Symantec Security Response Blog

Google Groups Trojan

Gavin O Gorman
September 11th, 2009
Tags: Endpoint Protection (AntiVirus), Emerging Threats, Malicious Code, Security, Security Response

Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. Recent developments have included the use of Web 2.0 social networking websites to deliver commands. By blending C&C messages into legitimate traffic, the attacker makes such sources much harder to identify and shut down. It is a concept very similar to that of chaffing and winnowing. Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec has detected.

It’s worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.

The Trojan itself is quite simple. It is distributed as a DLL, and when executed will log onto a specific account:

Escape[REMOVED]@gmail.com
h0[REMOVED]t

The Web-based newsgroup can store both static “pages” and postings. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.

Figure 1: Posts from infected computers

It is an effective technique for anonymously issuing commands; however, it does have some negative aspects for the attacker. Since every response is stored as a posting in the newsgroup, it was possible for Symantec to track the activity of the Trojan in detail. An even more useful feature of the newsgroup is the version control incorporated into pages. Approximately 34 page modifications can be observed over a ten-month period. By decrypting the recorded page edits, the evolution of commands over time can be clearly observed.
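As an added, runnable illustration of the post encoding described above (RC4, then base64) and of the analyst-side decryption used to read the recorded page edits, here is a small pure-Python codec with a parser for the index, command line and optional file fields. This is example code, not the Trojan's own code or Symantec's tooling: the key and the sample page body are constructed, and the '|' field separator is an assumption, since the page names the fields but not the real key or delimiter.

```python
import base64

# Constructed sample key: the real Trojan.Grups key is not given on the page.
SAMPLE_KEY = b"example-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_post(key: bytes, plaintext: str) -> str:
    """Build a page/post body as the page describes it: RC4, then base64."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


def decode_post(key: bytes, body: str) -> str:
    """Analyst side: base64-decode a captured body, then RC4-decrypt it."""
    return rc4(key, base64.b64decode(body)).decode("utf-8", errors="replace")


def parse_command(plaintext: str) -> dict:
    """Split a decrypted command page into index, command line and optional file.
    The '|' separator is an assumption; the page only names the three fields."""
    parts = plaintext.split("|", 2)
    if len(parts) < 2 or not parts[0].isdigit():
        raise ValueError("not a well-formed command page")
    return {"index": int(parts[0]), "command": parts[1],
            "file": parts[2] if len(parts) == 3 and parts[2] else None}


# Constructed example of one command-page revision; not captured data.
SAMPLE_PAGE = encode_post(SAMPLE_KEY, "7|ipconfig /all|")

if __name__ == "__main__":
    # Walking a list of recorded page edits this way shows how commands evolved.
    print(parse_command(decode_post(SAMPLE_KEY, SAMPLE_PAGE)))
```

Feeding each recorded revision of the page through decode_post and parse_command reproduces the command timeline the post describes.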

Figure 2: Decrypted command

The commands imply that the Trojan is used for reconnaissance and targeted attacks. For example, in figure 2, the command determines the local IP addresses, scans the local domain, and then pings a popular search engine in Taiwan. The response can be seen in figure 3. More targeted commands may then be issued. Subsequent commands that were observed used the net user facility to add new users and give them administrator rights. Commands are also issued to download and execute files; the files themselves are encrypted using the same encryption algorithm and key as the posts.

Figure 3: Decrypted response

In addition to the version control, the newsgroup also records traffic activity over time. The growth of the Trojan can be easily tracked. Figure 4 gives post activity over monthly periods. The Trojan was initially released in November 2008, increased steadily in activity to a peak in February, and has tapered off since. Overall the numbers are quite low, totaling under 3,000 posts.

Figure 4: Trojan activity

Given the statistics, and examination of the code, it is possible to infer the attacker’s motive. Because several debug strings are left in the code, it may be a prototype implementation, testing the feasibility of Web-based newsgroup usage for C&C. It is most likely Taiwanese-based since the newsgroup language is Chinese (simplified), with several references to .tw domains in commands. The low numbers imply this is a discreet Trojan, used to subtly gather information and potentially determine future attack targets. In addition, there is no attempt within the DLL to maintain persistence on the attacked computer, further evidence of a Trojan attempting to remain undiscovered. Such a Trojan could potentially have been developed for targeted corporate espionage where anonymity and discretion are priorities.
