Hackers Increasingly Using Twitter For Botnets 56
Trailrunner7 writes "Spammers aren't the only ones who have figured out that social networks like Twitter and Facebook are good for business. Sophisticated hackers conducting targeted attacks are also using the networks as a tool to manage malware installations on victims' networks.
Mandiant's latest "M-Trends" report, released on Thursday, says that the company has observed an increasing number of so-called "Advanced Persistent Threats" that are hijacking legitimate social networks and Web-based services, including Facebook, Google Chat and MSN, as command-and-control networks for malware installations. The revelation is part of a larger trend that saw sophisticated attacks on commercial entities outstrip attacks on the networks of government agencies and defense industry players, Mandiant reported."
Why? (Score:2)
I don't understand what the incentive is to stop using IRC for command and control.
Re: (Score:1)
You seem to be confusing the C&C network with the infection vector. This article is about hackers using twitter, etc, as a way to provide instructions to their botnets.
Re: (Score:3)
Twitter's popularity and reputation mean it is less likely to be blocked, and traffic to it is less likely to be scrutinized by security analysts.
Re: (Score:1)
Undeserved? IRC is ridiculous and has been for some time.
Basic outline of any IRC chatroom:
captnitro: hey whats goin on
ice8229: no fuck that
captnitro: what?
peebles: your mother is a whore, you know it
ice8229: i'm not going to buy a goddamn program just to rip
ice8229: anybody know of an open one?
fisher0: i kno cuz i fuckerd her d00d
captnitro: what the hell is going on here?
adbot: MP3Z MOVIEZ WAREZ BAGELZ go to 62.182.100.10
binaryman: 1000100011110101
captnitro: huh?
binaryman: 1001111010111110
sharky: get out
Re:Why? (Score:5, Informative)
Because you generally have to run your own servers, which means you need your own domains (or hijack someone else's), and DNS/domains/servers become a very weak point of failure. Not to mention it's easy to discover viruses if you know which server they are connecting to. GTalk and Twitter traffic is pretty indistinguishable from legit traffic and it's easier to hide.
Re: (Score:2)
Because you generally have to run your own servers
What's wrong with a private channel on a public network? (Or several for redundancy)
which means you need your own domains
What's wrong with a list of IP addresses?
Re: (Score:2)
What's wrong with a private channel on a public network? (Or several for redundancy)
When I was an IRCop, whenever I found a c&c channel I would put a bot in there to gline anyone who entered. About once a month or so we'd go on hunting trips to find bots reporting to our network. Rather than build the redundancy of multiple networks into the malware, they'd rather use a system they can still fly under the radar on.
What's wrong with a list of IP addresses?
DHCP. You can't expect to find a box that can't be traced back to you and rely on it keeping the same IP address.
A list of IPs or IRC networks are finite resources. The
Re: (Score:2)
Generally IRC is no longer a good C&C protocol for a number of reasons:
1) Companies are increasingly putting in place protocol filters, so that only pure HTTP gets out of the company;
2) IRC runs on a port that is almost always blocked; you could use your own servers, but then you come again to the problem of "your servers";
3) IRC has problems getting out through company proxies.
4) You asked "what is wrong with a list of IP addresses,
Re: (Score:2)
It's interesting to read about this, I played around with tweet-my-pc a while ago and the amount of control available through the twitter system is interesting. Putting your CnC on a massive and pervasive system that someone else keeps up and pays the bills for (FB or twitter) is brilliant.
However, I heard th
Re: (Score:1)
Because you generally have to run your own servers which means you need your own domains (or hijack someone else) and DNS/Domains/Servers become very weak point of failure. Not to mention it's easy to discover viruses if you know which server they are connecting to. GTalk and Twitter traffic is pretty indistinguishable from legit traffic and it's easier to hide.
IRC servers are still fairly popular, and there are more than enough of them to exploit. How is using a social-network any less a point-of-failure than IRC? What makes HTTP or UDP any more or less distinguishable than plain old TCP?
Re:Why? (Score:5, Insightful)
Companies are more aggressively blocking outbound traffic to services not needed by most users, such as IRC. Whereas egress HTTP/s is almost universally permitted.
Re:Why? (Score:4, Insightful)
Getting through firewalls, I should imagine. Companies are likely to block IRC but they dare not block Twits-R-us and FaceSpace. Traffic there also seems less likely to trigger IDSs.
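One check an analyst can run over proxy logs for exactly the point above, as an added example in Python that is not from the post or from Mandiant's report: a bot polling an account for instructions requests the same URL at a near-constant interval, and that regularity shows up in the logs even when the destination is a site nobody would block. The log format, the client addresses and the account URL below are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, not real data: "<ISO timestamp> <client> <method> <url>".
# 10.0.0.5 polls one (hypothetical) account page every ~300 s; 10.0.0.7 browses
# the same site the way a person does.
PROXY_LOG = """\
2010-01-28T09:00:00 10.0.0.5 GET https://twitter.com/acct_c
2010-01-28T09:00:03 10.0.0.7 GET https://twitter.com/home
2010-01-28T09:01:10 10.0.0.7 GET https://twitter.com/home
2010-01-28T09:05:01 10.0.0.5 GET https://twitter.com/acct_c
2010-01-28T09:07:45 10.0.0.7 GET https://twitter.com/home
2010-01-28T09:08:02 10.0.0.7 GET https://twitter.com/home
2010-01-28T09:10:00 10.0.0.5 GET https://twitter.com/acct_c
2010-01-28T09:14:59 10.0.0.5 GET https://twitter.com/acct_c
2010-01-28T09:20:02 10.0.0.5 GET https://twitter.com/acct_c
2010-01-28T09:25:00 10.0.0.5 GET https://twitter.com/acct_c
2010-01-28T09:30:01 10.0.0.5 GET https://twitter.com/acct_c
2010-01-28T09:31:20 10.0.0.7 GET https://twitter.com/home
2010-01-28T09:35:00 10.0.0.5 GET https://twitter.com/acct_c
"""


def parse_log(text):
    """Yield (timestamp, client, url) from log lines; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[3]


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return [(client, url, mean_gap_seconds)] for (client, url) pairs whose
    inter-request gaps are nearly constant: the signature of a bot polling for
    instructions, regardless of how popular the destination is.

    A pair needs at least min_requests hits, and the coefficient of variation
    (stdev / mean) of its gaps must not exceed max_cv; human browsing is bursty
    and fails that test."""
    times = defaultdict(list)
    for ts, client, url in parse_log(text):
        times[(client, url)].append(ts)
    beacons = []
    for (client, url), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append((client, url, mean))
    return beacons


if __name__ == "__main__":
    for client, url, mean_gap in find_beacons(PROXY_LOG):
        print(f"{client} polls {url} every {mean_gap:.0f}s")
```

Tune min_requests and max_cv to the log window: a real bot may add jitter to its polling interval, so a looser max_cv catches more at the cost of flagging auto-refreshing dashboards, which then need an allowlist.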
Re: (Score:2)
This shouldn't even be an issue for Corporate networks as both of those sites are probably blacklisted on the proxy server.
I don't think this is true. Most corporations these days have Twitter and Facebook accounts as marketing tools. Also the execs like to go on there and spout nonsense and use it for recreation. In many companies employees are encouraged to visit both sites during the day. I'm not sure of the reasoning for this (other than to make them seem more popular?) but I've seen it at several corporations.
Re: (Score:1)
IRC is less widely used than Twitter, so it is much easier to hide the command and control among the mass of Twitter messages. Also Twitter uses standard HTTP port, which is less likely to be blocked than an IRC port.
Re: (Score:1)
Perhaps because http is far less likely to ever be blocked by the victim, either intentionally or because they bought some new network hardware. Also, the main use of twitter would be to inform the bot where to go if its current C&C server was taken out. At that point, it would probably try a variety of protocols to reach it until one worked.
Re: (Score:1)
Because most public IRC networks actively go out of their way to rid their networks of channels used for C&C. They don't want botnets either.
Re: (Score:2)
You simply rely on a social network being more persistent, I think. Maybe they only take it as an alternative.
Having to rely on IRC may need your own infrastructure, or relying on other IRC services, or at least DNS systems to redirect the listening ears of your little cockroaches.
Whoever thought some stupid oneliners on a fake account somewhere might trigger a DDoS attack after all?
Maybe aboing all those bot-ladies knocking on my twitter account and listening to their sexy chitchat has some pattern... mhhmm
orly? (Score:2)
A lot of it might have to do (Score:2)
Using web services to store and transmit data? (Score:3)
Gee George, deez hackers shore are sophistimacated!
Re: (Score:2)
You issue it a base64-encoded URL telling it where to get more instructions. Then the attacker can use any website, Google Pages, etc. to issue the command.
I followed one of them once; they usually added layers of abstraction to make it 'difficult' for a human to follow. Meaning one tweet led to another tweet, which led to another tweet, which led to a URL, which had another URL, which then contained something like "ping whitehouse.gov"
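What the chain described above looks like when a bot walks it, plus the matching check a defender can run over messages, as an added example in Python that is not code from the thread or from any real bot. The pointer format (`tweet:<account>/<index>`, `cmd:`), the accounts, the URLs and the message texts are all constructed for illustration; the post only says that the pointers are base64-encoded and that the hops went tweet to tweet to URL to URL to command.

```python
import base64
import re

# Candidate base64 tokens: a run of 16+ alphabet characters with optional
# padding, not glued to other base64 characters.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])"
)


def b64_decode_safe(token):
    """Decode a token as base64 ASCII text, or return None if it is not one."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def enc(text):
    return base64.b64encode(text.encode("ascii")).decode("ascii")


# Constructed corpus (hypothetical accounts, URLs and pointer format).
# A tweet is keyed by (account, index); a page by its URL.  A payload is a
# pointer to another tweet ("tweet:<account>/<index>"), a URL, or the final
# command ("cmd:...").  Pointers are base64 so they read as noise in a tweet.
TWEETS = {
    ("acct_a", 0): "lol great weather today " + enc("tweet:acct_b/2"),
    ("acct_b", 2): "random thought of the day " + enc("tweet:acct_c/0"),
    ("acct_c", 0): enc("http://example.invalid/step1"),
    ("acct_loop", 0): enc("tweet:acct_loop/0"),  # a cycle, to show the hop limit
}
PAGES = {
    "http://example.invalid/step1": enc("http://example.invalid/step2"),
    "http://example.invalid/step2": "cmd:ping whitehouse.gov",
}


def parse_pointer(candidate):
    """Turn decoded text into a hop: ("tweet", (account, index)) or ("url", url)."""
    if candidate.startswith("tweet:"):
        account, _, index = candidate[len("tweet:"):].rpartition("/")
        if account and index.isdigit():
            return ("tweet", (account, int(index)))
        return None
    if candidate.startswith(("http://", "https://")):
        return ("url", candidate)
    return None


def next_hop(text):
    """Find the next hop in a message: the plain text itself, or any base64 token in it."""
    candidates = [text.strip()]
    candidates += [d for d in (b64_decode_safe(t) for t in B64_TOKEN.findall(text)) if d]
    for candidate in candidates:
        hop = parse_pointer(candidate)
        if hop:
            return hop
    return None


def resolve_chain(start, tweets=TWEETS, pages=PAGES, max_hops=10):
    """Walk the chain from an (account, index) tweet to a command, as the bot would.

    Returns (command, path); command is None if a hop is missing, unparseable,
    or the chain exceeds max_hops (which also stops cycles)."""
    path = []
    current = ("tweet", start)
    for _ in range(max_hops):
        kind, key = current
        text = tweets.get(key) if kind == "tweet" else pages.get(key)
        if text is None:
            return None, path
        path.append(current)
        if text.startswith("cmd:"):
            return text[len("cmd:"):], path
        current = next_hop(text)
        if current is None:
            return None, path
    return None, path


def suspicious_tokens(text):
    """Defender side: base64 tokens in a message that decode to a URL or tweet pointer."""
    hits = []
    for token in B64_TOKEN.findall(text):
        decoded = b64_decode_safe(token)
        if decoded and parse_pointer(decoded):
            hits.append((token, decoded))
    return hits


if __name__ == "__main__":
    command, path = resolve_chain(("acct_a", 0))
    print(command, "via", len(path), "hops")
    for key, text in TWEETS.items():
        print(key, suspicious_tokens(text))
```

The hop limit is the part worth keeping: a chain that points back to itself, or one the attacker has started rotating, would otherwise keep a naive follower (bot or analyst script) spinning. The defender-side scan is deliberately narrow, flagging only tokens that decode to a URL or pointer, so ordinary long words and real base64 attachments do not drown it in noise.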
Re: (Score:2)
You issue [a] URL where to get more instructions. Then the attacker can use any website, google pages, etc to issue the command.
Yes you can. And this *isn't* hacking, cracking, or any hot sound-byte word.
I thought they were using Telnet? (Score:1)
Those hackers must be busy....
Re: (Score:1)
Command received. \/14gR4 ads transmitting now. Nigerian prince story queued.
Teamwork = Teams in any form (Score:1)
old news (Score:1)
I posted about this being the case way back (5 years ago?) when people were talking about IRC bots and C&Cs, but I've got to say, it is impressive that now, so many years later, people are catching up to this style of thinking. Gives me hope for the hackers out there.