Slashdot Mirror

← Back to Stories (view on slashdot.org)

Attackers Using Social Networks For Botnet Control

Posted by Soulskill on from the eighteen-script-kiddies-liked-this dept.

Trailrunner7 writes "Bot herders and the crimeware gangs behind banker Trojans have had a lot of success in the last few years with using bulletproof hosting providers as their main base of operations. But more and more, they're finding that social networks such as Twitter and Facebook are offering even more fertile and convenient grounds for controlling their malicious creations. New research from RSA shows that the gangs behind some of the targeted banker Trojans that are such a huge problem in some countries, especially Brazil and other South American nations, are moving quietly and quickly to using social networks as the command-and-control mechanisms for their malware. The company's anti-fraud researchers recently stumbled upon one such attack in progress and watched as it unfolded."

8 of 40 comments (clear)

  1. Obvious next step by The+MAZZTer · · Score: 5, Insightful

    Steganography. Of course it alone won't keep a good virus researcher from figuring out what's going on, but Facebook/whoever will just see a legitimate profile (and that may make it that much harder to get it taken down).

    Messages posted, postings on others' walls, images posted, even friends made in a particular order could all carry hidden meaning for watching malware.

    1. Re:Obvious next step by countSudoku() · · Score: 3, Interesting

      I would love to mod this "Like", but I fear that will launch an attach from BotVille. Speaking of which, why not just use a malware metaphor, say farming, build up a fake business around that as a "game". Then let thousands of stupid people who like shitty "games" play it to control and command their warez-botz-thingyz? Ooops, too late!

      --
      This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
    2. Re:Obvious next step by Anonymous Coward · · Score: 2, Insightful

      The point is still valid regardless of how much you obfuscate the process of searching for commands. Lets say you have a botnet client that scans the images on 10,000 Facebook profiles looking for commands hidden by a steganographic process. A security researcher who has a copy of your botnet client is still able to either disassemble your client or monitor the execution/memory of your client and reverse engineer whatever methods you use to search for commands.

      It's similar to the way a piece of software checks if it has a valid serial; this process may be obfuscated but it's still possible for crackers to reverse engineer this and create a key generator.

      Note: I'm not the same AC as above.

    3. Re:Obvious next step by TheLink · · Score: 3, Funny

      I jokingly suggested something related before- create some software to have servers to join facebook, and those servers can answer stupid quizzes like "20 Ways to know if you're a Windows 2008 R2 server".

      With status messages like:
      ProcessingNode192 is bored (has nothing to do)...
      StorageServer01 is feeling degraded (on array #2)...

      --
  2. Finally, IRC is safe! by lemur3 · · Score: 5, Funny

    I was really starting to worry that these Command & Control things that use IRC chatrooms were going to ruin the good reputation that IRC has built up over the years.

  3. is this news? by WillgasM · · Score: 2, Informative

    I thought they had been doing this for a long time now.

    1. Re:is this news? by WillgasM · · Score: 2, Informative

      in fact http://it.slashdot.org/story/09/08/14/1828248/Twitter-Used-To-Control-Botnet-Machines

  4. The new IRC? by bjartur · · Score: 2, Insightful

    Meh, IRC has been used for this purpose for a long time. Switching to the centralised Twitter service for increased anonymity is just an evolution, not a revolution.