Gone are the days when “Command & Control” Botnets were controlled using IRC channels or web servers. These days, attackers have moved to more sophisticated techniques or rather they are taking advantage of already available public infrastructure to control their army of Bots.
One such case is that of a Bot using Google Groups for sending out the control commands. Discovered by a researcher at Symantec, this Trojan upon infecting a machine, connects to a private Google group called “escape2sun” and requests a page. This page contains encrypted commands for the Trojan that typically consist of an index number, a command line to execute, and optionally, a file to download. Now not only can the malware author control the Botnet, but he also gets all the additional features of Google groups such as version control and tracking group activity, etc. ! Smart stuff, eh ?! Read more about it here.
Other similar publically available service that is being exploited by Botnet authors is “Twitter”. Using obfuscated Twitter status messages on a account, the malware author is able to send commands to its Trojans. The Trojan works by reading the RSS feed to a particular Twitter account designated by the Botnet author. This appears to be a direct fall out of a PoC that was presented at Defcon 17 regarding a tool called “KreiosC2”. More about this here.
But this is not the only social networking site that is being targeted by Botnet authors, other sites such as Jaiku and Tumblr are also being used. A big advantage of using such techniques is that, it will be difficult for content filtering systems to detect & stop such communication since this is legit communication to well known websites. But at the same time, the biggest disadvantage is that they are all public services, so whatever activity that the Botnet is doing is easily visible to others too !