A new Trojan variant, called Trojan.Grups, is using Google Groups newsgroups to distribute commands. Trojans have been distributed via newsgroups for more than a decade, but using a newsgroup as a command and control channel is new. The Trojan itself is quite simple and is noteworthy only for the command and control structure it deploys.

According to a report by Symantec security researcher Gavin O'Gorman, the malware is designed to log into a Chinese-language newsgroup to receive commands. After successfully logging in, the Trojan requests a page from a private newsgroup, “escape2sun”, that contains commands for the Trojan to carry out. The commands consist of an index number, a command line to execute and, optionally, a file to download; responses are uploaded as posts to the newsgroup. The post and page contents are encrypted using the RC4 algorithm and then base64 encoded so that the attacker can read the responses.

Attackers need to maintain communications with backdoor Trojans in order to have them distribute spam, launch denial of service attacks or upload compromised data. Traditionally, IRC channels have been used for this, but recently attackers have experimented with different control channels such as Google Groups (Twitter attack). Although using Google Groups has advantages for anonymity, it leaves a record of Trojan activity (the growth of the Trojan can be tracked by the volume of posts). Security experts said that the malware may be a prototype, testing the use of newsgroups for botnet/Trojan command and control. Additional information can be found on TheRegistar website.
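
For analysts working from the description above (RC4-encrypted, then base64-encoded posts carrying an index number, a command line and an optional file), the following added example, which is not code from Symantec's report or from the malware, decodes captured post bodies once a key has been recovered from a sample. The key, the `|` field separator and the sample posts are constructed assumptions; the article does not give the real key or record layout.

```python
import base64
import binascii

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def decode_post(body: str, key: bytes):
    """Return the parsed record, or None if the post is not a decodable blob."""
    try:
        raw = base64.b64decode(body.strip(), validate=True)
        text = rc4(key, raw).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                            # ordinary post or wrong key
    # ASSUMPTION: fields are "index|command[|file]"; the real layout is not published here.
    fields = text.split("|", 2)
    if len(fields) < 2 or not fields[0].isdigit():
        return None
    return {"index": int(fields[0]), "command": fields[1],
            "download": fields[2] if len(fields) == 3 else None}

# Constructed key and constructed posts, built here so the example runs offline.
KEY = b"constructed-analysis-key"
SAMPLE_POSTS = [
    base64.b64encode(rc4(KEY, b"3|hostname")).decode(),
    base64.b64encode(rc4(KEY, b"4|hostname|http://example.invalid/a.bin")).decode(),
    "Hello everyone, welcome to the group",    # benign post, not a blob
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(decode_post(post, KEY))
```

Posts that return `None` are either ordinary newsgroup text or were encrypted under a different key, so the count of decodable posts over time gives the activity record the article mentions.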