Security researchers at Symantec recently uncovered a backdoor trojan whose spread is being dictated by commands hosted in Google Groups, Google's online discussion forums. The backdoor trojan, named Trojan.Grups, appears to be the first ever malware to use an online newsgroup as the "command and control" center for botnet communications. It's certainly the first time that Google Groups specifically has been compromised in this way. This new discovery points to what appears to be the latest trend in what you could call "Web 2.0 malware," that is, nasty computer programs that don't just spread in social networks, but actually use the infrastructure of the social networks themselves to do the spreading.

Botnets are groups of computers compromised by malware programs, often called "zombie computers," which are controlled by "bot herders," the person or persons responsible for remotely controlling the infected PCs, unbeknownst to the PCs' owners. Traditionally, a centralized server of some sort would issue the commands that instruct the computers what action to perform. In many cases, the zombie machines are used to send out spam, to perform click fraud, to aid in identity theft, or are directed to attack another web server on the internet, as was recently seen with the Twitter/Facebook/LiveJournal attacks of last month.

With this particular new trojan, the command-and-control center for issuing the botnet commands is not a single server on the internet. It's Google Groups itself. Using a private newsgroup, the trojan executes a command which logs it into the newsgroup and requests a specific page. The page contains the encrypted commands the malware is to carry out. The responses from the compromised machines are then sent back to Google Groups and are uploaded as posts to the newsgroup.

According to security company Symnatec's analysis of this new trojan, it appears that it is a prototype implementation meant to test the feasibility of using newsgroups in this way. The trojan is attempting to remain discreet and undetected, being used to subtly gather information and potentially determine its future attack targets. The researchers think that the trojan may have been developed for targeted corporate espionage where anonymity and discretion are priorities.

Using Web 2.0 as the C&C for Botnets

This latest trojan isn't the first to use a social network to aid in its spread. What is unusual about it, though, is that it actually uses the social network that is Google Groups to host the commands which control the malware's actions. This is a different sort of scenario than your typical social networking-based malware which simply uses popular online networks as the vector for the attack. This is using the network as the brains.

Another recent example of this sort of Web 2.0-controlled malware involves the recent discovery of a botnet which used Twitter.com to issue commands. In an arguably ingenious move, Brazilian identity thieves created a Twitter account for the sole purpose of sending out commands to its associated malware. Each command was posted as a status update to the Twitter account. As researchers noted at the time, this sort of setup could have used any number of web sites or services on the internet to do the same - all that was needed was an RSS feed. In fact, the same malware was later seen on both Jaiku.com, a Twitter-like service acquired by Google in 2007, and Tumblr, a simple blogging platform.

Given the open, "anyone-can-post" nature of Web 2.0 and social networking services, the online communities that have become the de facto standard on today's web, it was only a matter of time before that openness was compromised by hackers wishing to use the services for more nefarious purposes than just "sharing with your friends."

For now, there are still relatively few incidents where a botnet has been discovered as using a Web 2.0 service as the command-and-control center for operations. However, the idea must surely appeal to botnet operators as hiding these sorts of messages in the larger social networking infrastructures that house valid communications makes the botnets harder to identify and shut down. You can't simply blacklist the IP or URL once discovered - you have to rely on the social networking vendor to remove the malicious accounts. If any of these recent efforts at web 2.0-controlled malware are successful (and the Google Groups trojan has been - it's been around since November 2008!), then it's likely we'll begin to see even more programs like this in the future.

'Web 3.0,' however, seems to have peaked as a term to describe the next wave of Internet innovation before it even had a chance to happen.

For a the full list of Web 2.0 buzzwords, head over to the Royal Pingdom blog.

Conclusions?

We wouldn't want to draw too many conclusions from this list, as it is based on search terms, and as users get more familiar with these and start bookmarking their favorite sites, they will probably start using search less. Also, as these terms become household names, fewer users will look them up on Google.

In some ways then, we might be able to interpret the decline of searches for 'RSS' or 'cloud computing' as a positive thing, as users have replaced searches for these general terms with more specific queries.

I'm not sure that I buy either argument.

"But the social Web - the true definition, we think, of this most recent wave - has sparked tremendous innovation. It has given us the "operating systems" for social networks, the culture of conversation and engagement, the discipline of rapid and disruptive development, and the technology basis on which to build reliable, scalable Web applications. In short, it's delivered a platform on which to build the next phase of the Web."

It's arguable whether there's much difference between 'web 2.0' and the 'Social Web'. We at ReadWriteWeb have been using both terms interchangeably over the past couple of years. But I do take Chris' point that, whether you like the term web 2.0 or not, what we've ended up with is a solid Web platform for applications and services.

So what's next? Chris identifies:

• Distributed Web: "disseminating information and applications to the users where ever they may be - another Web site, a mobile device, a consumer electronics gadget."
• A Smarter Web: better information discovery.
• Business Becomes Usual: defined by Shipley as moving beyond the 'free' model that consumer apps have practiced in the web 2.0 era, to apps for SME/enterprise and business models such as subscriptions for consumer apps.
• Transparency: according to Shipley "this theme has echoed across every market segment and has become a byword in our thinking about the next-generation Web."

The first two points (distributed and smarter) have been themes we've expanded on many times on this blog. Regarding distributed web, last week we wrote about how companies need to have a presence on all major platforms. And regarding a smarter web, an example is the emerging market for Semantic Apps.

So, no argument from us on the first two points.

Where I disagree is the notion that the 'free' model of the Web has ended or will end soon. Online advertising has been a very powerful business model for many, including of course the master of this Web era, Google. While I do agree that consumer apps should explore alternative business models too, in my view the statement by Chris that "free isn't a business model" just isn't true. Clearly 'free' has been a business model for many - and will continue to do so as long as the online advertising portion of the total advertising pie keeps growing (which it is forecast to).

And to the central question of this post: has the Web 2.0 cycle come to a close? Well if it has someone better tell O'Reilly Media and TechWeb ;-) To my mind, unless we see a significant change to the Internet market or the pattern of innovation we're seeing (the Web as platform etc), the current era continues. But it continues to evolve - into semantic web, distributed web, and so on. That's the exciting thing and it's what keeps the creative juices flowing at RWW!

ReadWriteWeb is a partner of DEMOfall 08, being held September 7-9 in San Diego. Our readers can receive a discount rate of $2,395 ($600 off the standard rate of $2,995 and $400 lower than the July early bird rate of $2795) by clicking here for registration.

Image credit: hober