Comments on: Botnet communication over Twitter, Reddit, social web

By: TerrorBite

TerrorBite — Mon, 26 Jan 2009 13:24:29 +0000

I think I found a twitter botnet… http://twitter.com/masterconsole
Tweets by this user are frequent, and include messages like:

#mcp: $cmd=ban $drone=1620 $reason: host is a virtual machine (honey pot?) $code: 4122 $job=786620430-12038

#mcp: $cmd=install $scope=gateway $payload=252 2629898148293275722137311933159247363679864621 5724588

#mcp: $job=71224324-20007 completed in 2 cpu days.

What's the matter, @SarkProgram? You look nervous. (a reference to the movie Tron)

By: botnet

botnet — Wed, 24 Dec 2008 05:31:42 +0000

I wouldn’t be surprised if some communications are already being facilitated by twitter. Although, there are much more efficient and effective mechanisms for managing and spreading bots.

Let’s be clear on one thing. Some of the recent randsomware does have flaws. Most of the original source malware and bots are professional done, CVS archives, and source management. Your statement is true for the all the skiddies that steal the code and try to use it.

Malware and bots are strictly a numbers game. Don’t let anyone ever tell you differently: it’s always about the money.

By: Leigh Honeywell

Leigh Honeywell — Sat, 20 Dec 2008 09:12:48 +0000

Michael hit the nail on the head. Modern botnets are using two things as Command and Controls: P2P protocols (primarily custom stuff built on top of Overnet) and http traffic stored on compromised servers.

Some relevant stuff can be read about at Brandon Enright’s site: http://noh.ucsd.edu/~bmenrigh/ (scroll down to the “Exposing Stormworm” link, I hate linking directly to things like Powerpoint files ), and an analysis of the domain name generation algorithm for the Srizbi botnet.

-Leigh

By: Zeroth

Zeroth — Wed, 17 Dec 2008 22:38:05 +0000

Way ahead of you, lol. I remember reading a book about encryption combined with malware, and the possible ways. It was all thought-experiment stuff, mostly as security research. One of the key concepts they found was that it was entirely possible to have a specific url purchased that is a cryptographic determination(from the date), and at this url is a publically accessible BBS. The bots/masters can post encrypted communications and they showed that unless there was a mistake in the encryption algorithms, it would be nigh impossible to round up the author. He even explored methods of viruses ransoming off encrypted data. Luckily, the virus writers and bot writers so far are pretty dumb, relatively. Most ransomware is badly coded, and uses a predetermined public key, instead of a hashed public key. Interesting ideas though!

By: Matthew

Matthew — Thu, 11 Dec 2008 02:07:29 +0000

This is certainly a very interesting idea. Of course it all comes down to how crafty the communications are – and if access to those sites is actually allowed or not. Alternatively, the botnet owner could also set up their own ’social networking’ portal.

By: Michael Chang

Michael Chang — Wed, 10 Dec 2008 22:31:09 +0000

Why not just use XML-RPC, and stick some sneaky code into a publicly accessible web server? That seems much less contrived…

Of course, the biggest issue I can see with this is that HTTP communication requires polling… which slightly increases the complexity of any bot program. You need to make sure the bot is inconspicuous enough or otherwise a sysadmin might see the logs and wonder why someone keeps connecting to twitter every 5 minutes on the :00.

By: Jarek Piórkowski

Jarek Piórkowski — Wed, 10 Dec 2008 07:34:16 +0000

This is asking for a proof of concept, Tony.