
Trojan writers use Google Groups

Doing evil by the back door
Monday, 14 September 2009, 13:18

GOOGLE GROUPS apparently is being used by Trojan writers to distribute commands, according to Symantec insecurity expert Gaven Gorman.

Apparently he was out in the wild exploring when one of his native bearers came back with the news that they had spotted a back door Trojan that the outfit is calling Trojan.Grups.

Hunting the Trojan back to its lair, they found that it was based in Google Groups newsgroups. While Trojan distribution via newsgroups is relatively common, this is the first instance of Trojan command and control use of newsgroups that Symantec has detected.

It is not the fault of Google Groups. Google is merely a neutral party, Gorman said. However, since Google Groups is packed with features and versatility, it is really easy for hackers to use.

The Trojan itself is quite simple. It is distributed as a DLL and, when executed, logs in to a specific account.

Google's web-based newsgroups can store both static pages and postings. When logged in, the Trojan requests a page from a private newsgroup called "escape2sun".

The page contains the Trojan's orders. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded.

It all means that the attacker can issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time instead, a heartbeat that tells the operator the bot is still alive. Gorman says this is a jolly effective technique for anonymously issuing commands to malware infected systems.
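The following is an added illustration of the message format described above, not code from Symantec or from the Trojan itself. It implements RC4 in the standard way, wraps the three-field command (index, command line, optional download) in RC4 plus base64, walks through one polling cycle on the infected host (command present, and the no-command heartbeat), and then shows the analyst's view. Everything the article does not specify is an assumption and labelled as such: the separator between fields (one per line here), the subject used for the heartbeat post, and the key and sample command, which are constructed for the demo. Because RC4 is symmetric the bot must carry the key, so anyone with a copy of the DLL can decrypt every post, which is what makes the tracking described later possible.

```python
import base64
import time
from typing import Callable, Dict, List, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA then PRGA) XORed over data; the same call
    encrypts and decrypts because the cipher is symmetric."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_blob(key: bytes, text: str) -> str:
    """RC4-encrypt then base64-encode, the wrapping the article describes."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def decode_blob(key: bytes, blob: str) -> str:
    """Reverse of encode_blob: base64-decode then RC4."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8")


# ASSUMPTION: the article names the three fields but not their separator;
# one field per line is used here purely for illustration.
def build_command(index: int, cmdline: str, download: Optional[str] = None) -> str:
    fields = [str(index), cmdline]
    if download:
        fields.append(download)
    return "\n".join(fields)


def parse_command(page_text: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the command on the page, or None when the page carries none."""
    lines = [ln.strip() for ln in page_text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].isdigit():
        return None
    return {"index": lines[0], "cmdline": lines[1],
            "download": lines[2] if len(lines) > 2 else None}


# ASSUMPTION: the article does not say what subject the time-only post uses.
HEARTBEAT_SUBJECT = "heartbeat"


def handle_page(key: bytes, page_blob: str, run: Callable[[str], str],
                clock: Callable[[], float] = time.time) -> Dict[str, str]:
    """One polling cycle on the infected host: decrypt the page, act on it and
    return the post it would upload. Execution goes through the injected `run`
    callable so nothing is actually executed by this demo."""
    page_text = decode_blob(key, page_blob) if page_blob else ""
    cmd = parse_command(page_text)
    if cmd is None:
        # No command on the page: upload the current time as a heartbeat.
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(clock()))
        return {"subject": HEARTBEAT_SUBJECT, "body": encode_blob(key, stamp)}
    output = run(cmd["cmdline"])
    if cmd["download"]:
        output += "\n[would fetch %s]" % cmd["download"]
    # Response is posted with the command's index number as the subject.
    return {"subject": cmd["index"], "body": encode_blob(key, output)}


def read_posts(key: bytes, posts: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Analyst side: with the key pulled from the DLL every post decrypts,
    so the bot's whole response history can be read back in order."""
    return [(subject, decode_blob(key, blob)) for subject, blob in posts]


if __name__ == "__main__":
    KEY = b"demo-key-not-the-real-one"  # constructed for the demo

    def fake_run(cmdline: str) -> str:
        return "simulated output of: " + cmdline

    page = encode_blob(KEY, build_command(7, "ipconfig /all"))
    post = handle_page(KEY, page, fake_run, clock=lambda: 0)
    print(read_posts(KEY, [(post["subject"], post["body"])]))
    beat = handle_page(KEY, "", fake_run, clock=lambda: 0)
    print(read_posts(KEY, [(beat["subject"], beat["body"])]))
```

The `run` callable is injected rather than calling `subprocess` so the script is safe to run as written; the analyst function is the part a responder would actually keep, pointed at a dump of the newsgroup's posts once the key has been lifted from the sample.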

However the method does have its downsides. All responses are posted to the newsgroup, and because RC4 is a symmetric cipher the key has to ship inside the DLL, so anyone holding a sample can decrypt them and track the activity of the Trojan in detail. It is also possible to see all of the 34 page modifications that have been made over the last ten months. µ


Comments
News Flashed?

"out in the wild exploring when one of his native bearers came back with the news that they had spotted a back door Trojan that the outfit is calling Trojan.Grups"

The Trojan Group Ltd will be happy to provide punters with the Aladdin 0.35 Ltr "Leak Proof" Thermal Mug used for getting this Trojan on, and all the means to shoot the messenger.

"The fact that the private newsgroup containing the commands is in simplified Chinese and the fact the stored commands include references to the .tw domain suggest the author(s) designed it to operate in Taiwan".

I keep telling Evils:

1. Beware of Greeks bearing horse.

2. Remember the Paris Hilton can be effective without being flashy.

3. Turn off shockwave before it balloons out of control.

4. Avoid the spotted dick spoffskins.

5. Not every Tom, Dick and Harry's trowser browser will do.

6. Uhh, how you sayyy?, "hellaaa, hellaaa, hellaaa, hella-nista, butterface on the evils scale needs a jimmy hat!"

7. With a name like Smuckers that spreads upside down with New Easy to Squeeze, ... well you get the picture.

8. A place called Google Gropes? Well, what were you thinking?

9. Do know weevils.

10. It's Greek to me!

posted by: Mofaz the Depressed Persian Tow Truck Driver, 14 September 2009