Glaswegian

Virus writers have started to hide command and control instructions in popular legitimate sites like Google Groups and Twitter according to security researchers.

Symantec has spotted a Trojan horse program that's been programmed to visit a private Google Groups newsgroup, called escape2sun, where it can download encrypted instructions or even software updates. These "command and control" instructions are used by criminals to keep in touch with hacked PCs and update their malicious software.

Last month researchers from Arbor Networks highlighted an earlier version of this. We have also seen criminals hide their messages in RSS feeds that are set up to broadcast Twitter messages, said Gerry Egan, a director with Symantec Security Response. "We're seeing a trend toward using more mainstream social media-type interactions to hide command and control," he said.

The Google Groups system appears to be a prototype, but Egan expects the bad guys to increasingly use social media sites for this purpose, as security software becomes more effective at rooting out traditional command and control mechanisms. "Malware authors are saying now that they're on to [our] techniques, let's try something different," Egan said.

Today most criminals communicate with the machines they've hacked via IRC (Internet Relay Chat) servers, or by placing commands on obscure, hard-to-find websites. As system administrators are getting better at spotting and blocking these communications, the bad guys are "trying to hide these command and control messages inside legitimate traffic, so the presence of the traffic in and of itself doesn't raise a red flag," Egan said.


http://news.techworld.com/security/3...ction/?olo=rss