Google Groups Used To Control Botnets
oDDmON oUT writes "'Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. ... Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands,' writes Symantec employee Gavin O Gorman. He goes on to state that 'the Trojan itself is quite simple. It is distributed as a DLL,' and while the decrypted commands indicate it is used 'for reconnaissance and targeted attacks,' he does go on record as saying, 'It's worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.'"
Google Groups is just a way to Usenet (Score:2, Insightful)
Google Groups is just a way to Usenet
Re:Google Groups is just a way to Usenet (Score:5, Informative)
It's true Google Groups can be used to view Usenet groups, but you can also create groups that are completely independent of Usenet with it. That seems to be the case here.
Re: (Score:2)
local groups have always been available to usenet sites. this is just a web interface to groups on google's servers.
Re: (Score:2)
The Google specific groups have features that they don't provide for the Usenet feeds (member profiles, file sharing, etc.) It isn't the same as just local newsgroups.
Re: (Score:2)
I'm betting those are all built on top of whatever google uses for a news spool. Member profiles are part of the google login. File sharing is part of USENET, all they'd have to do is put a special signature in the file and store a base64 or similar attachment like everyone has been doing on USENET since whenever.
Re: (Score:2)
That makes sense, I also was confused about why they'd say Google Groups instead of Usenet at first. I forgot that Google allows creation of your own groups until I signed in to try figuring out how this could work.
This just in! (Score:5, Funny)
Breaking news today:
Free Web Service Abused, Professionals Shocked
News at 11.
Re: (Score:2)
Except, there are two issues...
1) A third party can shut you down. This happens quite often with the IRC-based botnets - the admins simply /akill anyone attempting to join the channel, or someone else can take over the botnet. Ditto Google - they can disable the group, or have it return NOP commands or someone else can post a command to self-destruct the botnet. That's why people tend to use P2P for botnets.
2) A paper trail is left. Who was attacked and when, th
This just in! (Score:2, Funny)
Breaking news today:
Windows computers still being infected via DLLs, professionals shocked.
News at 11:05.
Re: (Score:1)
"oops, (Score:4, Funny)
So? (Score:3, Insightful)
Re: (Score:3, Insightful)
Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?
That instead of being controlled by a traceable PC owned by the hacker, or an infected PC that may be blocked, cleaned, removed, or traced, It is on a widely respected and not usually blocked third party service.
It is similar to the improperly named "Linux Botnet" of actual, production websites yesterday. But where yesterday Linux haters were laughing, today it will be Google haters.
Re: (Score:2)
Re: (Score:2)
No one who is a "serious" user of Usenet respects Google Groups' interface.
They at least provide a useful search function, but even that has been rather fucked up for several months. But they are justly maligned for allowing spammers to use them to spam millions of messages into just about every newsgroup. They do nothing to screen their messages. They certainly have excellent spam detection in GMail, so dark conspiracy theories abo
Re: (Score:2)
Exactly. When my client allows, I don't even SEE messages from someone using Google Groups.
I know it's a bit harsh to just block a provider yet... but a majority of the retarded shoe-spammers and such, all seem to come through Google Groups.
That said, if GG wasn't the low-hanging-fruit, I'm sure some other provider would be victimized by the spammers.
Re: (Score:2)
Anyone can set up a news server, but if they spew spam, they are quickly blacklisted by other providers, so their posts are dropped and the damage is limited. Sadly few have the guts to block Google.
Re:So? (Score:5, Funny)
-----BEGIN BOTNET COMMAND OVER /.-----
Version: v1.0.0
TEx2OTNZRm9 mb1l4Q1B5N25P b3dxSjRCMkhSS WhzdDFBbV Ezd2lGSWtY R1pEMWJ qUHdtcG9z cktLNHd5 cDBZeg==
-----END BOTNET COMMAND OVER /.-----
Re:So? (Score:4, Interesting)
On a more serious note, this demonstrates how easy it is to use any service for a botnet.
As long as a service allows persistent user data, Slashdot, Google Customized Search, Photobucket, whatever, can all be used.
Hell, the data doesn't even need to be persistent, ideally around a day's age at the most; this allows each time region to access the site at different times so that it won't overload it or arouse suspicions by those sneaky little ninja sysadmins.
Think about all those free websites out there, millions of them, and you can bet a good chunk of those are for botnets.
Or how about MSN?
Contacts of contacts of contacts, it can go millions of contacts deep, or a few hundred accounts used around the same geographical location at different times in the day.
Of course, e-mail is still the best.
Gmail is probably the best for this at the moment because of how much information that can be stored on a page at first glance. (which is why Gmail Drive is so nice)
That explains it! (Score:3)
Re: (Score:2)
My god, the pieces of the puzzle are finally beginning to come together.
everytime mr goatse appears, a botnet stands at attention. then, tubgirl releases the attack on the target.
there has never been a more simple, disgusting, genius idea.
Re: (Score:2)
Hell, one could even use a legitimate Flickr photostream or whatever they are called, hiding encrypted commands within images [wikipedia.org]. This could be done in nearly any kind of file, really. Have fun detecting this, especially if the 'cover' is suitably advanced.
(example, using a real social networking system legitimately, as well as for command/control. Or using an accomplice's account)
All it takes is the magical combination of imagination and technical skill, as well as the desire to do something like run such a n
Re: (Score:1, Redundant)
Re: (Score:2)
Pfft. A weird hex command can't...
uh...
bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel
Re: (Score:1)
Another sign Linux just isn't ready for prime time (Score:5, Funny)
It is distributed as a DLL...
Until Linux can run botnet dll's and find a place among p0wn3d hacker machines, it's going to remain a hobbyist toy. It's so wasteful and inefficient to hack computers one at a time.
Re: (Score:2)
People could make automated attacks against Linux servers (there are probably some already) that detect if a site is running certain vulnerable scripts and run from there. Some issues could be solved easily by detecting paths on the web server; differences in distributions can be covered by trying the top 3-5 most popular paths (or more intelligent checks), etc.
One nice thing about running php as the user that owns the site is it makes it more difficult for someone to take out every site on a server.
Re:C2, not C&C (Score:4, Insightful)
And C2 [wikipedia.org] can refer to a truckload of things, so that doesn't really help.
Re: (Score:2)
And C2 [wikipedia.org] can refer to a truckload of things, so that doesn't really help.
For simplicity, let's just abbreviate it as CLOWN and watch the novices try to puzzle it out.
Why not P2P? (Score:3, Insightful)
What would be so hard for botnet owners to make a peer to peer botnet rather than using servers? When a new machine is infected just send it a small list of hosts. Once connected distribute the full list of hosts. Most home networks do not secure upnp so inbound connections are not an issue.
For networks that do not allow firewall reconfiguration.... Infect via removable media or email and then distribute the commands internally through the network until more machines can make direct outbound connections.
Use random ports and encryption to make it harder to track and then use private/public keys so someone can't just send a shutdown command out over the network.
Re: (Score:1)
Re: (Score:2)
Indeed. I'm moving to the intarweb right now.
Just Google it (Score:3, Informative)
We used to say "Engage brain before opening mouth" but nowadays the equivalent is "Check Google (or equivalent) before posting". P2P botnets have been around for a long time, and the recent Conficker worm uses P2P technology in quite an advanced way [wikipedia.org].
Re: (Score:2)
Would not be so surprised that RSS feeds or the pages themselves from Blogger (or other massive blog hosting sites) could be used for this, or ad hoc mailing lists. In fact, anything that could be put on the internet by someone potentially anonymous and accessed au
Re:Why not P2P? (Score:4, Insightful)
Storm and many others used P2P.
Using a distributed hash table, each node wouldn't need a FULL list of nodes; often just O(log(n)) nodes.
They have used encrypted+signed commands since forever, port knocking, basically everything in the field has been incorporated into making a better, more robust bot.
Re:Why not P2P? (Score:5, Funny)
What would be so hard for botnet owners to make a peer to peer botnet rather than using servers?
That would attract the wrath of the RIAA.
Those IRC dwelling 14 year olds... (Score:2, Insightful)
I've already drawn a portrait of them here [slashdot.org].
They never cease to amaze me, however; they are tireless in their attempts to bring new, innovative, and endlessly wonderful varieties of malware to the computer using public.
I know eventually a true, almost impossible to counter exploit will be found by them, for Linux. They will probably employ it more for the purposes of proving that Linux is not immune to their wrath, than anything else.
When the first Linux malware exploiting that flaw is written by them, I fu
Re: (Score:1, Troll)
Good thing that wav is a Microsoft file format and hence cannot be played under Linux. /sarcasm
Re:Those IRC dwelling 14 year olds... (Score:4, Insightful)
I know eventually a true, almost impossible to counter exploit will be found by them, for Linux.
I think you lay the melodrama on a bit too thick... there's not really such a thing as an "impossible to counter" exploit...
This just in, too! (Score:2)
Re: (Score:2)
Breaking news: botnets use plain text messages and waste bytes and bytes of bandwidth instead of using binary to communicate between themselves. News at 9:00.
Next up: Botnets surfing the google wave (Score:5, Funny)
Who needs IRC or usenet or google groups when you can surf the google wave?
Wonder whether this will get you access?
Google Wave Sandbox Developer Signup [google.com]
Name: xxxx
....
What do you intend to build?
Botnet
New solution (Score:2)
Pass good samaratin laws that allow researchers to nuke botnets. Or heck, let the FBI or NSA take care of that.
I think that would be even more awesome than when Goonswarm took over BoB.
Re: (Score:2)
Pass good samaratin [sic] laws that allow researchers to nuke botnets.
Oh yeah, that will end well.
Trivial solution (Score:2)
Wouldn't it be trivial for Google to kill it? Think about it: recently created groups devoid of any true conversational activity, being accessed by thousands of computers on a regular basis, probably all of them identifying themselves in a similar way (i.e. all giving the same user agent or no user agent, no referrer, etc.). It would be fairly trivial for Google to identify the patterns and shut down the botnet groups. Might orphan quite a few botnets, and definitely hunt the botnets out of Google Groups
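The detection pattern sketched in that comment (a new group with no real conversation, fetched by many clients that all look alike and arrive with no referrer), written out as an added Python example that is not from the thread or from Google: it scores groups over constructed access-log lines in a hypothetical format, and the thresholds are assumptions a real operator would tune.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines (hypothetical format: ip, group, user agent, referer).
SAMPLE_LOG = """\
203.0.113.5 grp=q3-updates ua="Mozilla/4.0 (compatible; MSIE 6.0)" ref="-"
203.0.113.9 grp=q3-updates ua="Mozilla/4.0 (compatible; MSIE 6.0)" ref="-"
198.51.100.2 grp=q3-updates ua="Mozilla/4.0 (compatible; MSIE 6.0)" ref="-"
198.51.100.7 grp=q3-updates ua="Mozilla/4.0 (compatible; MSIE 6.0)" ref="-"
192.0.2.11 grp=q3-updates ua="Mozilla/4.0 (compatible; MSIE 6.0)" ref="-"
192.0.2.12 grp=q3-updates ua="Mozilla/4.0 (compatible; MSIE 6.0)" ref="-"
203.0.113.5 grp=kernel-chat ua="Mozilla/5.0 (X11; Linux)" ref="https://groups.example/kernel-chat"
198.51.100.2 grp=kernel-chat ua="Mozilla/5.0 (Macintosh)" ref="https://search.example/?q=kernel"
192.0.2.11 grp=kernel-chat ua="Mozilla/5.0 (Windows NT 6.1)" ref="-"
"""
# Constructed group metadata: age in days and number of distinct discussion threads.
GROUP_META = {"q3-updates": {"age_days": 4, "threads": 1},
              "kernel-chat": {"age_days": 900, "threads": 340}}
UNKNOWN_META = {"age_days": 10**6, "threads": 10**6}  # treat unknown groups as old and busy

LINE_RE = re.compile(r'^(\S+) grp=(\S+) ua="([^"]*)" ref="([^"]*)"$')

def parse_log(text):
    """Group (ip, user_agent, referer) records by group name; malformed lines are skipped."""
    by_group = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, grp, ua, ref = m.groups()
            by_group[grp].append((ip, ua, ref))
    return by_group

def score_group(records, meta, min_clients=5):
    """Return (score, reasons) for one group; each matching heuristic adds one point."""
    reasons, n = [], len(records)
    if len({ip for ip, _, _ in records}) >= min_clients:
        reasons.append("many distinct clients")
    if Counter(ua for _, ua, _ in records).most_common(1)[0][1] / n >= 0.9:
        reasons.append("near-identical user agents")
    if sum(1 for _, _, ref in records if ref == "-") / n >= 0.9:
        reasons.append("almost no referrers")
    if meta["age_days"] < 30 and meta["threads"] <= 2:
        reasons.append("new group with no real conversation")
    return len(reasons), reasons

def flag_groups(text, meta, threshold=3):
    """Return {group: reasons} for every group scoring at or above the threshold."""
    scored = {g: score_group(r, meta.get(g, UNKNOWN_META)) for g, r in parse_log(text).items()}
    return {g: reasons for g, (score, reasons) in scored.items() if score >= threshold}
```

Scoring per group rather than per request is what separates a C2 drop point from a popular group that simply has many readers, since the latter shows varied user agents and referrers.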
DLL's (Score:1)
Never ever let any exe near your operating system if it has dll's that "need" to be installed. Windoze is not exactly idiot proof.
OH GOD (Score:1)
Finally a use for twitter (Score:1)
Non news here...move along (Score:2)
Whether it's Google news groups, or the eBay website or even Facebook, you can use any tool, and any website that offers postings or forums or even blogs, to upload commands to your botnet, if the parser included in the botnet knows how to read it.
The fact that they are trying to put google's good name on the line for this, as if it was google's fault shows how little they really know about these botnets, and this technology.