Concealing Network Traffic via Google Translate

I recently encountered an interesting malware sample. Examining its network activity, I noticed that it was beaconing out to translate.google.com. It doesn't really make sense that malware would need to translate a webpage, so I took a closer look at what was going on. It turns out that the malware was using Google Translate (and other translation websites) to proxy access to its malicious websites. Using the translation pages allows the malware to communicate with its command and control servers without ever connecting to them directly; analysis of the traffic would only show connections to Google Translate servers. These websites may contain commands or configuration that the malware downloads.

This translate proxying method is often used by the malware when its domain or IP is blocked. The malware uses either Google Translate, Bing Translator, or Yahoo! Babel Fish for this purpose. The malware sends HTTP GET requests using the following strings, where *URL* is the URL it wishes to access:

After the malware downloads the translated webpage, it can parse the embedded iframe to reach the data in the original page. This even allows the malware to access HTML comments embedded in the page, if that is what it is after.

You would think that blocking the domain and IP is enough to stop the malware from communicating over the network, but that won't be enough in this case. You can protect yourself by looking inside the HTTP GET requests for the blocked domains as well as blocking the DNS queries. So, for example, if the malware is accessing badsite.com, block DNS requests for badsite.com, but also create a signature that looks for "badsite.com" in the GET request.
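As an added example (not code from the original post), here is what such a signature looks like when applied to proxy-log GET lines: it checks both the destination host and any URL carried inside the query string, after percent-decoding, so a blocked domain is caught whether it is reached directly or through a translation site. The blocklist entry, the `u=` query parameter and the log lines are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed placeholder blocklist of C2 domains (not real indicators).
BLOCKED_DOMAINS = {"badsite.com"}

# A URL inside a query value: either "http(s)://host..." or a bare host at
# the start of the value. Only the host part is captured.
URL_RE = re.compile(r"(?:https?://|^)(?P<host>(?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def embedded_hosts(url):
    """Hostnames of URLs carried in the query string of a request URL.

    parse_qsl percent-decodes each value once; the extra unquote() also
    catches double-encoded values (http%253A%252F%252F...), which a plain
    substring match on the raw request line would miss.
    """
    hosts = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for m in URL_RE.finditer(unquote(value)):
            hosts.append(m.group("host").lower())
    return hosts


def flagged(url):
    """Blocked domains reachable through this request, either as the
    destination host itself or as a host embedded in the query string.
    Subdomains count (c2.badsite.com matches badsite.com)."""
    candidates = [(urlsplit(url).hostname or "").lower()] + embedded_hosts(url)
    return {d for h in candidates for d in BLOCKED_DOMAINS
            if h == d or h.endswith("." + d)}


def scan(log_lines):
    """Apply the check to GET lines of a proxy log; returns (url, hits) pairs."""
    alerts = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "GET":
            hits = flagged(parts[1])
            if hits:
                alerts.append((parts[1], sorted(hits)))
    return alerts


# Constructed sample log: proxied, benign, double-encoded, direct, non-GET.
SAMPLE_LOG = """\
GET http://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fbadsite.com%2Fcfg.txt HTTP/1.1
GET http://translate.google.com/translate?sl=fr&tl=en&u=http%3A%2F%2Fexample.org%2Fnews HTTP/1.1
GET http://translate.google.com/translate?u=http%253A%252F%252Fc2.badsite.com%252Fcmd HTTP/1.1
GET http://badsite.com/cfg.txt HTTP/1.1
POST http://translate.google.com/translate HTTP/1.1
"""

if __name__ == "__main__":
    for url, hits in scan(SAMPLE_LOG.splitlines()):
        print("ALERT", hits, url)
```

Match the domain as a host (exact or subdomain) rather than as a bare substring, or `notbadsite.com` will trigger the same signature.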

6 thoughts on "Concealing Network Traffic via Google Translate"

  1. This is why we had blocked translation sites at my old job. People would use them to bypass webfiltering software. Old trick, that still works.

  2. Our BlueCoat proxy allows translate sites, but blocks attempts – including this one – to access sites on its ‘do not allow’ list.

    • Would you mind explaining exactly what you mean by this comment, since what's interesting here is the content of the request?

  3. Pingback: Spammers Using Yahoo, Google To Whitewash Links | The Security Ledger
