• Google Groups used as malware command channel

    Gavin O'Gorman from Symantec wrote a post about how Google Groups was being used as a covert back channel to control a botnet.

    “The Web-based newsgroup can store both static ‘pages’ and postings. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.”
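    As an added illustration (my own code, not anything from the Symantec write-up or the Trojan itself), here is a small Python decoder an analyst could run over a captured command page or response post. It assumes a recovered RC4 key and a `|` delimiter between the index number, the command line and the optional download URL; the quoted text describes the fields and the RC4-then-base64 wrapping but not the exact delimiter, so that part is an assumption, and the sample traffic is constructed.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher. Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream generation, XOR with data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def unwrap(body: str, key: bytes) -> str:
    """Reverse the post encoding described above: base64 -> RC4 -> text."""
    return rc4(key, base64.b64decode(body)).decode("utf-8")

def wrap(text: str, key: bytes) -> str:
    """Forward direction; used here only to build the constructed fixtures below."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")

def parse_command(body: str, key: bytes) -> dict:
    """Parse a command page as 'index|command line[|download URL]' (delimiter assumed)."""
    parts = unwrap(body, key).split("|")
    if len(parts) not in (2, 3) or not parts[0].isdigit():
        raise ValueError("not a well-formed command record")
    return {"index": int(parts[0]), "command": parts[1],
            "download": parts[2] if len(parts) == 3 else None}

def pair_responses(command: dict, posts: list) -> list:
    """Responses are posted with the index number as subject; match them to the command."""
    return [p for p in posts if p["subject"] == str(command["index"])]

# Constructed fixture (not real Trojan traffic): one command page and two uploaded posts.
DEMO_KEY = b"demo-key"                                        # assumed recovered key
DEMO_PAGE = wrap("7|hostname|http://example.invalid/update.bin", DEMO_KEY)
DEMO_POSTS = [
    {"subject": "7", "body": wrap("WORKSTATION-01", DEMO_KEY)},       # output for index 7
    {"subject": "", "body": wrap("2009-09-11 10:15:00", DEMO_KEY)},   # no command: host uploads the time
]
```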

