redundant)

        by selven ( 1556643 )
        What's it supposed to do, turn my computer into stooooooooooooooooooooooooooo[NO CARRIER]
      • Pfft. A weird hex command can't...


        bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel

    • We can destroy a botnet by shutting down google.
  • by HangingChad ( 677530 ) on Sunday September 13, 2009 @11:26AM (#29405229) Homepage

    It is distributed as a DLL...

    Until Linux can run botnet dll's and find a place among p0wn3d hacker machines, it's going to remain a hobbyist toy. It's so wasteful and inefficient to hack computers one at a time.

    • People could make automated attacks against linux servers (there are probably some already) that detect if a site is running certain vulnerable scripts and run from there. Some issues could be solved easily by detecting paths on the web server, differences in distributions can be covered by trying the top 3-5 most popular paths (or more intelligent checks) , etc.

      One nice thing about running php as the user that owns the site is it makes it more difficult for someone to take out every site on a server.

  • Why not P2P? (Score:3, Insightful)

    by Jared555 ( 874152 ) on Sunday September 13, 2009 @11:39AM (#29405295)

    What would be so hard for botnet owners to make a peer to peer botnet rather than using servers? When a new machine is infected just send it a small list of hosts. Once connected distribute the full list of hosts. Most home networks do not secure upnp so inbound connections are not an issue.

    For networks that do not allow firewall reconfiguration.... Infect via removable media or email and then distribute the commands internally through the network until more machines can make direct outbound connections.

    Use random ports and encryption to make it harder to track and then use private/public keys so someone can't just send a shutdown command out over the network.

    • Thank you, sir, for destroying what was left of the Internets.
    • Just Google it (Score:3, Informative)

      by Mathinker ( 909784 )

      We used to say "Engage brain before opening mouth" but nowadays the equivalent is "Check Google (or equivalent) before posting". P2P botnets have been around for a long time, and the recent Conficker worm uses P2P technology in quite an advanced way [wikipedia.org].

    • by gmuslera ( 3436 )
      Random ports and encryptions is what is usually easier to get blocked at your network perimeter. But is not so easy to block google at port 80, even with clear text content, probably someone in your internal network would want to use it for legitimate reasons.

      Would not be so surprised that RSSs or the pages itself from blogger (or other massive blog hosting sites) could be used for this, or ad hoc mailing lists. In fact, anything that could be put in internet by someone potentially anonymous and accessed au
    • Re:Why not P2P? (Score:4, Insightful)

      by sakdoctor ( 1087155 ) on Sunday September 13, 2009 @12:00PM (#29405405) Homepage

      Storm and many others used P2P.
      Using a distributed hash table, each node wouldn't need a FULL list of nodes; often just O(log(n)) nodes.

      They have used encrypted+signed commands since forever, port knocking, basically everything in the field has been incorporated into making a better, more robust bot.

    • by similar_name ( 1164087 ) on Sunday September 13, 2009 @02:06PM (#29406317)

      What would be so hard for botnet owners to make a peer to peer botnet rather than using servers?

      That would attract the wrath of the RIAA.

  • I've already drawn a portrait of them here [slashdot.org].

    They never cease to amaze me, however; they are tireless in their attempts to bring new, innovative, and endlessly wonderful varieties of malware to the computer using public.

    I know eventually a true, almost impossible to counter exploit will be found by them, for Linux. They will probably employ it more for the purposes of proving that Linux is not immune to their wrath, than anything else.

    When the first Linux malware exploiting that flaw is written by them, I fu

  • Breaking news: Software uses plain text messages as means of communication. News at 11.11
    • by Yvan256 ( 722131 )

      Breaking news: botnets use plain text messages and waste bytes and bytes of bandwidth instead of using binary to communicate between themselves. News at 9:00.

  • by ghmh ( 73679 ) on Sunday September 13, 2009 @12:57PM (#29405811)

    Who needs IRC or usenet or google groups when you can surf the google wave?

    Wonder whether this will get you access?

    Google Wave Sandbox Developer Signup [google.com]

    Name: xxxx
    What do you intend to build?

  • Pass good samaratin laws that allow researchers to nuke botnets. Or heck, let the FBI or NSA take care of that.

    I think that would be even more awesome than when Goonswarm took over BoB.

    • by Thuktun ( 221615 )

      Pass good samaratin [sic] laws that allow researchers to nuke botnets.

      Oh yeah, that will end well.

  • Wouldn't it be trivial for Google to kill it? Think about it, recently created groups devoid of any true conversational activity, being accessed by thousands of computers on a regular basis, probably all of them identifying themselves in a similar way (i.e. all giving the same user agent or no user agent, no referral, etc..). That would be fairly trivial for Google to identify the patterns and shut down the botnet groups. Might orphan quite a few botnets, and definitely hunt the botnets out of Google Groups

  • Never ever let any exe near your operating system if it has dll's that "need" to be installed. Windoze is not exactly idiot proof.

  • I KNEW IT! Google has become Skynet! Quick, someone knock up Mrs. Conner!
  • Whether its google news groups, or the ebay website or even facebook, you can use any tool , and any website that offers postinsg or forums or even blogs, to upload commands to your botnet, if the parser included in the botnet knows how to read it.
    The fact that they are trying to put google's good name on the line for this, as if it was google's fault shows how little they really know about these botnets, and this technology.

Research is what I'm doing when I don't know what I'm doing. -- Wernher von Braun