
Attackers Using Social Networks For Botnet Control

Soulskill posted about 4 years ago | from the eighteen-script-kiddies-liked-this dept.

Security 40

Trailrunner7 writes "Bot herders and the crimeware gangs behind banker Trojans have had a lot of success in the last few years with using bulletproof hosting providers as their main base of operations. But more and more, they're finding that social networks such as Twitter and Facebook are offering even more fertile and convenient grounds for controlling their malicious creations. New research from RSA shows that the gangs behind some of the targeted banker Trojans that are such a huge problem in some countries, especially Brazil and other South American nations, are moving quietly and quickly to using social networks as the command-and-control mechanisms for their malware. The company's anti-fraud researchers recently stumbled upon one such attack in progress and watched as it unfolded."


first post? (-1, Offtopic)

ghostoftiber (1859740) | about 4 years ago | (#32956648)


Botnet control message (-1, Flamebait)

Anonymous Coward | about 4 years ago | (#32956742)

Don't forget to pay your BSD developers failing dead last nigger association.

Obvious next step (5, Insightful)

The MAZZTer (911996) | about 4 years ago | (#32956702)

Steganography. Of course it alone won't keep a good virus researcher from figuring out what's going on, but Facebook/whoever will just see a legitimate profile (and that may make it that much harder to get it taken down).

Messages posted, postings on others' walls, images posted, even friends made in a particular order could all carry hidden meaning for watching malware.

Re:Obvious next step (0)

Anonymous Coward | about 4 years ago | (#32956776)

Uh, once they have the trojan they can see what it's doing and which Facebook/Twitter/whatever page it's looking at. Not that hard to detect. Steganography would do nothing to change that.

Steganography is used when someone is trying to conceal that communication is even taking place between parties. In the case of the trojan one of the parties can easily be seen communicating.

Re:Obvious next step (1)

stonewallred (1465497) | about 4 years ago | (#32957466)

Uh, malware scans a list of 10k profiles, and you think they will be able to figure out what it is looking for with all the associated posts, pictures and notes? There is a reason you are an anonymous coward. And it is because of your stupidity.

Re:Obvious next step (2, Insightful)

Anonymous Coward | about 4 years ago | (#32957702)

The point is still valid regardless of how much you obfuscate the process of searching for commands. Lets say you have a botnet client that scans the images on 10,000 Facebook profiles looking for commands hidden by a steganographic process. A security researcher who has a copy of your botnet client is still able to either disassemble your client or monitor the execution/memory of your client and reverse engineer whatever methods you use to search for commands.

It's similar to the way a piece of software checks if it has a valid serial; this process may be obfuscated but it's still possible for crackers to reverse engineer this and create a key generator.

Note: I'm not the same AC as above.

Re:Obvious next step (0)

Anonymous Coward | about 4 years ago | (#32961600)

You're assuming, of course, that public-key cryptography is not used to guarantee each embedded message/command can only be read by its intended recipient (one specific instance of a bot). That means you can only intercept/compromise messages directed towards the bot you reverse-engineered.

If I was a botnet "developer" I would take advantage of the fact that I'm using a social network to build a P2P overlay: each bot only knows/communicates with a reduced number of other bots and commands are simply (cryptographically signed and) injected at any point of such P2P network (from which it can be anonymously propagated). Unless you compromised the bot where the command is injected, you have nothing on me ;)

Re:Obvious next step (1)

Impy the Impiuos Imp (442658) | about 4 years ago | (#32965518)

What's good for the goose is good for the gander.

If defenders could figure out the code, well, I believe this vignette from Star Trek: Next Gen will help:

Data: I have access to the Borg collective

Picarborg: Sleep. Sleep, Data.

Dr. Crusher: He must be exhausted.

Data: Most certainly. But I think he may be telling us something.

Re:Obvious next step (1)

BoberFett (127537) | about 4 years ago | (#32959328)

You said it yourself, steganography is used when trying to conceal that communication is taking place. Isn't that what botnet operators want?

Assuming that access to Facebook, etc. isn't already blocked, a network admin isn't going to notice image downloads from Facebook as quickly as they would repeated hits to [] and there is a lesser chance of the botnet being detected at all.
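
One defender-side check that still surfaces this kind of traffic is per-client periodicity rather than destination reputation. The following is an added example, not code from the thread or from RSA: it parses constructed proxy log lines in an assumed `timestamp client host bytes` format and flags client/host pairs whose request intervals are suspiciously regular.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (timestamp client host bytes). The first
# client polls the same host every ~5 minutes; the second browses normally.
SAMPLE_LOG = """\
2010-07-15T09:00:00 10.0.0.5 www.facebook.com 4120
2010-07-15T09:05:00 10.0.0.5 www.facebook.com 4133
2010-07-15T09:10:01 10.0.0.5 www.facebook.com 4128
2010-07-15T09:15:00 10.0.0.5 www.facebook.com 4119
2010-07-15T09:20:00 10.0.0.5 www.facebook.com 4125
2010-07-15T09:02:14 10.0.0.7 www.facebook.com 51233
2010-07-15T09:03:40 10.0.0.7 www.facebook.com 8812
2010-07-15T09:31:05 10.0.0.7 www.facebook.com 23011
2010-07-15T10:12:55 10.0.0.7 www.facebook.com 3301
"""


def parse(log_text):
    """Group request timestamps by (client, host) pair."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, host, _size = line.split()
        by_pair[(client, host)].append(datetime.fromisoformat(ts))
    return by_pair


def periodicity(times):
    """Return (mean_gap_seconds, coefficient_of_variation), or None if too few hits."""
    if len(times) < 3:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(log_text, min_hits=4, max_cv=0.1):
    """Flag pairs with at least min_hits requests and near-constant spacing.

    A low coefficient of variation means the gaps barely change, which is
    typical of a polling loop and atypical of a person clicking around."""
    flagged = {}
    for pair, times in parse(log_text).items():
        if len(times) < min_hits:
            continue
        stats = periodicity(times)
        if stats and stats[1] <= max_cv:
            flagged[pair] = stats
    return flagged
```

Thresholds (`min_hits`, `max_cv`) need tuning per environment; jittered polling raises the coefficient of variation, so pair this with bytes-transferred and time-of-day checks rather than relying on it alone.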

Re:Obvious next step (3, Interesting)

countSudoku() (1047544) | about 4 years ago | (#32957040)

I would love to mod this "Like", but I fear that will launch an attack from BotVille. Speaking of which, why not just use a malware metaphor, say farming, build up a fake business around that as a "game". Then let thousands of stupid people who like shitty "games" play it to control and command their warez-botz-thingyz? Ooops, too late!

Re:Obvious next step (1)

sea4ever (1628181) | about 4 years ago | (#32957232)

I'm not 100% sure but I think that facebook makes some changes to pictures you upload, compresses them and so forth.
That seems to be the case when I upload a large photo directly from my camera, and on facebook it has been scaled down.
So I guess it would work as long as the data doesn't get corrupted.

Re:Obvious next step (0)

Anonymous Coward | about 4 years ago | (#32958192)

Next thing we know, botnets will be making farms and taking out hits.

Re:Obvious next step (1)

Aeternitas827 (1256210) | about 4 years ago | (#32961208)

And posting inane bullshit to your wall.

Re:Obvious next step (3, Funny)

TheLink (130905) | about 4 years ago | (#32960074)

I jokingly suggested something related before: create some software to have servers join facebook, and those servers can answer stupid quizzes like "20 Ways to know if you're a Windows 2008 R2 server".

With status messages like:
ProcessingNode192 is bored (has nothing to do)...
StorageServer01 is feeling degraded (on array #2)...

Already possible (1)

GameboyRMH (1153867) | about 4 years ago | (#32964752)

OSSEC HIDS supports status updates via twitter, so your IDS control server can gossip and bitch about the ailments of its clients like a senile small-town doctor.

You could also use Twidge and your imagination to come up with some cron jobs that post server status updates.

Re:Obvious next step (1)

pinkushun (1467193) | about 4 years ago | (#32962326)

Noting that in this case, the malware did not bother hiding the messages, but just posted them as notes instead.

Finally, IRC is safe! (5, Funny)

lemur3 (997863) | about 4 years ago | (#32956758)

I was really starting to worry that these Command & Control things that use IRC chatrooms were going to ruin the good reputation that IRC has built up over the years.

Re:Finally, IRC is safe! (0)

Anonymous Coward | about 4 years ago | (#32956986)

I was really starting to worry that these Command & Control things that use IRC chatrooms were going to ruin the good reputation that IRC has built up over the years.

You made me shoot hot coffee out my nose with that comment. I should know better than to read Slashdot while drinking coffee by now...

Re:Finally, IRC is safe! (0, Flamebait)

hoggoth (414195) | about 4 years ago | (#32957462)

I'm so tired of this meme/phrase.

You didn't actually shoot coffee through your nose. (or you are an idiot)
Nobody ever spits their soda on their keyboard, or laughs so hard at a minimally clever post that they spew their soup onto their monitor.

This phrase makes me rage so much, I popped a blood vessel all over my keyboard.

Re:Finally, IRC is safe! (1)

Anonymous Coward | about 4 years ago | (#32957670)

wow you're kind of a douche bag. chill out man

Re:Finally, IRC is safe! (1)

Kozz (7764) | about 4 years ago | (#32957854)

While it's true that honest, spontaneous spit-takes are rare, they're an exceptional sight to behold -- specifically because you know they're so rare.

Re:Finally, IRC is safe! (0)

Anonymous Coward | about 4 years ago | (#32958202)

I can see it happening.
[/i want to believe]

Re:Finally, IRC is safe! (1)

Aeternitas827 (1256210) | about 4 years ago | (#32961220)

I got caught off-guard enough that I had an improperly-chewed bit of a Slim Jim that I was about to swallow try to traverse my nostril. It happens, and it can SERIOUSLY hurt.


Re:Finally, IRC is safe! (1)

lmnfrs (829146) | about 4 years ago | (#32957820)

IRC is a pretty primitive chat program, so it will never earn a good reputation. [] in case you're bored.

woosh (0)

Anonymous Coward | about 4 years ago | (#32957848)

IRC is a pretty primitive chat program, so it will never earn a good reputation. [] in case you're bored.


Re:Finally, IRC is safe! (1)

blair1q (305137) | about 4 years ago | (#32958896)

I was once booted from a #Unix IRC channel for being too smart.

True story.

is this news? (2, Informative)

WillgasM (1646719) | about 4 years ago | (#32956764)

I thought they had been doing this for a long time now.

Re:is this news? (1)

Cicada7 (1051002) | about 4 years ago | (#32957208)

fits squarely in the stuff that matters, but no, not news really.

Yes, Marianne, hackers innovate. any other news? (1)

ehack (115197) | about 4 years ago | (#32956818)

Yes, Marianne, hackers innovate. Any other news?

Re:Yes, Marianne, hackers innovate. any other new (1)

vxice (1690200) | about 4 years ago | (#32956956)

It may not be news in itself that they innovate but where exactly they are moving to now is news. You could just as easily say all of those words have been written before, in the dictionary. It wouldn't mean that it is not newsworthy.

The new IRC? (2, Insightful)

bjartur (1705192) | about 4 years ago | (#32956844)

Meh, IRC has been used for this purpose for a long time. Switching to the centralised Twitter service for increased anonymity is just an evolution, not a revolution.

Re:The new IRC? (1)

socz (1057222) | about 4 years ago | (#32956916)

All your IRC are belong to bots!

Bleary eyed (0)

Anonymous Coward | about 4 years ago | (#32957640)

Read that as "Hackers Using Social Networks For birth Control"... and I wondered where the news was....

Must get more sleep...

Re:Bleary eyed (1)

Aeternitas827 (1256210) | about 4 years ago | (#32961282)

I think Hackers rather use being Hackers as birth control. Not much time for getting laid when you're pwning teh intrarwebz.

Twitter (1)

MadGeek007 (1332293) | about 4 years ago | (#32957950)

Yes, use twitter. They have great uptime /s On the bright side, this could mean less SPAM in our inboxes.

And? (1)

cffrost (885375) | about 4 years ago | (#32961338)

Advertisers have been using all kinds of networks to "control their bots" since the dawn of civilization. Anyway, we each gotta do our bit... good of society, et al.

Omg Halp (0)

Anonymous Coward | about 4 years ago | (#32962298)

I can't log into the face-book, my farm is gonna die! Halp!

Please stop calling them 'cybercriminals' (1)

mhwombat (1616301) | about 4 years ago | (#32962562)

It's as if a journalist is trying to make nerdy white-collar crime sound cool.

Stop it journalists! You're making it worse! Ooh, and now they're using crimeware!

this is at least 10 years old... (1)

hesaigo999ca (786966) | about 4 years ago | (#32962956)

So it changes from hotmail to facebook, or aol to twitter, or icq to ... it is all the same: use a free networking tool to communicate commands to your botnet ..... I use /., much cooler, especially when you get modded down you can implement an auto attack on the person modding you down... ; )
