Virus writers keep getting sneakier. In an effort to evade detection, they’ve begun hiding their command and control instructions in legitimate Web 2.0 sites such as Google Groups and Twitter.
Recently, security vendor Symantec spotted a Trojan horse program that’s been programmed to visit a private Google Groups newsgroup, called escape2sun, where it can download encrypted instructions or even software updates.
These “command and control” instructions are used by criminals to keep in touch with hacked PCs and update their malicious software. Researchers have also seen criminals hide their messages in RSS feeds that are set up to broadcast Twitter messages, said Gerry Egan, a director with Symantec Security Response. “We’re seeing a trend toward using more mainstream social media-type interactions to hide command and control,” he said.
The Google Groups system appears to be a prototype, but Egan expects the bad guys to increasingly use social media sites for this purpose, as security software becomes more effective at rooting out traditional command and control mechanisms. “Malware authors are saying now that they’re on to [our] techniques, let’s try something different,” Egan said.
Today most criminals communicate with the machines they’ve hacked via IRC (Internet Relay Chat) servers, or by placing commands on obscure, hard-to-find Web sites. As system administrators are getting better at spotting and blocking these communications, the bad guys are “trying to hide these command and control messages inside legitimate traffic, so the presence of the traffic in and of itself doesn’t raise a red flag,” Egan said.
A system administrator can block access to IRC pretty easily, but blocking Twitter or Google is another matter altogether.
The Google Groups Trojan appears to be Taiwanese in origin and was probably used to quietly gather information for future attacks. According to the data on Google Groups, the Trojan has not spread widely since it was created in November 2008. “Such a Trojan could potentially have been developed for targeted corporate espionage where anonymity and discretion are priorities,” Symantec said in a Friday blog posting.