
Google Groups Used To Control Botnets

Soulskill posted about 5 years ago | from the easier-than-by-carrier-pigeon-in-most-cases dept.

Security

oDDmON oUT writes "'Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. ... Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands,' writes Symantec employee Gavin O Gorman. He goes on to state that 'the Trojan itself is quite simple. It is distributed as a DLL,' and while the decrypted commands indicate it is used 'for reconnaissance and targeted attacks,' he does go on record as saying, 'It's worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.'"


63 comments


Google Groups is just a way to Usenet (1, Insightful)

hey (83763) | about 5 years ago | (#29405023)

Google Groups is just a way to Usenet

Re:Google Groups is just a way to Usenet (5, Informative)

athakur999 (44340) | about 5 years ago | (#29405047)

It's true Google Groups can be used to view Usenet groups, but you can also create groups that are completely independent of Usenet with it. That seems to be the case here.

Re:Google Groups is just a way to Usenet (1)

drinkypoo (153816) | about 5 years ago | (#29405961)

local groups have always been available to usenet sites. this is just a web interface to groups on google's servers.

Re:Google Groups is just a way to Usenet (1)

wiredlogic (135348) | about 5 years ago | (#29406487)

The Google specific groups have features that they don't provide for the Usenet feeds (member profiles, file sharing, etc.) It isn't the same as just local newsgroups.

Re:Google Groups is just a way to Usenet (1)

drinkypoo (153816) | about 5 years ago | (#29408729)

I'm betting those are all built on top of whatever google uses for a news spool. Member profiles are part of the google login. File sharing is part of USENET, all they'd have to do is put a special signature in the file and store a base64 or similar attachment like everyone has been doing on USENET since whenever.

Re:Google Groups is just a way to Usenet (1)

davidphogan74 (623610) | about 5 years ago | (#29409227)

That makes sense, I also was confused about why they'd say Google Groups instead of Usenet at first. I forgot that Google allows creation of your own groups until I signed in to try figuring out how this could work.

Re:Google Groups is just a way to Usenet (0)

Anonymous Coward | about 5 years ago | (#29405233)

No it isn't. You can create new groups and private groups that have nothing to do with Usenet.

This just in! (5, Funny)

Anonymous Coward | about 5 years ago | (#29405093)

Breaking news today:

Free Web Service Abused, Professionals Shocked

News at 11.

Re:This just in! (0)

Anonymous Coward | about 5 years ago | (#29405423)

Breaking News

Today Free Web Service

Abused Professionals

Shocked News at 11.

And somehow still makes sense..

Re:This just in! (1)

tlhIngan (30335) | about 5 years ago | (#29413757)

Free Web Service Abused, Professionals Shocked

Except, there are two issues...

1) A third party can shut you down. This happens quite often with the IRC-based botnets - the admins simply /akill anyone attempting to join the channel, or someone else can take over the botnet. Ditto Google - they can disable the group, or have it return NOP commands or someone else can post a command to self-destruct the botnet. That's why people tend to use P2P for botnets.

2) A paper trail is left. Who was attacked and when, the commands issued, etc., are all logged and kept by the third party. Even using a proxy, it seems like a really bad idea when someone is logging everything. Heck, imagine what Google could do with logs of people who accessed that newsgroup.

This just in! (2, Funny)

Anonymous Coward | about 5 years ago | (#29405125)

Breaking news today:

Windows computers still being infected via DLLs, professionals shocked.

News at 11:05.

Re:This just in! (0)

Anonymous Coward | about 5 years ago | (#29406183)

You do understand that the actual malware is being distributed as dll, nothing is being infected "via DLLs".

Re:This just in! (1)

uninformedLuddite (1334899) | about 5 years ago | (#29411615)

except of course the computer

Re:This just in! (0)

Anonymous Coward | about 5 years ago | (#29411241)

Win 7 too blue screens... professionals shocked..

"oops, (3, Funny)

martas (1439879) | about 5 years ago | (#29405147)

it seems we just did some pretty serious evil..."

So? (2, Insightful)

timeOday (582209) | about 5 years ago | (#29405173)

Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?

Re:So? (2, Insightful)

houstonbofh (602064) | about 5 years ago | (#29405201)

Aren't all botnets remote control? I don't see how it matters what network protocol is used. What am I missing?

That instead of being controlled by a traceable PC owned by the hacker, or an infected PC that may be blocked, cleaned, removed, or traced, it is on a widely respected and not usually blocked third party service.

It is similar to the improperly named "Linux Botnet" of actual, production websites yesterday. But where yesterday Linux haters were laughing, today it will be Google haters.

Re:So? (1)

timeOday (582209) | about 5 years ago | (#29405525)

That's not new. Check out "The Rallying Problem" section from this 4-year old presentation [caida.org] .

Re:So? (1)

1u3hr (530656) | about 5 years ago | (#29406777)

It is on a widely respected and not usually blocked third party service.

No one who is a "serious" user of Usenet respects Google Groups' interface.

They at least provide a useful search function, but even that has been rather fucked up for several months. But they are justly maligned for allowing spammers to use them to spam millions of messages into just about every newsgroup. They do nothing to screen their messages. They certainly have excellent spam detection in GMail, so dark conspiracy theories abound of how Google is swamping Usenet with spam to make their own groups a "safe haven". But I think it's just they can't monetise it so they don't give a fuck either way. Meanwhile many users do killfile messages sent from Google Groups, and some news hosts do as well at a server level.

Re:So? (1)

X0563511 (793323) | about 5 years ago | (#29410199)

Exactly. When my client allows, I don't even SEE messages from someone using Google Groups.

I know it's a bit harsh to just block a provider yet... but a majority of the retarded shoe-spammers and such, all seem to come through Google Groups.

That said, if GG wasn't the low-hanging-fruit, I'm sure some other provider would be victimized by the spammers.

Re:So? (1)

1u3hr (530656) | about 5 years ago | (#29410765)

That said, if GG wasn't the low-hanging-fruit, I'm sure some other provider would be victimized by the spammers.

Anyone can set up a news server, but if they spew spam, they are quickly blacklisted by other providers, so their posts are dropped and the damage is limited. Sadly few have the guts to block Google.

Re:So? (5, Funny)

sakdoctor (1087155) | about 5 years ago | (#29405207)

-----BEGIN BOTNET COMMAND OVER /.-----
Version: v1.0.0

TEx2OTNZRm9 mb1l4Q1B5N25P b3dxSjRCMkhSS WhzdDFBbV Ezd2lGSWtY R1pEMWJ qUHdtcG9z cktLNHd5 cDBZeg==

-----END BOTNET COMMAND OVER /.-----

Re:So? (4, Interesting)

Anonymous Coward | about 5 years ago | (#29405535)

On a more serious note, this demonstrates how easy it is to use any service for a botnet.
As long as a service allows persistent user data, Slashdot, Google Customized Search, Photobucket, whatever, can all be used.
Hell, the data doesn't even need to be persistent, ideally around a day's age at the most; this allows each time region to access the site at different times so that it won't overload it or arouse suspicions by those sneaky little ninja sysadmins.

Think about all those free websites out there, millions of them, and you can bet a good chunk of those are for botnets.

Or how about MSN?
Contacts of contacts of contacts, it can go millions of contacts deep, or a few hundred accounts used around the same geographical location at different times in the day.

Of course, e-mail is still the best.
Gmail is probably the best for this at the moment because of how much information that can be stored on a page at first glance. (which is why Gmail Drive is so nice)

That explains it! (2)

GameboyRMH (1153867) | about 5 years ago | (#29406455)

Slashdot copypasta troll posts are actually botnet commands! It just blends in with the original trolls so that nobody expects a thing!

Re:That explains it! (1)

djdavetrouble (442175) | about 5 years ago | (#29406561)

My god, the pieces of the puzzle are finally beginning to come together.

Every time Mr. Goatse appears, a botnet stands at attention. Then, Tubgirl releases the attack on the target.
There has never been a more simple, disgusting, genius idea.

Re:So? (1)

X0563511 (793323) | about 5 years ago | (#29410225)

Hell, one could even use a legitimate Flickr photostream or whatever they are called, hiding encrypted commands within images [wikipedia.org] . This could be done in nearly any kind of file, really. Have fun detecting this, especially if the 'cover' is suitably advanced.

(example, using a real social networking system legitimately, as well as for command/control. Or using an accomplice's account)

All it takes is the magical combination of imagination and technical skill, as well as the desire to do something like run such a network.

Re:So? (0, Redundant)

selven (1556643) | about 5 years ago | (#29405599)

What's it supposed to do, turn my computer into stooooooooooooooooooooooooooo[NO CARRIER]

Re:So? (1)

Beardo the Bearded (321478) | about 5 years ago | (#29407349)

Pfft. A weird hex command can't...

uh...

bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel bah bol bla wa glo wab bla fwa snu wel

Re:So? (1)

slacker22 (1614751) | about 5 years ago | (#29405275)

We can destroy a botnet by shutting down google.

5...4...3...2...1... (0)

Anonymous Coward | about 5 years ago | (#29405191)

And now they WON'T use google groups.

Time to use something else unnoticed.

Another sign Linux just isn't ready for prime time (4, Funny)

HangingChad (677530) | about 5 years ago | (#29405229)

It is distributed as a DLL...

Until Linux can run botnet dll's and find a place among p0wn3d hacker machines, it's going to remain a hobbyist toy. It's so wasteful and inefficient to hack computers one at a time.

Re:Another sign Linux just isn't ready for prime t (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#29405307)

Ah yes, the proverbial Linsux reference in a thread totally unrelated to Linsux. There must be some law of nature, similar to Godwin's law, that states that Linsux will eventually be mentioned in an unrelated thread, usually in a veiled poke at Windows.

Re:Another sign Linux just isn't ready for prime t (1)

Jared555 (874152) | about 5 years ago | (#29405317)

People could make automated attacks against Linux servers (there are probably some already) that detect if a site is running certain vulnerable scripts and run from there. Some issues could be solved easily by detecting paths on the web server; differences in distributions can be covered by trying the top 3-5 most popular paths (or more intelligent checks), etc.

One nice thing about running php as the user that owns the site is it makes it more difficult for someone to take out every site on a server.

Re:Another sign Linux just isn't ready for prime t (0)

Anonymous Coward | about 5 years ago | (#29406119)

Yes, but this won't bring about the year of linux on the DESKTOP.

Or are you suggesting all home users in need of this feature run a web server? Next thing you'll tell me they need to recompile the kernel to get a rootkit working.

First botnet of Linux Web Servers discovered (0)

Anonymous Coward | about 5 years ago | (#29485995)

"Until Linux can run botnet dll's and find a place among p0wn3d hacker machines, it's going to remain a hobbyist toy. It's so wasteful and inefficient to hack computers one at a time." - by HangingChad (677530) on Sunday September 13, @11:26AM (#29405229) Homepage

It's already happened, per my subject-line above, & this article from this very website (only a few days back, no less):

----

First Botnet of Linux Web Servers Discovered:

http://linux.slashdot.org/article.pl?sid=09/09/12/1413246 [slashdot.org]

----

So much for that!

APK

C2, not C&C (0)

Anonymous Coward | about 5 years ago | (#29405283)

The common abbreviation is C2, not C&C. C&C in this community stands for Command & Conquer :).

Re:C2, not C&C (3, Insightful)

Yvan256 (722131) | about 5 years ago | (#29405873)

And C2 [wikipedia.org] can refer to a truckload of things, so that doesn't really help.

Re:C2, not C&C (1)

Wuhao (471511) | about 5 years ago | (#29408017)

And C2 [wikipedia.org] can refer to a truckload of things, so that doesn't really help.

For simplicity, let's just abbreviate it as CLOWN and watch the novices try to puzzle it out.

Why not P2P? (2, Insightful)

Jared555 (874152) | about 5 years ago | (#29405295)

What would be so hard for botnet owners to make a peer to peer botnet rather than using servers? When a new machine is infected just send it a small list of hosts. Once connected distribute the full list of hosts. Most home networks do not secure upnp so inbound connections are not an issue.

For networks that do not allow firewall reconfiguration.... Infect via removable media or email and then distribute the commands internally through the network until more machines can make direct outbound connections.

Use random ports and encryption to make it harder to track and then use private/public keys so someone can't just send a shutdown command out over the network.

Re:Why not P2P? (1)

dazjorz (1312303) | about 5 years ago | (#29405351)

Thank you, sir, for destroying what was left of the Internets.

Re:Why not P2P? (1)

Yvan256 (722131) | about 5 years ago | (#29405879)

Indeed. I'm moving to the intarweb right now.

Just Google it (3, Informative)

Mathinker (909784) | about 5 years ago | (#29405357)

We used to say "Engage brain before opening mouth" but nowadays the equivalent is "Check Google (or equivalent) before posting". P2P botnets have been around for a long time, and the recent Conficker worm uses P2P technology in quite an advanced way [wikipedia.org] .

Re:Why not P2P? (1)

gmuslera (3436) | about 5 years ago | (#29405387)

Random ports and encryption are what is usually easiest to get blocked at your network perimeter. But it is not so easy to block Google on port 80, even with clear-text content; probably someone in your internal network would want to use it for legitimate reasons.

I would not be so surprised if RSS feeds or the pages themselves from Blogger (or other massive blog hosting sites) could be used for this, or ad hoc mailing lists. In fact, anything that could be put on the internet by someone potentially anonymous and accessed automatically by thousands/millions of hosts without raising normal alarms, and better if it is not limited to one easily blocked IP address.

Re:Why not P2P? (3, Insightful)

sakdoctor (1087155) | about 5 years ago | (#29405405)

Storm and many others used P2P.
Using a distributed hash table, each node wouldn't need a FULL list of nodes; often just O(log(n)) nodes.

They have used encrypted+signed commands since forever, port knocking, basically everything in the field has been incorporated into making a better, more robust bot.
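The point Jared555 and sakdoctor make about public/private keys (so that nobody else can post a shutdown command) is worth seeing in code. The following is an added example, not code from the original thread, from Symantec's write-up, or from Trojan.Grups itself; the wire layout (big-endian sequence number, opcode, Ed25519 signature, all base64-encoded) and every name in it are assumptions for illustration. It shows the receiving side's check: only a message signed by the operator's private key is accepted, and a monotonic sequence number stops an old message being re-posted. A symmetric HMAC key would not give this property, because the key would sit in every copy of the bot and anyone who pulled it out could forge commands; with a signature scheme the bot carries only the public key, which cannot sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is what the receiver parses out of a posted message. Layout is
// invented for this example: base64( seq(8 bytes, big-endian) || opcode || sig(64) ).
type Command struct {
	Seq    uint64 // must strictly increase: blocks replay of an older message
	Opcode string
}

const sigLen = ed25519.SignatureSize

// Sign produces the base64 message the key holder would post. Only the
// holder of priv can do this; the receiver never carries priv.
func Sign(priv ed25519.PrivateKey, c Command) string {
	body := make([]byte, 8, 8+len(c.Opcode))
	binary.BigEndian.PutUint64(body, c.Seq)
	body = append(body, c.Opcode...)
	sig := ed25519.Sign(priv, body)
	return base64.StdEncoding.EncodeToString(append(body, sig...))
}

// Verifier is the receiver-side state: the poster's public key and the
// highest sequence number accepted so far.
type Verifier struct {
	Pub     ed25519.PublicKey
	LastSeq uint64
}

var (
	ErrFormat = errors.New("malformed message")
	ErrSig    = errors.New("bad signature: not from the key holder")
	ErrReplay = errors.New("stale sequence number: replayed or out of order")
)

// Accept returns the command only if the signature verifies under Pub and
// the sequence number moves forward. Whoever controls the channel can still
// drop, delay or reorder messages (the channel can be shut down), but cannot
// forge a new one or re-issue an old one.
func (v *Verifier) Accept(msg string) (Command, error) {
	raw, err := base64.StdEncoding.DecodeString(msg)
	if err != nil || len(raw) < 8+1+sigLen {
		return Command{}, ErrFormat
	}
	body, sig := raw[:len(raw)-sigLen], raw[len(raw)-sigLen:]
	if !ed25519.Verify(v.Pub, body, sig) {
		return Command{}, ErrSig
	}
	seq := binary.BigEndian.Uint64(body[:8])
	if seq <= v.LastSeq {
		return Command{}, ErrReplay
	}
	v.LastSeq = seq
	return Command{Seq: seq, Opcode: string(body[8:])}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // operator keypair; only pub is distributed
	_, hijacker, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{Pub: pub}
	msgs := map[string]string{
		"genuine":  Sign(priv, Command{Seq: 1, Opcode: "sleep 3600"}),
		"hijacker": Sign(hijacker, Command{Seq: 2, Opcode: "uninstall"}),
		"replay":   Sign(priv, Command{Seq: 1, Opcode: "sleep 3600"}),
	}
	for _, name := range []string{"genuine", "hijacker", "replay"} {
		c, err := v.Accept(msgs[name])
		fmt.Printf("%-8s -> %q err=%v\n", name, c.Opcode, err)
	}
}
```

Note what this does and does not buy: tlhIngan's first objection, that the hosting party can disable the group or leave it returning nothing, still holds, because a signature cannot conjure a message that was never delivered. It only closes the takeover half of the objection.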

Re:Why not P2P? (4, Funny)

similar_name (1164087) | about 5 years ago | (#29406317)

What would be so hard for botnet owners to make a peer to peer botnet rather than using servers?

That would attract the wrath of the RIAA.

Google's evil and this proves it!!11!1! (0)

Anonymous Coward | about 5 years ago | (#29405321)

'It's worth noting that Google Groups is not at fault here; rather, it is a neutral party. [...]'

Nope, sorry, it's already ingrained into my head. I blindly hate Google, so here's another reason for me to think they're evil. I literally feed off of irony, especially the "Google is teh eval!11!!", thus I desperately search it out in any way, shape, or form, even if it's from badly-thought out arguments and conclusions.

Google is evil because they make and control botnets! IRC isn't evil, though, because that's just an innocent neutral communication method that evil people (liek Google) have co-opted into a botnet control mechanism.

Those IRC dwelling 14 year olds... (1, Insightful)

petrus4 (213815) | about 5 years ago | (#29405433)

I've already drawn a portrait of them here [slashdot.org] .

They never cease to amaze me, however; they are tireless in their attempts to bring new, innovative, and endlessly wonderful varieties of malware to the computer using public.

I know eventually a true, almost impossible to counter exploit will be found by them, for Linux. They will probably employ it more for the purposes of proving that Linux is not immune to their wrath, than anything else.

When the first Linux malware exploiting that flaw is written by them, I fully expect that the first sign of infection will be a Linux user hearing a wav file of Carrie Ann Moss being played on their machine.

"Dodge this."

Re:Those IRC dwelling 14 year olds... (0, Troll)

Yvan256 (722131) | about 5 years ago | (#29405899)

Good thing that wav is a Microsoft file format and hence cannot be played under Linux. /sarcasm

Re:Those IRC dwelling 14 year olds... (3, Insightful)

flydpnkrtn (114575) | about 5 years ago | (#29406097)

I know eventually a true, almost impossible to counter exploit will be found by them, for Linux.

I think you lay the melodrama on a bit too thick... there's not really such a thing as an "impossible to counter" exploit...

Re:Those IRC dwelling 14 year olds... (0)

Anonymous Coward | about 5 years ago | (#29407187)

Yes, it exists. It's called "user".

Re:Those IRC dwelling 14 year olds... (0)

Anonymous Coward | about 5 years ago | (#29406595)

When the first Linux malware exploiting that flaw is written by them, I fully expect that the first sign of infection will be a Linux user hearing a wav file of Carrie Ann Moss being played on their machine.

Good news! Your sound system works under Linux!

Now if we could convince them to infect the wireless networking!

This just in, too! (1)

tenco (773732) | about 5 years ago | (#29405457)

Breaking news: Software uses plain text messages as means of communication. News at 11.11

Re:This just in, too! (1)

Yvan256 (722131) | about 5 years ago | (#29405911)

Breaking news: botnets use plain text messages and waste bytes and bytes of bandwidth instead of using binary to communicate between themselves. News at 9:00.

Next up: Botnets surfing the google wave (5, Funny)

ghmh (73679) | about 5 years ago | (#29405811)

Who needs IRC or usenet or google groups when you can surf the google wave?

Wonder whether this will get you access?

Google Wave Sandbox Developer Signup [google.com]

Name: xxxx
....
What do you intend to build?
Botnet

New solution (1)

shentino (1139071) | about 5 years ago | (#29406103)

Pass good samaratin laws that allow researchers to nuke botnets. Or heck, let the FBI or NSA take care of that.

I think that would be even more awesome than when Goonswarm took over BoB.

Re:New solution (1)

Thuktun (221615) | about 5 years ago | (#29419785)

Pass good samaratin [sic] laws that allow researchers to nuke botnets.

Oh yeah, that will end well.

Trivial solution (1)

4D6963 (933028) | about 5 years ago | (#29406505)

Wouldn't it be trivial for Google to kill it? Think about it: recently created groups devoid of any true conversational activity, being accessed by thousands of computers on a regular basis, probably all of them identifying themselves in a similar way (i.e. all giving the same user agent or no user agent, no referral, etc.). It would be fairly trivial for Google to identify the patterns and shut down the botnet groups. Might orphan quite a few botnets, and definitely hunt the botnets out of Google Groups.
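The pattern 4D6963 describes is the kind of thing a hosting provider's abuse team could actually score. Below is an added example in Go, not code from the original thread, from Google, or from Symantec: it runs over a constructed access log (the line layout, group names, addresses and thresholds are all invented for this example) and flags groups with many distinct clients, one or two User-Agent strings, no referer on nearly every request, and reads that dwarf posts. Treat it as a triage signal rather than proof: an announcement list read by feed readers looks similar, and an operator who randomises the User-Agent and jitters the polling interval defeats the simplest version of it.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed log layout, one request per line (not Google's real format):
//   time method path client-ip "user-agent" "referer"
var lineRe = regexp.MustCompile(`^(\S+) (GET|POST) /group/([^/\s]+)\S* (\S+) "([^"]*)" "([^"]*)"$`)

type groupStats struct {
	reads, posts, noReferer int
	clients, agents         map[string]bool
}

// Finding is one group that matches the polling-channel profile.
type Finding struct {
	Group                         string
	Clients, Agents, Reads, Posts int
}

// Score aggregates behaviour per group and returns those that look like a
// polling channel rather than a conversation: at least minClients distinct
// clients, at most two distinct User-Agents, 90%+ of requests with no
// referer (nobody followed a link there), and reads at least 20x the posts.
// The thresholds are assumptions for this example, not tuned values.
func Score(logLines []string, minClients int) []Finding {
	stats := map[string]*groupStats{}
	for _, l := range logLines {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(l))
		if m == nil {
			continue // unparseable line: skip it rather than abort the run
		}
		s := stats[m[3]]
		if s == nil {
			s = &groupStats{clients: map[string]bool{}, agents: map[string]bool{}}
			stats[m[3]] = s
		}
		s.clients[m[4]] = true
		s.agents[m[5]] = true
		if m[2] == "POST" {
			s.posts++
		} else {
			s.reads++
		}
		if m[6] == "-" || m[6] == "" {
			s.noReferer++
		}
	}
	var out []Finding
	for g, s := range stats {
		total := s.reads + s.posts
		if len(s.clients) < minClients || len(s.agents) > 2 ||
			s.noReferer*10 < total*9 || s.posts*20 > s.reads {
			continue
		}
		out = append(out, Finding{Group: g, Clients: len(s.clients), Agents: len(s.agents), Reads: s.reads, Posts: s.posts})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Clients > out[j].Clients })
	return out
}

// SampleLog builds the constructed input: a busy human group, a small
// human group, and one group that only ever gets polled.
func SampleLog() []string {
	agents := []string{"Mozilla/5.0 (Windows NT 6.1) Firefox/3.5", "Mozilla/5.0 (Macintosh) Safari/4.0",
		"Opera/9.64", "Mozilla/4.0 (compatible; MSIE 8.0)"}
	var lines []string
	for i := 0; i < 30; i++ { // busy group: many browsers, search referers, some posts
		method := "GET"
		if i%5 == 0 {
			method = "POST"
		}
		lines = append(lines, fmt.Sprintf(`2009-09-13T10:%02d:00Z %s /group/comp.lang.python/topics 192.0.2.%d "%s" "http://www.google.com/search?q=python"`,
			i, method, i+1, agents[i%4]))
	}
	for i := 0; i < 6; i++ { // small group: few readers, but real browsers
		lines = append(lines, fmt.Sprintf(`2009-09-13T11:%02d:00Z GET /group/rec.example.cooking 203.0.113.%d "%s" "-"`, i, i+1, agents[i%4]))
	}
	for i := 0; i < 40; i++ { // polled group: 40 clients, one UA string, never a referer
		lines = append(lines, fmt.Sprintf(`2009-09-13T12:%02d:00Z GET /group/x7k9-status 198.51.100.%d "Mozilla/4.0" "-"`, i, i+1))
	}
	// one post from a different address: the controller dropping a new message
	lines = append(lines, `2009-09-13T12:40:00Z POST /group/x7k9-status 198.51.100.250 "Mozilla/4.0" "-"`)
	return lines
}

func main() {
	for _, f := range Score(SampleLog(), 10) {
		fmt.Printf("%s: %d clients, %d user-agents, %d reads, %d posts\n", f.Group, f.Clients, f.Agents, f.Reads, f.Posts)
	}
}
```

On the constructed sample only x7k9-status is reported (41 clients, one User-Agent, 40 reads, 1 post); comp.lang.python is excluded by its browser diversity and its posting rate, and rec.example.cooking by its small readership.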

DLL's (1)

Gruff1002 (717818) | about 5 years ago | (#29409581)

Never ever let any exe near your operating system if it has dll's that "need" to be installed. Windoze is not exactly idiot proof.

OH GOD (1)

kothmac (1609535) | about 5 years ago | (#29409839)

I KNEW IT! Google has become Skynet! Quick, someone knock up Mrs. Conner!

Ultrasurf and GIFC did the same thing (0)

Anonymous Coward | about 5 years ago | (#29410449)

According to researchers at this year's BlackHat in Las Vegas, the GIFC has released malware (pretending to be good software) that gets its "updates" through Google Groups and Reader. This is not shocking that spyware/malware/viruses/etc get updates from a major provider such as Google. Google can handle the traffic, and is mirrored all over the world, making it the perfect candidate for this type of abuse.

Finally a use for twitter (1)

uninformedLuddite (1334899) | about 5 years ago | (#29411605)

hooray

Rest Easy Everyone (0)

Anonymous Coward | about 5 years ago | (#29411641)

'It's worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.'"

Google Groups is declared NOT EVIL!

Non news here...move along (1)

hesaigo999ca (786966) | about 5 years ago | (#29412389)

Whether it's Google news groups, or the eBay website or even Facebook, you can use any tool, and any website that offers postings or forums or even blogs, to upload commands to your botnet, if the parser included in the botnet knows how to read it.
The fact that they are trying to put Google's good name on the line for this, as if it was Google's fault, shows how little they really know about these botnets, and this technology.
