Slashdot Mirror


Hackers Increasingly Using Twitter For Botnets

Trailrunner7 writes "Spammers aren't the only ones who have figured out that social networks like Twitter and Facebook are good for business. Sophisticated hackers conducting targeted attacks are also using the networks as a tool to manage malware installations on victims' networks. Mandiant's latest "M-Trends" report, released on Thursday, says that the company has observed an increasing number of so-called "Advanced Persistent Threats" that are hijacking legitimate social networks and Web based services, including Facebook, Google Chat and MSN as command and control networks for malware installations. The revelation is part of a larger trend that saw sophisticated attacks on commercial entities outstrip attacks on the networks of government agencies and defense industry players, Mandiant reported."

56 comments

  1. Why? by woolpert · · Score: 1

    I don't understand what the incentive is to stop using IRC for command and control.

    1. Re:Why? by johnncyber · · Score: 2

      Twitter and social networks are more likely to be used by the average person. Whereas IRC has been getting an (undeserved) bad rap for nefarious things.

    2. Re:Why? by rabbit994 · · Score: 4, Informative

      Because you generally have to run your own servers which means you need your own domains (or hijack someone else's) and DNS/Domains/Servers become a very weak point of failure. Not to mention it's easy to discover viruses if you know which server they are connecting to. GTalk and Twitter traffic is pretty indistinguishable from legit traffic and it's easier to hide.

    3. Re:Why? by Anonymous Coward · · Score: 5, Insightful

      Companies are more aggressively blocking outbound traffic to services not needed by most users, such as IRC. Whereas egress HTTP/s is almost universally permitted.

    4. Re:Why? by John+Hasler · · Score: 3, Insightful

      I don't understand what the incentive is to stop using IRC for command and control.

      Getting through firewalls, I should imagine. Companies are likely to block IRC but they dare not block Twits-R-us and FaceSpace. Traffic there also seems less likely to trigger IDSs.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    5. Re:Why? by Anonymous Coward · · Score: 1

      IRC is less widely used than Twitter, so it is much easier to hide the command and control among the mass of Twitter messages. Also Twitter uses standard HTTP port, which is less likely to be blocked than an IRC port.

    6. Re:Why? by kronosopher · · Score: 1

      Who uses Twitter and IRC's ill-repute are irrelevant to the fact that it is useful for hackers.

    7. Re:Why? by shish · · Score: 1

      Because you generally have to run your own servers

      What's wrong with a private channel on a public network? (Or several for redundancy)

      which means you need your own domains

      What's wrong with a list of IP addresses?

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    8. Re:Why? by Securityemo · · Score: 1

      It's cleartext, and limited in behaviour to, well, IRC chatter/extra commands. I've been thinking about this, and a practical solution would presumably be some sort of heavily steganographic P2P protocol able to run across several channels arbitrarily - meaning the bot could mask itself as HTTP traffic, torrent traffic, etc... and switch between these protocols (like "frequency hopping") in a plausible-looking manner, or even communicate with a remote bot/CnC server masking as several simultaneous protocols.

      It would have to mask itself according to the type of host - a PC on a customer ISP range couldn't make itself look like a webserver but torrents would be fine, and an infected webserver could only communicate safely to the outside using answers to HTTP requests (presumably the bot could communicate by installing a custom driver in the Windows networking driver chain, if I've understood those techniques correctly) and so on. An engine like that would obviously be useful for masking targeted intrusions too, not just botnets.

      --
      Emotions! In your brain!
    9. Re:Why? by kronosopher · · Score: 1

      Because you generally have to run your own servers which means you need your own domains (or hijack someone else) and DNS/Domains/Servers become very weak point of failure. Not to mention it's easy to discover viruses if you know which server they are connecting to. GTalk and Twitter traffic is pretty indistinguishable from legit traffic and it's easier to hide.

      IRC servers are still fairly popular, and there are more than enough of them to exploit. How is using a social-network any less a point-of-failure than IRC? What makes HTTP or UDP any more or less distinguishable than plain old TCP?

    10. Re:Why? by Anonymous Coward · · Score: 0

      Not really. The more stupid the user, the easier to fool them.

      I see quite frequently sudden chats from people on Facebook that I normally never chat with. "Oh, look, a photo: http://whatever/Photo.exe". Sure, I don't click it. I know the average user does (and did, as how else did they get infected?).

      Facebook has >half a million rather non-tech-savvy users. A nice target.

    11. Re:Why? by Lord+Ender · · Score: 2

      Twitter's popularity and reputation mean it is less likely to be blocked, and traffic to it is less likely to be scrutinized by security analysts.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    12. Re:Why? by crackspackle · · Score: 1

      Perhaps because HTTP is far less likely to ever be blocked by the victim, either intentionally or because they bought some new network hardware. Also, the main use of Twitter would be to inform the bot where to go if its current C&C server was taken out. At that point, it would probably try a variety of protocols to reach it until one worked.

    13. Re:Why? by Securityemo · · Score: 1

      Because it's a central point of failure. If the IRC admins block all the bot IPs, your command structure is broken entirely. Whereas if you set up a CnC server on a "bulletproof host", the only breakage will be from individual infected networks/hosts blocking traffic.

      --
      Emotions! In your brain!
    14. Re:Why? by a+Flatbed+Darkly · · Score: 1

      IRC's usually on an obvious port and has a discrete protocol of its own. There's no mistaking IRC. With Twitter everything's through HTTP, so people involved have some small level of deniability, and people are far more likely to notice an odd connection appearing on an abnormal port and look into it than they are to pay any heed to the din of HTTP.

    15. Re:Why? by BenLeeImp · · Score: 1

      You seem to be confusing the C&C network with the infection vector. This article is about hackers using twitter, etc, as a way to provide instructions to their botnets.

    16. Re:Why? by Securityemo · · Score: 1

      The point here is, not being blocked or detected on a large scale, so you mask as the most popular protocol. Social networks have displaced IRC at this point, so they would be more useful to the botnet herders.

      --
      Emotions! In your brain!
    17. Re:Why? by Anonymous Coward · · Score: 1

      Undeserved? IRC is ridiculous and has been for some time.

      Basic outline of any IRC chatroom:

      captnitro: hey whats goin on
      ice8229: no fuck that
      captnitro: what?
      peebles: your mother is a whore, you know it
      ice8229: i'm not going to buy a goddamn program just to rip
      ice8229: anybody know of an open one?
      fisher0: i kno cuz i fuckerd her d00d
      captnitro: what the hell is going on here?
      adbot: MP3Z MOVIEZ WAREZ BAGELZ go to 62.182.100.10
      binaryman: 1000100011110101
      captnitro: huh?
      binaryman: 1001111010111110
      sharky: get out n00b
      fisher0: i am not a virgin i so fskced her! in the ears
      pornking: anybody want to cyber?
      10yearold: yes

      Clearly the domain of kings.

    18. Re:Why? by Anonymous Coward · · Score: 0

      A lot of datacenters block the ports used by IRC. This wastes a lot of bots. Unless we're talking about home machines, there isn't really a reason to not use IRC.

    19. Re:Why? by Anonymous Coward · · Score: 0

      IRC is where hackers go when they don't want to be overheard

      http://www.youtube.com/watch?v=wXW-HnRSrbQ

    20. Re:Why? by surgen · · Score: 1

      What's wrong with a private channel on a public network? (Or several for redundancy)

      When I was an IRCop, whenever I found a c&c channel I would put a bot in there to gline anyone who entered. About once a month or so we'd go on hunting trips to find bots reporting to our network. Rather than build the redundancy of multiple networks into the malware, they'd rather use a system they can still fly under the radar on.

      What's wrong with a list of IP addresses?

      DHCP. You can't expect to find a box that can't be traced back to you and rely on it keeping the same IP address.

      A list of IPs or IRC networks are finite resources. The chances of losing control of your bots by relying on these is higher than if you rely on something like Twitter.

    21. Re:Why? by shoehornjob · · Score: 1

      This shouldn't even be an issue for corporate networks as both of those sites are probably blacklisted on the proxy server. It's the end users at home that have to be worried about this. Oh wait.. I forgot, these are the same people who click the link when they get a popup "your computer is infected with 800 viruses. Click here to download super duper trojan ware." Never mind.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    22. Re:Why? by Anonymous Coward · · Score: 0

      I don't understand what the incentive is to stop using IRC for command and control.

      Stability. Things get nasty at 30,000+ clients.

    23. Re:Why? by 99BottlesOfBeerInMyF · · Score: 1

      This shouldn't even be an issue for Corporate networks as both of those sites are probably blacklisted on the proxy server.

      I don't think this is true. Most corporations these days have Twitter and Facebook accounts as marketing tools. Also the execs like to go on there and spout nonsense and use it for recreation. In many companies employees are encouraged to visit both sites during the day. I'm not sure of the reasoning for this (other than to make them seem more popular?) but I've seen it at several corporations.

    24. Re:Why? by bberens · · Score: 1

      The more you can blend your bits in with "legitimate" bits the harder it is to detect you.

      --
      Check out my lame java blog at www.javachopshop.com
    25. Re:Why? by AftanGustur · · Score: 1
      I do fight APTs on a daily basis, this was a part of my work today.

      Generally IRC is no longer a good C&C protocol for a number of reasons:

      1) Companies are increasingly putting in place protocol filters, so that only pure HTTP gets out of the company,

      2) IRC runs on a port that is almost always blocked; you could use your own servers, but then you come again to the problem of "your servers",

      3) IRC has problems getting out through company proxies.

      4) You asked "what is wrong with a list of IP addresses"; well, in a log report, IP addresses stand out like a sore thumb and are immediately visible.

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
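Several replies in this thread argue that C&C over HTTP to a popular site blends in with ordinary browsing, and AftanGustur notes above that bare IP addresses stand out in a log report. The following is an added example, not code from the original thread or from the Mandiant report, showing the two checks a proxy-log review would actually run: flagging destinations that are IP literals rather than hostnames, and flagging client/host pairs whose request timing is suspiciously regular, which is what makes a bot polling a feed on a timer distinguishable even when the destination is a well-known service. The log format, hosts and every entry are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from ipaddress import ip_address

# Constructed proxy log: "<epoch seconds> <client IP> <destination host> <path>".
# Hypothetical format, clients and data; not taken from any real proxy.
SAMPLE_LOG = """\
1300000000 10.1.1.5 twitter.com /statuses/user_timeline/acct.json
1300000300 10.1.1.5 twitter.com /statuses/user_timeline/acct.json
1300000600 10.1.1.5 twitter.com /statuses/user_timeline/acct.json
1300000900 10.1.1.5 twitter.com /statuses/user_timeline/acct.json
1300001200 10.1.1.5 twitter.com /statuses/user_timeline/acct.json
1300001500 10.1.1.5 twitter.com /statuses/user_timeline/acct.json
1300000010 10.1.1.7 twitter.com /
1300000130 10.1.1.7 twitter.com /search?q=lunch
1300000900 10.1.1.7 twitter.com /home
1300002200 10.1.1.7 twitter.com /messages
1300003100 10.1.1.7 twitter.com /
1300003150 10.1.1.7 twitter.com /logout
1300000050 10.1.1.9 203.0.113.4 /update.php
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return (timestamp, client, host, path) tuples, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, host, path = m.groups()
            entries.append((int(ts), client, host, path))
    return entries


def is_ip_literal(host):
    """True when the destination was written as an IPv4/IPv6 address, not a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_ip_literal_hosts(entries):
    """Client/destination pairs where whatever made the request skipped DNS."""
    return sorted({(client, host) for _, client, host, _ in entries if is_ip_literal(host)})


def find_beacons(entries, min_requests=6, max_cv=0.1):
    """Client/host pairs whose inter-request gaps are nearly constant.

    A person browsing twitter.com produces bursty, irregular gaps; a bot polling
    a timeline on a timer produces gaps whose coefficient of variation is near 0.
    """
    times = defaultdict(list)
    for ts, client, host, _ in entries:
        times[(client, host)].append(ts)
    beacons = []
    for (client, host), stamps in sorted(times.items()):
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append((client, host, round(mean), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for client, host in find_ip_literal_hosts(entries):
        print(f"IP-literal destination: {client} -> {host}")
    for client, host, period, cv in find_beacons(entries):
        print(f"Beacon-like: {client} -> {host} every ~{period}s (cv={cv})")
```

On the constructed data 10.1.1.5 is flagged as beacon-like (six requests exactly 300 s apart) while 10.1.1.7, hitting the same host with human-looking gaps, is not; 10.1.1.9 is flagged for talking to a bare IP. Real bots add jitter, so in practice the `max_cv` threshold is tuned against a baseline rather than set to a single value.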
    26. Re:Why? by bberens · · Score: 1

      I wanted to join the Redhat IRC channel so I could get some help with a server issue we were having in our production environment. Apparently opening an IRC port at my company required an "ok" from the CIO of the company. Yup, for realz.

      --
      Check out my lame java blog at www.javachopshop.com
    27. Re:Why? by bberens · · Score: 1

      My company has twitter and facebook accounts as marketing tools. There's like 3-4 people who have that site opened to them via the proxy. Everyone else has varying degrees of "freedom" to use the web. Our call center folks have the least access, developers tend to have fairly open access.

      --
      Check out my lame java blog at www.javachopshop.com
    28. Re:Why? by AndroSyn · · Score: 1

      Because most public IRC networks actively go out of their way to rid their networks of channels used for C&C. They don't want botnets either.

    29. Re:Why? by flappinbooger · · Score: 1

      I just read an article saying that conficker is still alive and well, but the CnC servers are being blocked and/or taken down - essentially rendering the malware mostly harmless with the head cut off.

      It's interesting to read about this, I played around with tweet-my-pc a while ago and the amount of control available through the twitter system is interesting. Putting your CnC on a massive and pervasive system that someone else keeps up and pays the bills for (FB or twitter) is brilliant.

      However, I heard that twitter was going to start cracking down on accounts being used for such things. Perhaps they just simply can't?

      --
      Flappinbooger isn't my real name
    30. Re:Why? by g4b · · Score: 1

      you simply rely on a social network being more persistent I think. Maybe they only take it as an alternative.

      Having to rely on IRC may need your own infrastructure, or relying on other IRC services, or at least DNS systems to redirect the listening ears of your little cockroaches.

      Whoever thought some stupid oneliners on a fake account somewhere might trigger a DDoS attack after all?

      Maybe aboing all those bot-ladies knocking on my twitter account and listening to their sexy chitchat has some pattern... mhhmmm....

  2. orly? by kronosopher · · Score: 2

    Twitter is actually good for something after all

  3. I had an idea like this once... by Anonymous Coward · · Score: 0

    I've never actually been involved in creating, maintaining, or commanding a botnet, but in college I thought this would be an interesting project, so I spent some time thinking about it. One issue involved is: how would peers in a botnet discover each other, when I don't want to run something like a central server?

    This was 2005 or so, so Twitter didn't exist. My idea was to make the bots do targeted vandalism to Wikipedia, in a way that looks benign (like some punk kid) but my clients would crawl the site looking for this coded vandalism, and use that to discover peers.

    I never tried this, and I guess for a site like Wikipedia my clients would get banned pretty quickly, and if they ever got large in number the whole thing wouldn't work. I guess they've also added captchas for anonymous users. But twitter seems just right for this purpose: there's already a lot of noise on the site and it's doubtful that anyone is really monitoring what kind of crap people are putting there. And it has a search feature. There are already lots of spambots on there as well.

    But then, someone else here suggested, why not just mooch off someone's IRC server? I suppose that would work just as well.

    1. Re:I had an idea like this once... by Anonymous Coward · · Score: 0

      /b/ + .rar FTW

      oops, maybe I shouldn't have said that...

  4. Meh by Anonymous Coward · · Score: 0

    Not surprising. Bots mostly went from IRC-controlled (insecure, inefficient, unreliable, weak) to IRC+SSL-controlled (inefficient, unreliable, weak, massive-computational-cost) to proprietary P2P networks (overwhelming complexity). At the same time there was HTTP (inflexible, weak) and IM*. Bot coders are some of the laziest programmers around... of course they will let someone else solve their biggest issue.

    * I never saw IM used in practice, so I don't really know the drawbacks around it. Probably hard to maintain with all the constant protocol changes.

  5. A lot of it might have to do by citoxE · · Score: 2

    with how Twitter and various other social networks utilize hyperlinks. The problem is that most URLs are shortened in messages, so all person A has to do is tell person B something is going on, and click the link to find out more. Person A clicks link, silent download commences. It's circumstances like these where I wish URL shortening would just fall off the face of the earth. It just has such a high possibility of being exploited and there's no way to see where the shortened URL will go without using some script, it's just not that safe.
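citoxE's point that a shortened URL gives no indication of where it lands can be checked without opening the destination in a browser. The following is an added example, not code from the original thread, that unrolls a redirect chain one HEAD request at a time, never retrieves a page body, and stops on a loop or after a fixed number of hops. The `fetch_head` callable is injected so the chain can be resolved offline against a constructed table of responses; `http_fetch_head` is the real-network variant using only the standard library. Every hostname in the table is hypothetical.

```python
import http.client
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def unroll_redirects(start_url, fetch_head, max_hops=10):
    """Follow redirects hop by hop using only HEAD requests.

    fetch_head(url) must return (status_code, headers_dict). Returns the list of
    URLs visited and an outcome: "final", "loop", "too-many-hops" or
    "redirect-without-location". No page body is ever fetched, so a malicious
    landing page is never rendered or executed while resolving the link.
    """
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch_head(url)
        headers = {k.lower(): v for k, v in headers.items()}
        if status not in REDIRECT_CODES:
            return chain, "final"
        location = headers.get("location")
        if not location:
            return chain, "redirect-without-location"
        nxt = urljoin(url, location)  # Location may be relative to the current URL
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "too-many-hops"


def http_fetch_head(url, timeout=5):
    """Real-network fetch_head: a single HEAD request, redirects not followed."""
    p = urlparse(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    try:
        target = (p.path or "/") + (f"?{p.query}" if p.query else "")
        conn.request("HEAD", target, headers={"User-Agent": "redirect-unroll/0.1"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed responses standing in for a shortener and a redirector; every
# hostname is hypothetical and the table exists only so the example runs offline.
FAKE_RESPONSES = {
    "http://short.example/abc": (301, {"Location": "http://redirector.example/r?x=1"}),
    "http://redirector.example/r?x=1": (302, {"Location": "/landing"}),
    "http://redirector.example/landing": (302, {"Location": "http://files.example/Photo.exe"}),
    "http://files.example/Photo.exe": (200, {"Content-Type": "application/octet-stream"}),
    "http://loop.example/a": (302, {"Location": "http://loop.example/b"}),
    "http://loop.example/b": (302, {"Location": "http://loop.example/a"}),
}


def fake_fetch_head(url):
    """Offline stand-in for http_fetch_head backed by FAKE_RESPONSES."""
    return FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    for start in ("http://short.example/abc", "http://loop.example/a"):
        chain, outcome = unroll_redirects(start, fake_fetch_head)
        print(outcome, " -> ".join(chain))
```

HEAD-based unrolling cannot see JavaScript or meta-refresh redirects, and some hosts answer HEAD differently from GET, so treat the final URL as a lower bound on where the link really goes, not a guarantee.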

    1. Re:A lot of it might have to do by Anonymous Coward · · Score: 0

      > Person A clicks link, silent download commences.

      Only if person A's computer is very mis-configured such that merely clicking on a hyperlink can somehow cause problems for it.

      There's no way that merely clicking on a shortened URL should cause problems. Person A doesn't run scripts without some basic reason to trust them, right? And they *certainly* don't run executables from a completely untrusted web site. The URL might, at worst, show them an image they don't want to see, but that should be the worst of it.

      I've (accidentally) visited malware domains before. I've never had a single problem, because I'm not idiotic enough to let them mess with my computer.

    2. Re:A lot of it might have to do by Anonymous Coward · · Score: 0

      'Only if person A's computer is very mis-configured such that merely clicking on a hyperlink can somehow cause problems for it.'

      Add a zero day coupled with a cross-site forged request... and you don't know what you're talking about anymore.

  6. Finally by Anonymous Coward · · Score: 0

    Someone found a good use for twitter!

  7. Using web services to store and transmit data? by BitHive · · Score: 2

    Gee George, deez hackers shore are sophistimacated!

    1. Re:Using web services to store and transmit data? by Securityemo · · Score: 1

      Insisting on sophistication in methods when herding bots would probably be inefficient - what matters is only return on effort and time spent. Kind of like robbers not picking locks, but drilling or smashing them.

      --
      Emotions! In your brain!
  8. http by Anonymous Coward · · Score: 0

    The HTTP port is just not as blocked as other ports.

  9. Excellent! by Anonymous Coward · · Score: 0

    So just block Facebook and Twitter at the firewall. Problem solved.

    Whee! This security stuff is easy.

  10. But how do you control it with only 140 characters by Anonymous Coward · · Score: 0

    But how do you control it with only 140 characters to s

  11. Re:But how do you control it with only 140 charact by 0100010001010011 · · Score: 1

    You issue it a base64-encoded URL of where to get more instructions. Then the attacker can use any website, Google Pages, etc. to issue the command.

    I followed one of them once; they usually added layers of abstraction to make it 'difficult' for a human to follow. Meaning one tweet led to another tweet, which led to another tweet, which led to a URL, which had another URL, which then contained something like "ping whitehouse.gov".
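0100010001010011 describes tweets that carry a base64-encoded URL pointing at the next layer of instructions. As an added example, not code from the thread or from any malware it discusses, here is the check an analyst can run over a captured set of messages: pull out tokens long enough to be a base64 blob, try both the standard and the URL-safe alphabet, and report any that decode to an http(s) URL. The sample messages are constructed; the encoded blob in them is base64 of the hypothetical address http://example.net/status.html.

```python
import base64
import binascii
import re

# Runs of base64 characters (standard or URL-safe alphabet) long enough to
# carry a URL. 12 chars is only 9 bytes, so nothing shorter than "http://a.b"
# can be represented; raise the minimum to cut false positives further.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{12,}")
URL_RE = re.compile(r"^https?://\S+$")


def decode_if_url(token):
    """Return the decoded URL if token is base64 for an http(s) URL, else None."""
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped '=' padding
    for altchars in (None, b"-_"):  # standard alphabet, then URL-safe
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # ordinary words usually fail here or below
        if URL_RE.match(text):
            return text
    return None


def find_encoded_urls(text):
    """All (token, decoded_url) pairs hidden in one message."""
    hits = []
    for token in TOKEN_RE.findall(text):
        url = decode_if_url(token)
        if url:
            hits.append((token, url))
    return hits


def scan_messages(messages):
    """(message index, token, url) for every encoded URL across a feed."""
    return [
        (i, token, url)
        for i, msg in enumerate(messages)
        for token, url in find_encoded_urls(msg)
    ]


# Constructed messages: one benign, one carrying base64("http://example.net/status.html"),
# one with a plain link (not flagged: the check is for the hidden encoding).
SAMPLE_MESSAGES = [
    "lunch at the usual place, anyone?",
    "status check aHR0cDovL2V4YW1wbGUubmV0L3N0YXR1cy5odG1s",
    "new photo http://example.org/photo.jpg",
]


if __name__ == "__main__":
    for index, token, url in scan_messages(SAMPLE_MESSAGES):
        print(f"message {index}: {token} -> {url}")
```

Long ordinary words survive the length filter but almost never both decode to valid UTF-8 and match the URL pattern; the `validate=True` flag also rejects any run containing characters outside the chosen alphabet. Following the chain described above (tweet to tweet to URL) is a matter of feeding each decoded URL's content back through `find_encoded_urls`.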

  12. What is by Anonymous Coward · · Score: 0

    Google Chat?

  13. I thought they were using Telnet? by Guidii · · Score: 1
    Didn't I just finish reading http://it.slashdot.org/story/11/01/27/1334224/Hackers-Bringing-Telnet-Back

    Those hackers must be busy....

  14. Re:But how do you control it with only 140 charact by Frosty+Piss · · Score: 1

    You issue [a] URL where to get more instructions. Then the attacker can use any website, google pages, etc to issue the command.

    Yes you can. And this *isn't* hacking, cracking, or any hot sound-bite word.

    --
    If you want news from today, you have to come back tomorrow.
  15. Great idea by Anonymous Coward · · Score: 0

    Wouldn't it be cool if some trojan just looked up popular hash tags and used those as some form of command? The People's Botnet, who knows what it'll do.

    1. Re:Great idea by SnarfQuest · · Score: 1

      Command received. \/14gR4 ads transmitting now. Nigerian prince story queued.

      --
      Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
  16. Like this? by Anonymous Coward · · Score: 0

    http://twitter.com/ns111042

  17. Teamwork = Teams in any form by Liger_XT5 · · Score: 1

    If a group of people play online on the same game and interact, then it's teamwork in some form. No matter what term you call it. If they want to take "Gangs" out of online games. Then take multiplayer out completely. As long as two people have the ability to be allies, there is going to be teams, as they put it, gangs.

  18. old news by hesaigo999ca · · Score: 1

    I posted about this being the case way back (5 years ago?) when people were talking about IRC bots and CCs, but I got to say, it is impressive that now so many years later, people are catching up to this style of thinking, gives me hope for hackers out there..

  19. 1-800-APTs! by Anonymous Coward · · Score: 0

    And leave off the last "s" for savings!

  20. can your hear me now by Anonymous Coward · · Score: 0

    more likely the bot will be able to get a phone home out of a corporate network if it's doing HTTP than IRC. also more likely able to pull an update or read a command.

    Using an HA web service just seems like a no-brainer.

    You have a distributed HA service to run your command and control; you can also have a lot more points to issue commands from.

    eliminates a lot of problems so long as you can evade the people trying to remove your compromised accounts on the HA host...