Gavin O. Gorman of Symantec offers readable research into Trojan.grups, a Trojan whose zombie computers receive updated commands by parsing instructions found in newsgroup postings. Here’s the gist:
When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses.
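Studying this traffic, as the researchers did, means reversing the post encoding and mapping responses back to the commands they answer. The following is an added example written for this post, not Symantec’s or the Trojan’s code; the RC4 key, the '|'-separated field layout and the sample posts are all constructed assumptions (the article names the three fields but not their layout).

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def encode_post(plaintext: str, key: bytes) -> str:
    """Post encoding as the article describes it: RC4, then base64."""
    return base64.b64encode(rc4(key, plaintext.encode())).decode("ascii")

def decode_post(body: str, key: bytes) -> str:
    """Undo it for analysis: base64-decode, then RC4 with the recovered key."""
    return rc4(key, base64.b64decode(body)).decode("utf-8", errors="replace")

def parse_command(plaintext: str):
    """Split a command into index / command line / optional file.
    The '|' layout is an ASSUMPTION; the article only names the fields."""
    parts = plaintext.split("|", 2)
    if len(parts) < 2 or not parts[0].isdigit():
        return None
    return {"index": int(parts[0]), "command": parts[1],
            "file": parts[2] if len(parts) == 3 and parts[2] else None}

def summarize_posts(posts, key: bytes):
    """Tally captured (subject, body) pairs: commands by index, response
    counts by index (responses carry the index as subject), and leftovers."""
    commands, responses, unknown = {}, {}, 0
    for subject, body in posts:
        text = decode_post(body, key)
        if subject.isdigit():            # a zombie's reply to command <index>
            responses[int(subject)] = responses.get(int(subject), 0) + 1
        elif (cmd := parse_command(text)) is not None:
            commands[cmd["index"]] = cmd
        else:
            unknown += 1                 # undecodable or off-protocol post
    return {"commands": commands, "responses": responses, "unknown": unknown}

# Constructed sample: a placeholder key and four posts, not real captures.
KEY = b"placeholder-key"
SAMPLE = [("cmd", encode_post("7|dir|", KEY)), ("7", encode_post("ok", KEY)),
          ("7", encode_post("ok", KEY)), ("cmd", encode_post("8|run|update.bin", KEY))]
```

With a real capture, the `responses` counts per index give the posting-volume view the article uses to judge how far the network has been deployed.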
This is a handy layer of indirection for a zombie master, because public message boards are harder to blacklist than known-compromised servers. But this public command-and-control method also allows security researchers to study message content, replies, and overall volume levels — ironically, the zombie masters are publicly “opening up the source” of their network’s communications.
In this particular case, debug strings and low posting volumes indicate preliminary testing — but if this turns out to be a useful attack, it seems like it could be adopted fairly quickly.
So, should newsgroups be considered harmful? I don’t see how they could be, considering their proven history of improving global communication. But this article shows that even innocuous network technology is vulnerable to being parasitized by those who don’t yet deal honestly with each other.
When a shadow network is operating on citizens’ machines without their knowledge, and when public communication methods are used to transmit exploitative commands, how should our networks evolve in response? What’s the next step?