I recently encountered an interesting malware sample. Examining its network activity, I noticed that it was beaconing out to translate.google.com. It doesn’t really make sense that malware would need to translate a webpage, so I took a closer look at what was going on. It turns out that the malware was using Google Translate (and other translation websites) to proxy access to its malicious websites. Using the translation pages allows the malware to communicate with its command and control servers without ever connecting to them directly; analysis of the traffic would only show connections to Google Translate servers. Those websites may contain commands or configuration that the malware downloads.
The malware uses this translation proxying when its own domain or IP is blocked. It uses Google Translate, Bing Translator, or Yahoo! Babel Fish for this purpose, sending HTTP GET requests built from the following strings, where *URL* is the URL it wishes to access:
After the malware downloads the translated page, it parses the embedded iframe to reach the content of the proxied page. The translation services return the original markup, so this even gives the malware access to HTML comments embedded in the page, if that is where the data it is after has been hidden.
You would think that blocking the domain and IP is enough to stop malware from communicating over the network, but that won’t be enough in this case: the DNS lookups and TCP connections all go to the translation service, never to the malicious host. You can protect yourself by looking inside the HTTP GET requests for the malicious domain as well as blocking the DNS queries for it. So for example if the malware is accessing badsite.com, block DNS requests for badsite.com, but also create a signature that looks for “badsite.com” in the GET request. Because the target URL is carried inside the request URL as a parameter and is normally percent-encoded, the signature should match the decoded value of that parameter rather than rely on a raw substring of the request line.
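To show what such a signature has to handle, here is an added detection example (it is not the author’s code, and the request records, translation hostnames and query-parameter names in it are constructed assumptions, since the post does not reproduce the exact request strings). Rather than trusting a parameter name, it percent-decodes every query value of a GET to a translation host, and when a value decodes to a URL it compares that URL’s hostname against the blocklist. A raw substring check is kept alongside for contrast:

```python
"""Flag C2 traffic proxied through public translation services by inspecting
the URL carried in the HTTP GET request, not just the destination host.

Added example for this post, not the author's code. The request records,
translation hostnames and query-parameter names below are assumptions; the
detector therefore ignores parameter names and tests every query value that
decodes to a URL.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

# Hosts of the translation services the post names (assumed for this example).
TRANSLATION_HOSTS = {
    "translate.google.com",
    "www.microsofttranslator.com",
    "babelfish.yahoo.com",
}

# Domains known to host the malware's pages (placeholder name from the post).
BLOCKED_DOMAINS = {"badsite.com"}

# Constructed (host_header, request_line) records standing in for proxy logs.
CONSTRUCTED_REQUESTS = [
    ("translate.google.com",
     "GET /translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fbadsite.com%2Fcfg.html HTTP/1.1"),
    # Double-encoded, with the dots of the hostname encoded as %2E as well.
    ("www.microsofttranslator.com",
     "GET /bv.aspx?from=&to=en&a=http%253A%252F%252Fcnc%252Ebadsite%252Ecom%252Fcmd HTTP/1.1"),
    ("translate.google.com", "GET /translate?u=http%3A%2F%2Fnotbadsite.com%2F HTTP/1.1"),
    ("translate.google.com", "GET /translate?u=http%3A%2F%2Fexample.org%2Fnews HTTP/1.1"),
    ("badsite.com", "GET /cfg.html HTTP/1.1"),
]


def host_matches(host, blocked):
    """True if host is one of the blocked domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded URLs are recognised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_urls(path):
    """Return every query value of the request path that decodes to a URL.

    parse_qsl splits on '&', so an unencoded target URL carrying its own query
    string loses its tail here; the hostname, which is all we match on, survives.
    """
    urls = []
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        decoded = fully_decode(value)
        if decoded.lower().startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def inspect_request(method, path, host_header):
    """Classify one request against BLOCKED_DOMAINS.

    Returns ("direct", domain) for a request sent straight to a blocked host,
    ("proxied", domain) for a GET to a translation service whose query carries
    a URL on a blocked host, and None otherwise.
    """
    host_header = host_header.lower()
    for d in BLOCKED_DOMAINS:
        if host_matches(host_header, {d}):
            return ("direct", d)
    if method != "GET" or host_header.rstrip(".") not in TRANSLATION_HOSTS:
        return None
    for url in embedded_urls(path):
        try:
            target = urlsplit(url).hostname or ""
        except ValueError:  # attacker-controlled value, e.g. a malformed IPv6 literal
            continue
        for d in BLOCKED_DOMAINS:
            if host_matches(target, {d}):
                return ("proxied", d)
    return None


def naive_substring_match(request_line, domain="badsite.com"):
    """The suggested signature taken literally: a raw substring check.

    Kept for contrast: it fires on notbadsite.com and misses a request whose
    hostname dots are percent-encoded.
    """
    return domain in request_line


def scan(records):
    """Run inspect_request over (host_header, request_line) records."""
    hits = []
    for host_header, request_line in records:
        method, path, _ = request_line.split(" ", 2)
        verdict = inspect_request(method, path, host_header)
        if verdict:
            hits.append((host_header, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_REQUESTS):
        print(hit)
```

Run against the constructed records, `scan` flags the first two translation requests as proxied access to badsite.com and the last record as a direct connection, while the notbadsite.com and example.org requests pass. The raw substring check gets both edge cases wrong: it matches the notbadsite.com request and misses the one whose hostname dots are encoded as %2E, which is why the decoded hostname, not the request line, is the right thing to match on.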