Trojan hides its brain in Google Groups

Criminals are moving to Web 2.0 as they look for ways to control their hacked computers

Virus writers keep getting sneakier. In an effort to evade detection, they've begun hiding their command and control instructions in legitimate Web 2.0 sites such as Google Groups and Twitter.

Recently, security vendor Symantec spotted a Trojan horse program that's been programmed to visit a private Google Groups newsgroup, called escape2sun, where it can download encrypted instructions or even software updates.

These "command and control" instructions are used by criminals to keep in touch with hacked PCs and update their malicious software.

Researchers have also seen criminals hide their messages in RSS feeds that are set up to broadcast Twitter messages, said Gerry Egan, a director with Symantec Security Response.

"We're seeing a trend toward using more mainstream social media-type interactions to hide command and control," he said.

The Google Groups system appears to be a prototype, but Egan expects the bad guys to increasingly use social media sites for this purpose, as security software becomes more effective at rooting out traditional command and control mechanisms.

"Malware authors are saying now that they're on to [our] techniques, let's try something different," Egan said.

Today most criminals communicate with the machines they've hacked via IRC (Internet Relay Chat) servers, or by placing commands on obscure, hard-to-find Web sites.

As system administrators are getting better at spotting and blocking these communications, the bad guys are "trying to hide these command and control messages inside legitimate traffic, so the presence of the traffic in and of itself doesn't raise a red flag," Egan said.

A system administrator can block access to IRC pretty easily, but blocking Twitter or Google is another matter altogether.

The Google Groups Trojan appears to be Taiwanese in origin and was probably used to quietly gather information for future attacks.

According to the data on Google Groups, the Trojan has not spread widely since it was created in November 2008. "Such a Trojan could potentially have been developed for targeted corporate espionage where anonymity and discretion are priorities," Symantec said in a Friday blog posting.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Topics: Google, Google Groups, trojan, malware
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?