Microsoft is fighting back against Chinese hackers who started spreading spying malware on a TechNet forum.
The Chinese group, known as Deputy Dog, had embedded command and control (CnC) codes into TechNet, a Redmond website for IT professionals seeking to troubleshoot product issues.
The malware aided a cyber espionage campaign known as BLACKCOFFEE, and the cyber criminals came up with a clever way of hiding it from IT security forces.
They created a variety of profiles and posts on TechNet to hide the CnC code within, a technique labelled "hiding in plain sight" by security research firm FireEye, which spotted the bugs.
Doing this meant victims' anti-virus software would read this traffic as benign, because it came from a safe site and was hidden among vast amounts of traffic on the website, said FireEye.
A report by the security business read: "This technique can make it difficult for network security professionals to determine the true location of the CnC, and allow the CnC infrastructure to remain active for a longer period of time."
This means that while TechNet's security wasn't compromised, Deputy Dog managed to evade Redmond's own team of bothunters, The Digital Crime Unit, and spread the malware to its unsuspecting targets.
However, FireEye teamed up with Microsoft to hit back, tagging the malware with tracking codes to trace the bugs back to their botnet servers and so discover the party responsible.
The security firm's Threat Intelligence group wrote in a blog post: "By injecting encoded data onto some of the TechNet pages, the FireEye-Microsoft team was able to gain insight into the malware and the victims.
"This information will help them work with the anti-virus community to generate signatures to identify and clean systems affected by BLACKCOFFEE and alert other forum and message board managers to be on the lookout for this technique"
"Though the security community has not yet broadly discussed this technique, FireEye has observed other threat groups adopting these measures and expect this trend to continue on other community sites," the company said.
