
Hackers Increasingly Using Twitter For Botnets

CmdrTaco posted more than 3 years ago | from the only-a-matter-of-time dept.

Botnet 56

Trailrunner7 writes "Spammers aren't the only ones who have figured out that social networks like Twitter and Facebook are good for business. Sophisticated hackers conducting targeted attacks are also using the networks as a tool to manage malware installations on victims' networks. Mandiant's latest "M-Trends" report, released on Thursday, says that the company has observed an increasing number of so-called "Advanced Persistent Threats" that are hijacking legitimate social networks and Web based services, including Facebook, Google Chat and MSN as command and control networks for malware installations. The revelation is part of a larger trend that saw sophisticated attacks on commercial entities outstrip attacks on the networks of government agencies and defense industry players, Mandiant reported."

56 comments

Why? (1)

woolpert (1442969) | more than 3 years ago | (#35021504)

I don't understand what the incentive is to stop using IRC for command and control.

Re:Why? (2)

johnncyber (1478117) | more than 3 years ago | (#35021550)

Twitter and social networks are more likely to be used by the average person. Whereas IRC has been getting an (undeserved) bad rap for nefarious things.

Re:Why? (1)

kronosopher (1531873) | more than 3 years ago | (#35021608)

Who uses Twitter and IRC's ill-repute are irrelevant to the fact that it is useful for hackers.

Re:Why? (0)

Anonymous Coward | more than 3 years ago | (#35021736)

not really. the more stupid the user, the easier to fool them.

i see quite frequently sudden chats from people on facebook that i normally never chat with. "Oh, look, a Photo: http://whatever/Photo.exe". sure, i don't click it. i know the average user does (and did, as how else did they get infected?).

facebook has >half a million rather non-tech-savvy users. a nice target.

Re:Why? (1)

BenLeeImp (1347831) | more than 3 years ago | (#35021878)

You seem to be confusing the C&C network with the infection vector. This article is about hackers using twitter, etc, as a way to provide instructions to their botnets.

Re:Why? (2)

Lord Ender (156273) | more than 3 years ago | (#35021804)

Twitter's popularity and reputation mean it is less likely to be blocked, and traffic to it is less likely to be scrutinized by security analysts.

Re:Why? (1)

Anonymous Coward | more than 3 years ago | (#35021906)

Undeserved? IRC is ridiculous and has been for some time.

Basic outline of any IRC chatroom:

captnitro: hey whats goin on
ice8229: no fuck that
captnitro: what?
peebles: your mother is a whore, you know it
ice8229: i'm not going to buy a goddamn program just to rip
ice8229: anybody know of an open one?
fisher0: i kno cuz i fuckerd her d00d
captnitro: what the hell is going on here?
adbot: MP3Z MOVIEZ WAREZ BAGELZ go to 62.182.100.10
binaryman: 1000100011110101
captnitro: huh?
binaryman: 1001111010111110
sharky: get out n00b
fisher0: i am not a virgin i so fskced her! in the ears
pornking: anybody want to cyber?
10yearold: yes

Clearly the domain of kings.

Re:Why? (0)

Anonymous Coward | more than 3 years ago | (#35021974)

IRC is where hackers go when they don't want to be overheard

http://www.youtube.com/watch?v=wXW-HnRSrbQ

Re:Why? (4, Informative)

rabbit994 (686936) | more than 3 years ago | (#35021568)

Because you generally have to run your own servers which means you need your own domains (or hijack someone else's) and DNS/Domains/Servers become a very weak point of failure. Not to mention it's easy to discover viruses if you know which server they are connecting to. GTalk and Twitter traffic is pretty indistinguishable from legit traffic and it's easier to hide.

Re:Why? (1)

shish (588640) | more than 3 years ago | (#35021650)

Because you generally have to run your own servers

What's wrong with a private channel on a public network? (Or several for redundancy)

which means you need your own domains

What's wrong with a list of IP addresses?

Re:Why? (1)

Securityemo (1407943) | more than 3 years ago | (#35021846)

Because it's a central point of failure. If the IRC admins block all the bot IPs, your command structure is broken entirely. Whereas if you set up a CnC server on a "bulletproof host", the only breakage will be from individual infected networks/hosts blocking traffic.

Re:Why? (1)

surgen (1145449) | more than 3 years ago | (#35022222)

What's wrong with a private channel on a public network? (Or several for redundancy)

When I was an IRCop, whenever I found a c&c channel I would put a bot in there to gline anyone who entered. About once a month or so we'd go on hunting trips to find bots reporting to our network. Rather than build the redundancy of multiple networks into the malware, they'd rather use a system they can still fly under the radar on.

What's wrong with a list of IP addresses?

DHCP. You can't expect to find a box that can't be traced back to you and rely on it keeping the same IP address.

A list of IPs or IRC networks is a finite resource. The chances of losing control of your bots by relying on these is higher than if you rely on something like twitter.

Re:Why? (1)

AftanGustur (7715) | more than 3 years ago | (#35022948)

I do fight APTs on a daily basis, this was a part of my work today. [virustotal.com]

Generally IRC is no longer a good C&C protocol for a number of reasons:

1) Companies are increasingly putting in place protocol filters, so that only pure HTTP gets out of the company,

2) IRC runs on a port that is almost always blocked, you could use your servers but then you come again to the problem of "your servers",

3) IRC has problems getting out through company proxies.

4) You asked "what is wrong with a list of IP addresses"; well, in a log report, IP addresses stand out like a sore thumb and are immediately visible.

Re:Why? (1)

flappinbooger (574405) | more than 3 years ago | (#35023782)

I just read an article saying that conficker is still alive and well, but the CnC servers are being blocked and/or taken down - essentially rendering the malware mostly harmless with the head cut off.

It's interesting to read about this, I played around with tweet-my-pc a while ago and the amount of control available through the twitter system is interesting. Putting your CnC on a massive and pervasive system that someone else keeps up and pays the bills for (FB or twitter) is brilliant.

However, I heard that twitter was going to start cracking down on accounts being used for such things. Perhaps they just simply can't?

Re:Why? (1)

kronosopher (1531873) | more than 3 years ago | (#35021680)

Because you generally have to run your own servers which means you need your own domains (or hijack someone else) and DNS/Domains/Servers become very weak point of failure. Not to mention it's easy to discover viruses if you know which server they are connecting to. GTalk and Twitter traffic is pretty indistinguishable from legit traffic and it's easier to hide.

IRC servers are still fairly popular, and there are more than enough of them to exploit. How is using a social-network any less a point-of-failure than IRC? What makes HTTP or UDP any more or less distinguishable than plain old TCP?

Re:Why? (1)

Securityemo (1407943) | more than 3 years ago | (#35021886)

The point here is, not being blocked or detected on a large scale, so you mask as the most popular protocol. Social networks have displaced IRC at this point, so they would be more useful to the botnet herders.

Re:Why? (5, Insightful)

Anonymous Coward | more than 3 years ago | (#35021578)

Companies are more aggressively blocking outbound traffic to services not needed by most users, such as IRC. Whereas egress HTTP/s is almost universally permitted.

Re:Why? (3, Insightful)

John Hasler (414242) | more than 3 years ago | (#35021590)

I don't understand what the incentive is to stop using IRC for command and control.

Getting through firewalls, I should imagine. Companies are likely to block IRC but they dare not block Twits-R-us and FaceSpace. Traffic there also seems less likely to trigger IDSs.

Re:Why? (1)

shoehornjob (1632387) | more than 3 years ago | (#35022242)

This shouldn't even be an issue for Corporate networks as both of those sites are probably blacklisted on the proxy server. It's the end users at home that have to be worried about this. Oh wait.. I forgot, these are the same people who click the link when they get a popup "your computer is infected with 800 viruses. Click here to download super duper trojan ware." Never mind.

Re:Why? (1)

99BottlesOfBeerInMyF (813746) | more than 3 years ago | (#35022624)

This shouldn't even be an issue for Corporate networks as both of those sites are probably blacklisted on the proxy server.

I don't think this is true. Most corporations these days have twitter and Facebook accounts as marketing tools. Also the execs like to go on there and spout nonsense and use it for recreation. In many companies employees are encouraged to visit both sites during the day. I'm not sure of the reasoning for this (other than to make them seem more popular?) but I've seen it at several corporations.

Re:Why? (1)

bberens (965711) | more than 3 years ago | (#35022974)

My company has twitter and facebook accounts as marketing tools. There's like 3-4 people who have that site opened to them via the proxy. Everyone else has varying degrees of "freedom" to use the web. Our call center folks have the least access, developers tend to have fairly open access.

Re:Why? (1)

bberens (965711) | more than 3 years ago | (#35022952)

I wanted to join the Redhat IRC channel so I could get some help with a server issue we were having in our production environment. Apparently opening an IRC port at my company required an "ok" from the CIO of the company. Yup, for realz.

Re:Why? (1)

Anonymous Coward | more than 3 years ago | (#35021598)

IRC is less widely used than Twitter, so it is much easier to hide the command and control among the mass of Twitter messages. Also Twitter uses standard HTTP port, which is less likely to be blocked than an IRC port.

Re:Why? (1)

Securityemo (1407943) | more than 3 years ago | (#35021674)

It's cleartext, and limited in behaviour to, well, IRC chatter/extra commands. I've been thinking about this, and a practical solution would presumably be some sort of heavily steganographical P2P protocol able to run across several channels arbitrarily - meaning the bot could mask itself as HTTP traffic, torrent traffic, etc... and switch between these protocols (like "frequency jumping") in a plausible-looking manner, or even communicate with a remote bot/CnC server masking as several simultaneous protocols.

It would have to mask itself according to the type of host - a PC on a customer ISP range couldn't make itself look like a webserver but torrents would be fine, and an infected webserver could only communicate safely to the outside using answers to HTTP requests (presumably the bot could communicate by installing a custom driver in the windows networking driver chain, if I've understood those techniques correctly) and so on. An engine like that would obviously be useful for masking targeted intrusions too, not just botnets.

Re:Why? (1)

crackspackle (759472) | more than 3 years ago | (#35021842)

Perhaps because http is far less likely to ever be blocked by the victim, either intentionally or because they bought some new network hardware. Also, the main use of twitter would be to inform the bot where to go if its current C&C server was taken out. At that point, it would probably try a variety of protocols to reach it until one worked.

Re:Why? (1)

a Flatbed Darkly (1964478) | more than 3 years ago | (#35021850)

IRC's usually on an obvious port and has a discrete protocol of its own. There's no mistaking IRC. With Twitter everything's through HTTP, so people involved have some small level of deniability, and people are far more likely to notice an odd connection appearing on an abnormal port and look into it than they are to pay any heed to the din of HTTP.

Re:Why? (0)

Anonymous Coward | more than 3 years ago | (#35021930)

A lot of datacenters block the ports used by IRC. This wastes a lot of bots. Unless we're talking about home machines, there isn't really a reason to not use IRC.

Re:Why? (0)

Anonymous Coward | more than 3 years ago | (#35022324)

I don't understand what the incentive is to stop using IRC for command and control.

Stability. Things get nasty at 30.000+ clients

Re:Why? (1)

bberens (965711) | more than 3 years ago | (#35022894)

The more you can blend your bits in with "legitimate" bits the harder it is to detect you.

Re:Why? (1)

AndroSyn (89960) | more than 3 years ago | (#35023184)

Because most public IRC networks actively go out of their way to rid their networks of channels used for C&C. They don't want botnets either.

Re:Why? (1)

g4b (956118) | more than 3 years ago | (#35024104)

you simply rely on a social network being more persistent I think. Maybe they only take it as an alternative.

Having to rely on IRC may need your own infrastructure, or relying on other irc services, or at least dns systems to redirect the listening ears of your little cockroaches.

Whoever thought some stupid oneliners on a fake account somewhere might trigger a DDoS attack after all?

Maybe aboing all those bot-ladies knocking on my twitter account and listening to their sexy chitchat has some pattern... mhhmmm....

can you hear me now (0)

Anonymous Coward | more than 3 years ago | (#35027908)

more likely the bot will be able to get a phone home out of a corporate network if it's doing HTTP than IRC. also more likely able to pull an update or read a command.

using a HA web service just seems like a no brainer.

you have a distributed HA service to run your command and control, you can also have a lot more points to issue commands from.

eliminates a lot of problems so long as you can evade the people trying to remove your compromised accounts on the HA host...

frist (-1)

Anonymous Coward | more than 3 years ago | (#35021508)

frist

due

orly? (2)

kronosopher (1531873) | more than 3 years ago | (#35021576)

Twitter is actually good for something after all

I had an idea like this once... (0)

Anonymous Coward | more than 3 years ago | (#35021690)

I've never actually been involved in creating, maintaining, or commanding a botnet, but in college I thought this would be an interesting project, so I spent some time thinking about it. One issue involved is: how would peers in a botnet discover each other, when I don't want to run something like a central server?

This was 2005 or so, so twitter didn't exist. My idea was to make the bots do targeted vandalism to Wikipedia, in a way that looks benign (like some punk kid) but my clients would crawl the site looking for this coded vandalism, and use that to discover peers.

I never tried this, and I guess for a site like Wikipedia my clients would get banned pretty quickly, and if they ever got large in number the whole thing wouldn't work. I guess they've also added captchas for anonymous users. But twitter seems just right for this purpose: there's already a lot of noise on the site and it's doubtful that anyone is really monitoring what kind of crap people are putting there. And it has a search feature. There are already lots of spambots on there as well.

But then, someone else here suggested, why not just mooch off someone's IRC server? I suppose that would work just as well.

Re:I had an idea like this once... (0)

Anonymous Coward | more than 3 years ago | (#35021750)

/b/ + .rar FTW

oops, maybe I shouldn't have said that...

Meh (0)

Anonymous Coward | more than 3 years ago | (#35021712)

Not surprising. Bots mostly went from IRC-controlled (insecure, inefficient, unreliable, weak) to IRC+SSL-controlled (inefficient, unreliable, weak, massive-computational-cost) to proprietary P2P networks (overwhelming complexity). At the same time there was HTTP (inflexible, weak) and IM*. Bot coders are some of the laziest programmers around... of course they will let someone else solve their biggest issue.

* I never saw IM used in practice, so I don't really know the drawbacks around it. Probably hard to maintain with all the constant protocol changes.

A lot of it might have to do (2)

citoxE (1799926) | more than 3 years ago | (#35021734)

with how Twitter and various other social networks utilize hyperlinks. The problem is that most URLs are shortened in messages, so all person A has to do is tell person B something is going on, and click the link to find out more. Person A clicks link, silent download commences. It's circumstances like these where I wish URL shortening would just fall off the face of the earth. It just has such a high possibility of being exploited and there's no way to see where the shortened URL will go without using some script, it's just not that safe.

Re:A lot of it might have to do (0)

Anonymous Coward | more than 3 years ago | (#35022630)

> Person A clicks link, silent download commences.

Only if person A's computer is very mis-configured such that merely clicking on a hyperlink can somehow cause problems for it.

There's no way that merely clicking on a shortened URL should cause problems. Person A doesn't run scripts without some basic reason to trust them, right? And they *certainly* don't run executables from a completely untrusted web site. The URL might, at worst, show them an image they don't want to see, but that should be the worst of it.

I've (accidentally) visited malware domains before. I've never had a single problem, because I'm not idiotic enough to let them mess with my computer.

Re:A lot of it might have to do (0)

Anonymous Coward | more than 3 years ago | (#35028886)

'Only if person A's computer is very mis-configured such that merely clicking on a hyperlink can somehow cause problems for it.'

Add a zero day coupled with a cross-site forged request... and you don't know what you're talking about anymore.

Finally (0)

Anonymous Coward | more than 3 years ago | (#35021798)

Someone found a good use for twitter!

Using web services to store and transmit data? (2)

BitHive (578094) | more than 3 years ago | (#35021822)

Gee George, deez hackers shore are sophistimacated!

Re:Using web services to store and transmit data? (1)

Securityemo (1407943) | more than 3 years ago | (#35021960)

Insisting on sophistication in methods when herding bots would probably be inefficient - what matters is only return on effort and time spent. Kind of like robbers not picking locks, but drilling or smashing them.

http (0)

Anonymous Coward | more than 3 years ago | (#35022008)

http port is just not as blocked as other ports

Excellent! (0)

Anonymous Coward | more than 3 years ago | (#35022094)

So just block Facebook and Twitter at the firewall. Problem solved.

Whee! This security stuff is easy.

But how do you control it with only 140 characters (0)

Anonymous Coward | more than 3 years ago | (#35022158)

But how do you control it with only 140 characters to s

Re:But how do you control it with only 140 charact (1)

0100010001010011 (652467) | more than 3 years ago | (#35022510)

You issue it a base64 encoded URL where to get more instructions. Then the attacker can use any website, google pages, etc to issue the command.

I followed one of them once, they usually added layers of abstraction to make it 'difficult' for a human to follow. Meaning one tweet led to another tweet, led to another tweet, led to a URL, which had another URL which then contained something like "ping whitehouse.gov"
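Two defender-side checks for the thread's main points, the earlier observation that C&C over HTTP to Twitter blends into normal proxy traffic and the base64-encoded "go here for more instructions" tweet chain described in this comment. This is an added example, not code from the article, Mandiant or any commenter; the proxy log lines, tweet bodies and the `example.invalid` URL are constructed for illustration.

```python
import base64
import binascii
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not real traffic):
# "timestamp client_ip method host path status"
SAMPLE_LOG = """\
2011-01-27T09:00:00 10.0.0.7 GET api.twitter.com /1/statuses/user_timeline.json 200
2011-01-27T09:05:00 10.0.0.7 GET api.twitter.com /1/statuses/user_timeline.json 200
2011-01-27T09:10:01 10.0.0.7 GET api.twitter.com /1/statuses/user_timeline.json 200
2011-01-27T09:15:00 10.0.0.7 GET api.twitter.com /1/statuses/user_timeline.json 200
2011-01-27T09:20:00 10.0.0.7 GET api.twitter.com /1/statuses/user_timeline.json 200
2011-01-27T09:02:13 10.0.0.9 GET twitter.com / 200
2011-01-27T09:03:40 10.0.0.9 GET twitter.com /search 200
2011-01-27T11:47:52 10.0.0.9 GET twitter.com / 200
"""

# Constructed sample tweet bodies; the second carries a base64-encoded pointer
# to a placeholder next-hop URL, the pattern the comment above describes.
SAMPLE_TWEETS = [
    "weather is nice today, going for a walk",
    "new photo " + base64.b64encode(b"http://example.invalid/next-step").decode(),
]


def find_beacons(log_text, min_hits=4, max_cv=0.05):
    """Group requests by (client, host, path) and return the groups whose
    inter-request gaps are nearly constant: {(client, host, path): mean_gap_s}.
    A person browsing Twitter produces irregular gaps; a timer-driven poll does not."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, path, _status = line.split()
        seen[(client, host, path)].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:  # low coefficient of variation == clockwork polling
            beacons[key] = round(mean)
    return beacons


B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_encoded_urls(tweets):
    """Return every base64 token in the tweets that decodes to an http(s) URL,
    i.e. a 'next instructions live here' pointer rather than human chatter."""
    found = []
    for text in tweets:
        for token in B64_TOKEN.findall(text):
            try:
                decoded = base64.b64decode(token, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if decoded.startswith(("http://", "https://")):
                found.append(decoded)
    return found


if __name__ == "__main__":
    for (client, host, path), gap in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate: {client} -> {host}{path} every ~{gap}s")
    for url in find_encoded_urls(SAMPLE_TWEETS):
        print(f"encoded pointer found: {url}")
```

A legitimate desktop client polling its timeline on a fixed timer produces exactly the same gap pattern, so a beacon hit is a triage lead to correlate with the owning process and user account, not proof of infection.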

Re:But how do you control it with only 140 charact (1)

Frosty Piss (770223) | more than 3 years ago | (#35023004)

You issue [a] URL where to get more instructions. Then the attacker can use any website, google pages, etc to issue the command.

Yes you can. And this *isn't* hacking, cracking, or any hot sound-byte word.

What is (0)

Anonymous Coward | more than 3 years ago | (#35022612)

Google Chat?

Great idea (0)

Anonymous Coward | more than 3 years ago | (#35023150)

Wouldn't it be cool if some trojan just looked up popular hash tags and used those as some form of command? The People's Botnet, who knows what it'll do.

Re:Great idea (1)

SnarfQuest (469614) | more than 3 years ago | (#35023364)

Command received. \/14gR4 ads transmitting now. Nigerian prince story queued.

Like this? (0)

Anonymous Coward | more than 3 years ago | (#35023294)

http://twitter.com/ns111042

Teamwork = Teams in any form (1)

Liger_XT5 (1055672) | more than 3 years ago | (#35023510)

If a group of people play online on the same game and interact, then it's teamwork in some form. No matter what term you call it. If they want to take "Gangs" out of online games. Then take multiplayer out completely. As long as two people have the ability to be allies, there is going to be teams, as they put it, gangs.

old news (1)

hesaigo999ca (786966) | more than 3 years ago | (#35023594)

I posted about this being the case way back (5 years ago?) when people were talking about IRC bots and CCs, but I got to say, it is impressive that now so many years later, people are catching up to this style of thinking, gives me hope for hackers out there..

1-800-APTs! (0)

Anonymous Coward | more than 3 years ago | (#35024680)

And leave off the last "s" for savings!
