.

Bot net control using twitter

<<

Bane

Post Tue Aug 18, 2009 12:31 am

Bot net control using twitter

Arbor Networks has an interesting article about a botnet they discovered that uses twitter as the command and control channel. The bot herder was quite ingenius to do this. He/she is able to control the bot net from nearly anywhere as long as he/she can connect to twitter. This method provides a very reliable communications channel with a lot of redundancy, more so than many IRC servers. Additionally, this is an example of hiding covert cmmunications in plain sight and turning a legit site bad, without actually hacking it.

http://asert.arbornetworks.com/2009/08/ ... d-channel/

I expect that more of this will be happening in the future.
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Aug 18, 2009 12:41 am

Re: Bot net control using twitter

Similar techniques were already used before Web 2.0, but I agree with you, that such methods may increase in future.
Twitter and similar services offer anonymous registration, RSS feeds, live updates in real-time, communication through http(s) - things which are likely to be misused because they fit the bill perfectly.

Though I think that using base64 was not a good idea because it can easily be decrypted.
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Aug 18, 2009 4:39 am

Re: Bot net control using twitter

I'm not sure how much we'll see of this in the long term.

I would have thought this could be something that is fairly simple for Twitter to tear down once discovered. Continuing to stick with hosting c&c servers/DNS within 'bullet-proof hosting' centres would be a safer option for botherders I would have thought.

Or am I missing something?
<<

Bane

Post Tue Aug 18, 2009 1:45 pm

Re: Bot net control using twitter

This herder's communication is fairly obvious, due to it looking like a hash.  But imagine if he/she were to make the bot commands subversive. For example, he/se twits, "Went to the store" and the bot net nodes know that to be "get an update from serverX."

It wouldn't take a lot to do someting like this, it is essentially a simple word substitution and would make it very difficult to tell that botnet communication was happening. To take it a step further, the herder culd rotate the key words/phrases on a regular basis.

The reason I can see for doing this instead of having it hosted on your ISP account, etc. is that ISP's are getting better about shutting down hosted sites when law enforcement calls.  Also, why post your C&C on an ISP known for hosting this type of stuff, when you can fly under the radar on a "legit" site. This method additionally provides availability of a true world class hosted service. Also, if the herder were to setup separate accounts for sections of the net, he could have those accounts follow his main account and post upate resposes.
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Aug 19, 2009 3:10 am

Re: Bot net control using twitter

Hi Bane,

I agree with you that most of the commands could be obfuscated, I was thinking more that once the twitter accounts get discovered (AV, malware analysis etc.) it should be simple for Twitter to close the accounts.

I suppose they could go down the conficker route of constantly changing account IDs, but this pattern should again be simple to spot (new account suddenly getting 100s of hits, etc.) and unlike conficker's DNS would only require the action of one company (Twitter) rather than lots of different DNS registrars in different countries.

Reading through some of the research/articles that have been written one aspect that I hadn't appreciated is that it will make network admins' jobs harder as there could already be hundreds or thousands of users already legitimately communicating with the Twitter servers, so spotting the traffic could be more difficult than the old days of looking for IRC traffic or traffic to .ru/.cn.

On reflection, this may be around longer than I first thought...
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Aug 19, 2009 3:19 am

Re: Bot net control using twitter

That's was I meant. There are endless possibilities to to hide the true intends. Masking them so that they look like legit tweets would be one of them.

When offering such a service it must be kept in mind, that sooner or later misusage will occure and that someone exploits it in a way which was not thought of previously.

I don't see much possibilities an owner of such a service have in order to prevent such things. Analyzing the network traffic may help, but again, there are possibilities to circumvent this.
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Aug 19, 2009 9:11 am

Re: Bot net control using twitter

Isn't that the classic definition of hacking:

Making a 'thing' do 'something' it wasn't originally intended to do.

Don
CISSP, MCSE, CSTA, Security+ SME

Return to News from the Outside World

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software