Symantec has reported that a botnet has been using the Google Groups newsgroups service as a command and control structure.
Botnets usually communicate over a private networking protocol, often IRC, but some have been innovating in this area. For instance, we recently saw a botnet using Twitter for C&C.
The goal in all these cases is to hide the activity in plain sight. By using a system that people don't normally block and which is not usually used for programmatic control they feel they can escape detection. In this case, by choosing a system with a real company (Google) controlling it, they allowed one company to shut them down once they were detected.
Symantec suspects that the malware in the botnet, Trojan.Grups, is a prototype. The technique of using news groups for C&C has some serious downsides, tops of which are that it creates an audit trail through which outsiders can monitor activity in the botnet and perhaps compromise the botnet.
The future for such elusive C&C may be in steganography: the art of hiding data within other data structures. For instance, you can hide other data in a graphic image file and the image won't be visibly distorted. There are lots of image hosting services where you could hide C&C images. This is already being done, but not in a widespread fashion.
没有评论:
发表评论