Google Groups controlled Trojan

September 18, 2009

The SonicWALL UTM Research team observed a new Trojan that uses Google Groups message boards as its Command and Control (C&C) mechanism.

This is similar to the botnet reported last month that used Twitter, Jaiku and other microblogging sites for C&C (see the earlier alert, Twitter botnet). However, this is the first instance observed of a Trojan using a newsgroup-style message board for its C&C messages.

This Trojan is distributed as a DLL file, seen with the filename mslogin.dll, that may arrive via drive-by downloads. It performs the following activities on the victim machine:

  • It creates a file in the system directory, %System%\tmw.dat, which the Trojan uses for logging.
  • It creates the following registry entries:
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InformationBar
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms
  • It tries to connect to and log onto the escape2sun Gmail account using stored credentials.
  • Upon successful login, the Trojan connects to the private Google group escape2sun and sends the following GET request:

    The retrieved page contains encrypted commands for the Trojan to execute, including commands to download and run other malware executables. The results of command execution on the victim machine are sent back to the C&C server via an HTTP POST request.
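The C&C sequence described above (Google account login, GET of the private group page, HTTP POST of results) is something a proxy log can be searched for. The following is an added example written for this page, not SonicWALL's code or any part of the Trojan: it correlates per-client requests and flags a client that completes all three steps against the same group within a short window. The log format, the login URL, the exact Google Groups URL layout and the timestamps are assumptions for illustration; the alert does not reproduce the real request, and the sample log lines below are constructed.

```python
"""Correlate proxy log lines for the Google Groups C&C pattern.

Added example, not the alert's or the Trojan's own code. Pattern modelled:
  1. POST to a Google account login URL (assumed shape, not from the alert)
  2. GET of https://groups.google.com/group/<name>/... (assumed URL layout)
  3. POST back to the same group within a short window
The only identifier taken from the alert is the group name escape2sun.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp client method url" form.
SAMPLE_LOG = """\
2009-09-18T10:00:01 10.0.0.5 POST https://www.google.com/accounts/ServiceLoginAuth
2009-09-18T10:00:04 10.0.0.5 GET https://groups.google.com/group/escape2sun/
2009-09-18T10:00:09 10.0.0.5 POST https://groups.google.com/group/escape2sun/post
2009-09-18T10:01:00 10.0.0.7 GET https://groups.google.com/group/python-dev/
2009-09-18T10:02:00 10.0.0.9 POST https://www.google.com/accounts/ServiceLoginAuth
2009-09-18T10:02:05 10.0.0.9 GET https://mail.google.com/mail/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
# Assumed login endpoint shape; adjust to what your proxy actually records.
LOGIN_RE = re.compile(r"^https://(?:www|accounts)\.google\.com/accounts/", re.I)
# Assumed Google Groups URL layout; captures the group name.
GROUP_RE = re.compile(r"^https://groups\.google\.com/group/([^/?#]+)", re.I)

WINDOW = timedelta(minutes=5)  # max gap between consecutive steps


def parse(log_text):
    """Parse log lines into (timestamp, client, method, url), sorted by time.

    Malformed lines are skipped rather than aborting the whole scan.
    """
    events = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, client, method, url = m.groups()
        events.append((datetime.fromisoformat(ts), client, method, url))
    events.sort()
    return events


def find_cnc_pattern(log_text, window=WINDOW):
    """Return [(client, group)] for every client that completed
    login -> GET group page -> POST to the same group, each step
    within `window` of the previous one."""
    state = defaultdict(dict)  # client -> {"login": ts, "fetched": {group: ts}}
    hits = []
    for ts, client, method, url in parse(log_text):
        st = state[client]
        if method == "POST" and LOGIN_RE.match(url):
            st["login"] = ts          # step 1: account login seen
            continue
        g = GROUP_RE.match(url)
        if not g:
            continue                  # not Google Groups traffic
        group = g.group(1)
        login = st.get("login")
        if method == "GET" and login is not None and ts - login <= window:
            st.setdefault("fetched", {})[group] = ts   # step 2: command page read
        elif method == "POST":
            fetched = st.get("fetched", {}).get(group)
            if fetched is not None and ts - fetched <= window:
                hits.append((client, group))          # step 3: results posted back
                del st["fetched"][group]
    return hits


if __name__ == "__main__":
    for client, group in find_cnc_pattern(SAMPLE_LOG):
        print(f"possible Google Groups C&C: client={client} group={group}")
```

A legitimate user reading and replying to a group will also complete this sequence, so treat a hit as a triage signal rather than a verdict: confirm on the host with the indicators the alert gives (mslogin.dll, %System%\tmw.dat and the two InformationBar/IntelliForms registry entries) before acting.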

Note that Google Groups itself is not responsible for this malicious behavior; the service was being misused by the Trojan's author to control the infected machines. Google had suspended the account and the private group (escape2sun) at the time of publishing this alert.

This malware is also known as W32/GrupBot [McAfee], Trojan:Win32/Gruwt.A [Microsoft], and TR/Dldr.Agent.bjta.9 [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Agent.BJTA (Trojan) signature.