Google Groups controlled Trojan (Sep 18, 2009)

SonicWALL UTM Research team observed a new Trojan that utilizes Google Groups message boards as its Command and Control (C&C) mechanism.

This is similar to the botnet reported last month that utilized Twitter, Jaiku and other microblogging sites as its C&C mechanism (the Twitter botnet). However, this is the first instance of a Trojan using a newsgroup for C&C messages.

This Trojan is distributed as a DLL file, with the filename mslogin.dll, that may arrive via drive-by downloads. It performs the following activities on the victim machine:

  • It creates a file in the system directory, %System%\tmw.dat, which the Trojan uses for logging.
  • It creates the following registry entries:
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InformationBar
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms
  • It tries to connect to https://www.google.com/accounts/Login and log into the escape2sun Gmail account using the stored credentials.
  • Upon successful login, the Trojan connects to the private Google group escape2sun and sends the following GET request:
    • www.google.com/group/escape2sun/web/page1

    This page contains encrypted commands for the Trojan to execute, which include downloading and executing other malware executables. The results of command execution on the victim machine are sent to the C&C server via an HTTP POST request.
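As an added example (not part of the original alert), the Python snippet below correlates the network indicators above over constructed proxy log lines: it flags clients that reach the escape2sun group page and ranks a client that both polls the page and POSTs back to it as the full C&C chain. The log line format and the sample entries are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the alert): "<client_ip> <method> <url>" per line.
SAMPLE_LOG = """\
10.0.0.5 GET https://www.google.com/accounts/Login
10.0.0.5 GET http://www.google.com/group/escape2sun/web/page1
10.0.0.5 POST http://www.google.com/group/escape2sun/web/page1
10.0.0.9 GET https://www.google.com/accounts/Login
10.0.0.9 GET http://www.google.com/group/python-users/web/page1
10.0.0.7 GET http://www.google.com/group/escape2sun/web/page1
"""

# Indicators taken from the alert: the account login endpoint and the
# private group the Trojan polls for commands.
LOGIN_URL = "https://www.google.com/accounts/Login"
C2_GROUP_RE = re.compile(r"^https?://www\.google\.com/group/escape2sun/", re.I)

def parse_line(line):
    """Split one constructed log line into (client, method, url), or None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1].upper(), parts[2]

def find_c2_activity(log_text):
    """Return {client: set(stages)} for clients that touched the C&C group.
    Stages: 'login' (Google account login), 'poll' (GET of the group page),
    'exfil' (POST back to the group, i.e. command results being returned)."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        client, method, url = parsed
        if url == LOGIN_URL:
            stages[client].add("login")
        elif C2_GROUP_RE.match(url):
            stages[client].add("poll" if method == "GET" else "exfil")
    # A bare Google login is normal user traffic; only clients that actually
    # reached the escape2sun group are reported.
    return {c: s for c, s in stages.items() if s & {"poll", "exfil"}}

def severity(stages):
    """'high' when both poll and exfil were seen (full C&C loop), else 'medium'."""
    if {"poll", "exfil"} <= stages:
        return "high"
    return "medium"
```

In a real deployment the same logic applies to any proxy or firewall log that records client, method and URL; the group path is the distinguishing indicator, since logins to Google accounts are common benign traffic.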

Note that Google Groups is not responsible for this malicious behavior; it was being misused by the author of the Trojan to control the infected machines. Google had suspended the account and the private group (escape2sun) at the time of publishing this alert.

This malware is also known as W32/GrupBot [McAfee], Trojan:Win32/Gruwt.A [Microsoft], and TR/Dldr.Agent.bjta.9 [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Agent.BJTA (Trojan) signature.
